POLICY TITLE: IT Security Incident Escalation
POLICY #: IT - 06
DATE DRAFTED: 03/20/02
APPROVED DATE: 04/03/02
REVISION DATE: 03/31/2005 (Attachment 2)
BRIEF DESCRIPTION: Provides guidance in determining the proper response to a misuse of IT resources from within or outside the University.
This policy provides guidance in determining the proper response to a misuse of IT resources from within or outside the University. It documents when to involve University administration, judicial representatives, and legal representatives. It also documents the individuals designated for these responsibilities, and procedural details, which depend on the severity and source of the attack.
Attacks on University IT resources are serious infractions of the Acceptable Use of Information Technology Resources policy, and misuse or vandalism of University resources. We must pay particular attention to the education of our students with regard to proper behavior in these matters. Serious attacks on University resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.
The entity responsible for support of the system or network under attack is in all cases expected to:
- report the attack to the University IT Security Officer
- block or prevent escalation of the attack, if possible
- repair the resulting damage
- restore service to its former level, if possible
- preserve evidence, where appropriate
Incident Scenarios Summary
| | Short Term Duration / Minor Damage | Long Term Duration / Major Damage |
|---|---|---|
| Attacker Originates Inside University of Iowa | · Report to IT Security Officer · Repair breach (close) · Report to judicial representative for sanctions | · Report to IT Security Officer · Preserve evidence · Stop/Repair breach (close) · Notify service provider(s) · Report to CIO · Report to judicial representative and/or General Counsel and/or Public Safety for follow-up |
| Attacker Originates Outside University of Iowa | · Report to IT Security Officer · Repair breach (close) · Send notice/complaint to service provider(s) if possible | · Report to IT Security Officer · Preserve evidence · Notify service provider(s) · Pinpoint source if possible · Stop/Repair breach (close) · Report to CIO · Report to General Counsel and/or Public Safety for follow-up |
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).
- Attachment 1: IT Security Incident Escalation – Detailed Responses
- Attachment 2: IT Security Incident Escalation – Contacts
Attachment 1 - DETAILED RESPONSES:
Short Term Attack and/or with Minor Damage
- Attacks that are judged to be minor in scope or short term in duration, and originate inside the University, will be reported to the appropriate judicial representative after one warning from the IT Security Officer. The warning to the source explains that they are in violation of the University's Acceptable Use of Information Technology Resources Policy, and are being given one chance to modify their behavior. If the initial attack is relatively more serious, yet still "minor", the warning is to be waived and a report made to the appropriate judicial representative. This is a judgement call to be made by the IT Security Officer.
- A judicial report will result in a permanent record of the attack, and a sanction(s) commensurate to the seriousness of the attack. The intent is to provide an opportunity for members of our community to learn that we take these matters seriously and will not overlook inappropriate and potentially damaging behavior. Repeated attacks will result in escalation to policy regarding incidents having long term and/or major damage.
- Attacks which originate outside the University will be reported to the appropriate service provider by the IT Security Officer. The service provider will be given detail regarding the attack in order that the attacker may be dealt with according to the service provider's terms of use. It is not economically feasible for the University to pursue additional action against attackers (or their service provider) for minor problems.
- When the source of a minor attack cannot be determined, because of a lack of evidence or because of faulty evidence, then it is in the best interest of the University to close the issue. (Evidence may be in the form of system recording (log) facilities, monitors, cache files, program dumps, network traces, disk storage media, etc.)
Long Term Attack and/or with Major Damage
- In consultation with the IT Security Officer, once the entity responsible for the system or network determines that an attack has crossed the line from "minor" into "major" damage or the attack continues for a long duration (greater than one day), operational steps must be taken to preserve evidence. Major damage might be a loss (or corruption) of institutional data, an extended outage of a critical service or application, or other high-impact/high-cost damage.
- An on-going attack originating inside the University will be reported to appropriate campus service providers as soon as it is detected. If needed, that group will perform tracing through network analysis to pinpoint the source of the attack. Alternatively, if the attack is detected through networking analysis, it will be reported to the IT Security Officer and the entity responsible for the system as soon as possible after its detection.
- If the source of the attack was outside of the University, ITS service providers will perform tracing through network analysis with the cooperation of the University's Internet Service Providers (the Iowa Communications Network (ICN) and PSI Net, Inc.), and/or other external service providers. When external service providers are involved, an appropriately high problem severity level and rapid escalation procedures will be observed in order to trace the attack source and reach a resolution quickly.
- The IT Security Officer will inform the University Chief Information Officer (CIO) of the attack in a timely manner. The appropriate judicial representative(s) will also be informed, based on the source of an attack that originates inside the University.
- University legal representatives, in consultation with the CIO, will make a judgment regarding the seriousness of the attack and the appropriate legal action. In all cases, the University will pursue punishment for the attacker if the source can be pinpointed with sufficient evidence to prove wrongdoing.
- In the unlikely event that a long term attack or a major or critical system attack goes undetected, evidence is lost, and the attack cannot be traced even far enough to determine if it came from on-campus or off-campus, then there is little to be done. With no evidence, we can only repair the damage and attempt to restore service. Serious attacks of this type will be reported as such to management for review.
Attachment 2 - CONTACTS:
Enterprise IT Security Representatives:
Jane Drews, University IT Security Officer, CIO's Office
IT Management Representatives:
Service Providers
Mark Katsouros, Director of ITS Telecommunication and Network Services
Rex Pruess, Director of ITS Systems and Platform Administration
Patrick Duffy, Director of UIHC Telecommunications
IT Management
Steve Fleagle, Associate Vice President and Chief Information Officer
Lee Carmen, Director of UI Health Care Information Systems
Judicial Representatives:
For Students
Thomas Baker, Assistant Dean of Students
Phil Jones, Vice President and Dean of Students
For Faculty
Susan Johnson, Associate Provost for Faculty
Mike Hogan, University Provost
For Staff
Susan Buckley, Director of Human Resources
Doug True, Vice President for Finance and University Operations
Legal Representatives:
Department of Public Safety
Derek Hyche, Lieutenant Detective
Duane Papke, Associate Director of Public Safety
Chuck Green, Assistant Vice President and Director of Public Safety
General Counsel
Gay Pelzer, Senior Associate Counsel
Mark Mills, University General Counsel
