Information Resources and Technology Procedure

Section: Administration and Operation
Policy Name: Security Incident Response Procedure
Procedure Number: 1.02.02

Procedure Purpose

This procedure documents Bradley University’s method and means of responding to a suspected or definite data security breach in which the integrity of protected data is suspected to have been or definitely has been compromised.

Policy Supported

Supports 1.02 Security Incident Response

Procedure Description

Data Security Incident Response Technical Team:
The Data Security Incident Response Technical Team shall include the following members:

First Level Escalation:
Computing Services Director of Systems Integration and Security
Computing Services Network Administration
Computing Services System Administration

Second Level Escalation:
Executive Director of Computing Services
Associate Provost of Information Resources and Technology

Initial Report of the incident:

  • Upon being notified of an incident, any team member or other individual who is taking responsibility for reporting the incident shall notify the Director of Systems Integration and Security and provide all of the information currently known about the incident

Systems Integration and Security tasks (if necessary/as appropriate):

  • Notify the user(s) of the system(s) in question and advise them not to reboot, turn off, log off, log on, change passwords, or otherwise access or touch the system until further notice
  • Notify all first level Incident Response Team members on both the technical and business side, and forward all of the information known at the present time
  • Notify all second level Incident Response Team members on the technical side, and summarize all of the known information at the present time
  • Start a log or documentation trail of all of the information that is known at the present time
  • Assist the other team members as requested
  • Organize a team meeting to discuss findings
  • Preserve all electronic evidence
  • Assist law enforcement and Payment Card Industry personnel in the investigative process as needed
  • Document all actions taken and any additional information
  • Report back to the Director of Computing Services on findings and actions taken

Network Administration tasks (if necessary/as appropriate):

  • Run a network sniffer or watch network firewall logs in real time to determine if anything related to the incident is still occurring
  • Isolate the compromised system by disabling the system’s network port(s) or unplugging the system’s network cable(s)
  • Review network firewall logs for clues related to the incident, which may include date/time, source IP address, TCP port, or UDP port
  • Determine if the offending host’s IP address is a Bradley address or not
  • Use DNS, Whois, ARIN, and/or Netreg to determine the domain name or registered owner of the offending host
  • Research online and see what can be learned about the offending host’s domain
  • Take the appropriate actions to block relevant network traffic
  • Review other immediate systems to determine if they might also be compromised
  • Preserve all evidence
  • Document all information about the systems in question including DNS names, IP addresses, OS versions, system functions, list of users authorized to use the system
  • Notify all contacts from Whois and ARIN that are associated with the offending IP address and ask for their cooperation in the investigation
  • Assist law enforcement and payment card industry personnel in the investigative process as needed
  • Provide a network topology map of the systems within the scope of the investigation
  • Remediate as necessary
  • Document all actions taken and any additional information
  • Report back to the Director of Systems Integration and Security on findings and actions taken
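The firewall-log review, address-classification and host-documentation steps above can be supported with a small triage script. The following is an added example and is not part of the Bradley University procedure; the log line layout, the internal address ranges in INTERNAL_NETWORKS and the sample records are constructed placeholders that a network administrator would replace with the firewall's real syslog format and the university's real allocations.

```python
"""Firewall-log triage helper for the Network Administration tasks.

Added example, not part of the Bradley University procedure. LOG_PATTERN,
INTERNAL_NETWORKS and SAMPLE_LOG are constructed assumptions: adapt the
pattern to the firewall's actual syslog layout and list the university's
real address ranges before use.
"""
import ipaddress
import re

# Hypothetical internal ranges (placeholders, not Bradley's real addresses).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records in a generic "key=value" firewall syslog style.
SAMPLE_LOG = """\
2012-06-06T02:14:07 action=deny src=198.51.100.23 dst=10.20.30.40 proto=tcp dport=22
2012-06-06T02:14:09 action=deny src=198.51.100.23 dst=10.20.30.40 proto=tcp dport=22
2012-06-06T02:15:41 action=allow src=198.51.100.23 dst=10.20.30.40 proto=tcp dport=443
2012-06-06T02:16:02 action=allow src=10.20.30.40 dst=203.0.113.9 proto=udp dport=53
2012-06-06T02:16:05 action=allow src=10.20.30.40 dst=203.0.113.9 proto=tcp dport=4444
this line is not a firewall record and must be skipped
"""

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")


def parse_firewall_log(text):
    """Return one dict per well-formed record; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def triage(records, victim):
    """Summarise traffic touching `victim`, split by direction.

    inbound:  peers that reached the victim (candidate offending hosts)
    outbound: peers the victim itself connected to (possible data leaving)
    Each peer entry records whether it is internal, first/last seen time,
    the (proto, port) pairs observed and allow/deny counts: the facts the
    log-review and documentation steps ask the team to capture.
    """
    summary = {"inbound": {}, "outbound": {}}
    for r in records:
        if r["dst"] == victim:
            direction, peer = "inbound", r["src"]
        elif r["src"] == victim:
            direction, peer = "outbound", r["dst"]
        else:
            continue
        entry = summary[direction].setdefault(peer, {
            "internal": is_internal(peer), "first_seen": r["ts"],
            "last_seen": r["ts"], "ports": set(), "denied": 0, "allowed": 0})
        entry["last_seen"] = r["ts"]  # records are assumed to be in time order
        entry["ports"].add((r["proto"], r["dport"]))
        entry["denied" if r["action"] == "deny" else "allowed"] += 1
    return summary


if __name__ == "__main__":
    # The victim address is a constructed placeholder from SAMPLE_LOG.
    result = triage(parse_firewall_log(SAMPLE_LOG), "10.20.30.40")
    for direction, peers in result.items():
        for peer, info in peers.items():
            where = "internal" if info["internal"] else "external"
            print(direction, peer, where, sorted(info["ports"]),
                  info["first_seen"], "->", info["last_seen"])
```

External peers in the "inbound" section are the hosts to take forward to the DNS, Whois and ARIN lookups in the next steps; the "outbound" section is worth the same attention, since a compromised system contacting an unfamiliar external address on an unusual port is often the first sign that data is leaving.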

System Administration tasks (if necessary/as appropriate):

  • Review local system logs for related information including the time of the incident and the scope of information compromised
  • Analyze all critical file integrity and change events and logs for information related to the compromise
  • Update antivirus definition (DAT) files and scan the system(s) for infections which may be relevant to the compromise
  • Identify a good backup that can be used to restore data, but do not rebuild the system(s) and restore data until the investigation is completed
  • Identify the length of downtime that will be required by the investigative process, and if necessary find some temporary replacement hardware to use during the investigation
  • Review other immediate systems to determine if they might also be compromised
  • Preserve all evidence
  • Document all information about the systems in question including DNS names, IP addresses, OS versions, system functions, list of users authorized to use the system(s)
  • Assist law enforcement and Payment Card Industry personnel in the investigative process as needed
  • Remediate as necessary
  • Document all actions taken and any additional information
  • Report back to the Director of Systems Integration and Security on findings and actions taken
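The file-integrity analysis and evidence-preservation steps above both depend on knowing exactly which files changed and on being able to prove later that a preserved copy is unaltered. The following is an added example and is not part of the Bradley University procedure: it builds a SHA-256 manifest of a directory tree, writes it in the format sha256sum accepts, and diffs two manifests to list added, removed and modified files. The directory layout and file contents in demo() are constructed for illustration.

```python
"""Evidence-preservation and file-integrity helper for the System
Administration tasks.

Added example, not part of the Bradley University procedure. It hashes
every regular file under a directory into a manifest (so a preserved copy
can later be shown unchanged) and diffs two manifests to list files added,
removed or modified since a baseline. The tree built in demo() and its
contents are constructed sample data.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large logs stay out of memory


def sha256_file(path):
    """Hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256.

    Symlinks are skipped so a link cannot pull in files from outside the
    evidence tree; traversal is sorted so two runs produce identical output.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, out_path):
    """Write 'digest  path' lines, the layout `sha256sum -c` verifies."""
    with open(out_path, "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def compare_manifests(baseline, current):
    """Classify differences between a known-good baseline and the current tree."""
    base_keys, cur_keys = set(baseline), set(current)
    common = base_keys & cur_keys
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def demo():
    """Build a constructed tree, take a baseline, change it, and diff.

    Returns the comparison result so it can be inspected or asserted on.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "var", "log", "auth.log"), "w") as f:
            f.write("Jun  6 02:14:07 host sshd[101]: Accepted password for alice\n")
        baseline = build_manifest(root)

        # Constructed changes standing in for what an investigation might find.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")  # account file edited
        with open(os.path.join(root, "var", "log", "auth.log"), "w") as f:
            f.write("")                                      # log emptied
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("# new startup script\n")                # new file
        current = build_manifest(root)
        write_manifest(current, os.path.join(root, "evidence.sha256"))
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline manifest comes from a known-good backup or from the last scheduled integrity run, and the manifest written for preserved evidence should itself be stored (and ideally signed) somewhere the compromised system cannot reach, so that the chain of custody does not rest on the machine under investigation.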

Procedure Scope

This procedure outlines who comprises Bradley University’s Data Security Incident Response Technical Team, and what actions the technical team will take in the event of a suspected or definite compromise of protected data. The procedure covers the technical side only, within Computing Services and Information Resources and Technology (IRT). Incident Response policies and procedures for the business and financial side will be outlined in the document “Credit Card Security Incident Response Plan”, which will be documented by the Bradley University Controller’s Office.

Definitions

Protected Data

Security Breach

Date Approved: 6/6/2012
Revision 1 Date:
Revision 2 Date:
Revision 3 Date:
Revision 4 Date:
Revision 5 Date: