TTUHSC IT Policies
1.4.7 INCIDENT MANAGEMENT
The following describes the requirements for managing security incidents. Security incidents include, but are not limited to, detection of viruses, worms, and Trojan horses; unauthorized use of computer accounts and computer systems; and complaints of improper use of information resources as outlined in the Acceptable Use Policy.
The TTUHSC Information Technology Security (ITS) group, in coordination with the Computer Incident Response Team (CIRT) members, is responsible for the following:
- developing and preserving the procedures for handling incidents,
- defining and classifying incidents,
- determining the tools and technology utilized in intrusion detection,
- determining if an incident should be investigated and the scope of such an investigation (i.e. law enforcement agencies, forensic work),
- securing the network,
- conducting follow-up reviews,
- ensuring that proper reporting is conducted, and
- promoting awareness throughout the organization.
- TTUHSC CIRT members may be required to perform duties related to the incident that take precedence over normal duties.
- The Information Security Officer is responsible for:
- initiating incident management action, including notifying the appropriate personnel.
- determining the physical and electronic evidence to be gathered as part of the incident investigation.
- determining if a widespread TTUHSC conference call is required, the content of the conference call, and how best to contact CIRT members.
- initiating, completing, and documenting the incident investigation with assistance from the CIRT
- coordinating communications with outside organizations and law enforcement.
- reporting the incident to the:
- The appropriate technical resources from the CIRT are responsible for:
- ensuring that any damage from a security incident is repaired or mitigated, and that the vulnerability is eliminated or minimized where possible.
- communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.
- In the case where law enforcement is not involved, the Information Security Officer will provide the appropriate information to the Managing Director of Technology Services, who will notify TTUHSC Human Resources as appropriate.
- In the case where law enforcement is involved, the CIO is responsible for reporting the incident to Federal, State, or local law officials as required by applicable statutes and/or regulations, and for acting as the liaison between law enforcement and TTUHSC.
Guidelines For Handling A Computer System Incident
Don't panic. Call the I.T. Help Desk. The Help Desk staff will guide you through the next steps to take, which include the following:
- Assessment. Do not immediately shut down the machine, as you may lose important information (volatile evidence such as running processes, open network connections, and memory contents does not survive a power-off). If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, you may need to disconnect it from the network. If this does not appear to be the case, leave the system intact for the moment.
- System scan. Work with the I.T. Help Desk and run an emergency system security scan. This information will help you assess the damage. (The machine must be up and on the network in order to run a scan.)
- Gathering all relevant information. This may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs.
- Take notes. Record all relevant information, including things you observed, actions you took, dates and times, etc. It is best to log your activities as they occur.
- Changing account passwords. All system accounts that were involved with the incident may require new passwords as determined by the Information Security Officer. Choose a password in accordance with the password requirements and change it every ninety (90) days.
- ITS will determine the correct course of action. The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, cost of recovery, etc.).
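The "gathering all relevant information" and "take notes" steps above, worked through as an added example. This is not TTUHSC's tooling or part of the policy; the `CaseFile` helper, its file layout (artifacts/, notes.log, MANIFEST.json) and the sample host tree and log lines it builds are all hypothetical and constructed here. It copies log files and directory listings into one case directory, hashes each artifact so later alteration can be detected, and appends a UTC-timestamped note for every action as it happens rather than reconstructing the timeline afterwards.

```python
"""Hypothetical first-responder evidence capture (added example, not TTUHSC tooling).
Gathers log files and directory listings, hashes every artifact, and keeps a
timestamped action log, matching the gathering and note-taking steps above."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class CaseFile:
    """One incident's evidence directory: artifacts/, notes.log and MANIFEST.json."""

    def __init__(self, case_dir):
        self.case_dir = Path(case_dir)
        self.artifacts = self.case_dir / "artifacts"
        self.artifacts.mkdir(parents=True, exist_ok=True)
        self.notes = self.case_dir / "notes.log"
        self.manifest = {}  # artifact name -> sha256 hex digest
        self.note("case opened")

    def note(self, message):
        """Append a UTC-timestamped entry; written as the action happens, not later."""
        with self.notes.open("a") as fh:
            fh.write(f"{utc_now()} {message}\n")

    def collect_file(self, source):
        """Copy a log or other file into the case and verify the copy by hash.
        A missing file is recorded in the notes rather than aborting the capture."""
        src = Path(source)
        if not src.is_file():
            self.note(f"MISSING {src}")
            return None
        digest = sha256_of(src)
        dest = self.artifacts / src.name
        shutil.copy2(src, dest)  # copy2 preserves the original modification time
        if sha256_of(dest) != digest:
            raise OSError(f"copy of {src} does not match source hash")
        self.manifest[dest.name] = digest
        self.note(f"COLLECTED {src} sha256={digest}")
        return digest

    def collect_listing(self, directory, name):
        """Save a recursive directory listing (mtime, size, path) as an artifact."""
        root = Path(directory)
        lines = []
        for p in sorted(root.rglob("*")):
            st = p.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            lines.append(f"{mtime} {st.st_size:>10} {p.relative_to(root)}")
        dest = self.artifacts / name
        dest.write_text("\n".join(lines) + "\n")
        self.manifest[name] = sha256_of(dest)
        self.note(f"LISTED {root} as {name} ({len(lines)} entries)")
        return len(lines)

    def seal(self):
        """Write the hash manifest once collection is complete."""
        (self.case_dir / "MANIFEST.json").write_text(
            json.dumps(self.manifest, indent=2, sort_keys=True))
        self.note(f"SEALED {len(self.manifest)} artifacts")

    def verify(self):
        """Return names of artifacts whose current hash no longer matches the manifest."""
        recorded = json.loads((self.case_dir / "MANIFEST.json").read_text())
        return [n for n, h in recorded.items() if sha256_of(self.artifacts / n) != h]


def demo():
    """Constructed scenario: a fake host tree and fake log lines, not real data."""
    work = Path(tempfile.mkdtemp())
    host = work / "host"
    (host / "var/log").mkdir(parents=True)
    (host / "var/www/uploads").mkdir(parents=True)
    (host / "var/log/auth.log").write_text(
        "Mar 03 02:14:07 web1 sshd[4211]: Failed password for root from 203.0.113.9 port 51022\n"
        "Mar 03 02:14:09 web1 sshd[4211]: Accepted password for root from 203.0.113.9 port 51022\n")
    (host / "var/www/index.html").write_text("<html>ok</html>\n")
    (host / "var/www/uploads/report.pdf").write_bytes(b"%PDF-1.4 constructed\n")

    case = CaseFile(work / "case")
    case.collect_file(host / "var/log/auth.log")
    case.collect_file(host / "var/log/missing.log")  # noted as MISSING, not fatal
    entries = case.collect_listing(host / "var/www", "www-listing.txt")
    case.seal()
    clean = case.verify()
    # Alter a collected artifact afterwards: the manifest check must flag it.
    (case.artifacts / "auth.log").write_text("edited after collection\n")
    return {"artifacts": sorted(case.manifest), "entries": entries, "clean": clean,
            "tampered": case.verify(), "notes": case.notes.read_text().splitlines()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the case directory would be written to removable or remote media rather than the suspect machine's own disk, and the manifest hashes would be recorded in the responder's handwritten or separately stored notes, so that the integrity of the evidence does not depend on the compromised host.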
Other Steps A Systems Administrator May Take
- Change the status of accounts, if necessary. In the event that a system administrator detects a problem with a system, or questionable user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting logins to it. This results in the account owner having to contact an administrator in order to remove the login restriction. This is not deleting the account, but is merely making the account temporarily unusable.
- Stop rogue service(s), if necessary. In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network. An example of this type of attack is an ICMP flood (sometimes loosely called a “ping sweep”, though that term properly describes reconnaissance that probes a range of addresses for live hosts), in which one machine on the network sends other machines Internet Control Message Protocol (ICMP) echo requests until the network exceeds capacity, causing degradation and/or traffic being blocked.
- Review your backup policies. If you believe your data and/or operating system has been compromised, you must ensure that a backup is available for restoration. If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence. If your disaster recovery policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to. Until that time, do not allow any backups to be overwritten. It is recommended that users regularly back up important data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator or Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data).
If you have questions about incident procedures, contact email@example.com.