7.20.03 Incident Response

Approved on: 03/08/2006

By: Administrative Council

Effective Date: 03/08/2006

Policy Summary

Information security incidents occurring on the university network or attached devices will be managed centrally by the University Information Security Officer (ISO) and will include other campus resources as determined by the ISO.

Applicability/Eligibility

Staff

Students

Faculty

Administration of Policy

Mandating Authority:
Administrative Council

Responsible Office(s):
Information Systems and Technology, 13th floor, Commerce Building, 3-4357

Responsible Executive(s): AP for Information Systems and Technology

Background: None

Committee Members: None

Contacts

Position Title: Information Systems and Technology
Campus Location: 13th Floor, Commerce Bldg.
Phone Number and/or E-mail Address: 404-413-4357

Full Policy Text

Information security incidents occurring on the university network or attached devices will be managed centrally by the University Information Security Officer (ISO) and will include other campus resources as determined by the ISO.

Rationale or Purpose

Centralized notification and control of security incident investigation is necessary to ensure that immediate attention and appropriate resources are utilized to control, eliminate and determine the root cause of events that could potentially disrupt the operation of the university or compromise university data or sensitive information.

Policy History

None

Cross References

None

Appendix

None

Additional Information

Standards

Computer Security Incident Response Team (CSIRT). The ISO, with the advice and assistance of college and departmental IT representatives, will have the capability to establish a CSIRT to respond to security incidents.

Campus-wide Outage. A campus-wide outage is a fault, event or other unforeseen issue causing failures to all or large portions of the campus communication and computing infrastructure, services and devices or key communication and computing resources such as a DNS failure or a loss of campus Internet access. This type of incident would be treated as a Critical Incident.

Incident Types. An incident is defined as an adverse event in an information system and/or network device, or the threat of the occurrence of such an event. Events may be characterized as unauthorized use of another's user account, unauthorized use of system privileges or execution of malicious code. Events characterized as environmental (such as natural disasters, electrical outages, heat damage, etc.) are not within the scope of this policy. The most identifiable types of event are:

Malicious code attacks-Attacks by programs such as viruses, Trojan Horse programs, worms, and scripts to gain privileges, capture passwords, and/or modify audit logs to hide unauthorized activity.

Unauthorized access-Includes unauthorized users logging into a legitimate account, unauthorized access to files and directories or operation of sniffer devices.

Disruption of services-Includes erasing of programs or data, mail spamming, denial of service attacks or altering system functionality.

Misuse-Involves the utilization of computer resources for other than official purposes.

Espionage-Stealing information to subvert the interests of a corporation or government entity.

Hoaxes-Generally an e-mail warning of a nonexistent virus.

Incident Severity. Incidents will be classified by the ISO based on the perceived impact on university resources:

Critical-Severe risk to the university network and/or external systems over the Internet. May be characterized by widespread risk of compromise of multiple systems or high risk of compromising sensitive information. Criteria for determining if an incident is critical include but are not limited to: health and safety of personnel, legal issues, possible harm to the university's reputation.

Medium-Medium risk to the university network and low risk to external systems over the Internet. May be characterized by risk of compromising more than one system, no risk to sensitive data, or isolation to a single system.

Low-Low risk to the university network and no risk to external systems over the Internet. May be characterized by compromise of a system that does not host or process critical/sensitive information, does not pose a risk to other systems or types of devices.

Additional Helpful Resources

Procedures

Compromised System Procedure (Word)

Computer Security Incident Response Team Procedure (Word)