Policy Number: IT-06

POLICY TITLE:     IT Security Incident Escalation
POLICY #: IT - 06
DATE DRAFTED: 03/20/02
APPROVED DATE: 04/03/02
REVISION DATE: 10/20/2011, 03/31/2014
BRIEF DESCRIPTION: Provides guidance in determining the proper response to a misuse of or attack on IT resources from within or outside the University.

Introduction:
This policy provides guidance in determining the proper response to a misuse of IT resources from within or outside the University. It documents where to report problems and when to involve University administration, judicial representatives, and legal representatives. It also documents the individuals designated for these responsibilities, and procedural details, which depend on the severity and source of the attack.

Scope:
Attacks on University IT resources are serious infractions of the Acceptable Use of Information Technology Resources policy, and misuse or vandalism of University resources. We must pay particular attention to the education of our community with regard to proper behavior in these matters. Serious attacks on University resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.

Policy Statement:

The entity responsible for support of the system or network that has been compromised or is under attack is in all cases expected to:

  1. Report the incident to the Chief Information Security Officer (see Attachment 2)
  2. Take action at the direction of the Chief Information Security Officer to contain the problem, and block or prevent escalation of the attack, if possible
  3. Remediate changes, and repair the resulting damage
  4. Restore service to its former level, if possible
  5. Preserve evidence, as directed by the Chief Information Security Officer, where it is deemed appropriate

Incident Scenarios Summary

The following table is organized by the source of the attack (rows) and by its duration and damage (columns).

Source Originates Inside University of Iowa

  Short Term Duration / Minor Damage:
    1. Report to Information Security & Policy Office
    2. Assist in investigation as necessary
    3. Remediate or repair breach (close)
    4. Report to judicial representative for sanctions

  Long Term Duration / Major Damage:
    1. Report to Information Security & Policy Office
    2. Preserve evidence
    3. Stop/Repair breach (close)
    4. Notify service provider(s)
    5. Report to CIO
    6. Report to judicial representative and/or General Counsel and/or Public Safety for follow-up

Source Originates Outside University of Iowa

  Short Term Duration / Minor Damage:
    1. Report to Information Security & Policy Office
    2. Repair breach (close)
    3. Send notice/complaint to service provider(s) if possible

  Long Term Duration / Major Damage:
    1. Report to Information Security & Policy Office
    2. Preserve evidence
    3. Notify service provider(s)
    4. Pinpoint source if possible
    5. Stop/Repair breach (close)
    6. Report to CIO
    7. Report to General Counsel and/or Public Safety for follow-up

Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu/) by reference, per the Policy on Acceptable Use of Information Technology Resources.

Acceptable Use of Information Technology Resources Policy
Computer Security Breach Notification Policy

Procedures for handling a computer system compromise incident
IT Security Resources

Attachment 1 - DETAILED RESPONSES:
Short Term Attack and/or with Minor Damage

  • Attacks that are judged to be minor in scope or short term in duration, and originate inside the University, will be validated and if confirmed, reported to the appropriate judicial representative after one warning from the Chief Information Security Officer. The warning to the source explains that they are in violation of the University's Acceptable Use of Information Technology Resources Policy, and are being given one chance to modify their behavior. If the initial attack is relatively more serious, yet still "minor", the warning is to be waived and a report made to the appropriate judicial representative. This is a judgment call to be made by the Chief Information Security Officer.
  • A judicial report will result in a permanent record of the attack, and a sanction(s) commensurate to the seriousness of the attack. The intent is to provide an opportunity for members of our community to learn that we take these matters seriously and will not overlook inappropriate and potentially damaging behavior. Repeated attacks will result in escalation to policy regarding incidents having long term and/or major damage.
  • Attacks which originate outside the University will be reported to the appropriate service provider by the Chief Information Security Officer if of sufficient seriousness to warrant action on their part. The service provider will be given detail regarding the attack in order that the attacker may be dealt with according to the service provider's terms of use. It is not economically feasible for the University to pursue additional action against attackers (or their service provider) for minor problems.
  • When the source of a minor attack cannot be determined, because of a lack of evidence or because of faulty evidence, then it is in the best interest of the University to close the issue. (Evidence may be in the form of system recording (log) facilities, monitors, cache files, program dumps, network traces, disk storage media, etc.)


Long Term Attack and/or with Major Damage

  • In consultation with the Chief Information Security Officer, once the entity responsible for the system or network determines that an attack is of "major" consequence or damage, or the attack continues for a long duration (on-going or greater than one day), operational steps must be taken to preserve evidence. Major damage might be a loss (or corruption) of institutional data, an extended outage of a critical service or application, or other high-impact/high-cost damage.
  • An on-going attack originating inside the University will be reported to appropriate campus service providers as soon as it is detected. If needed, that group will perform tracing through network analysis to pinpoint the source of the attack. Alternatively, if the attack is detected through networking analysis, it will be reported to the Chief Information Security Officer and the entity responsible for the system as soon as possible after its detection.
  • If the source of the attack was outside of the University, ITS service providers will perform tracing through network analysis with the cooperation of the University's Internet Service Providers, and/or other external service providers. When external service providers are involved, an appropriately high problem severity level and rapid escalation procedures will be observed in order to trace the attack source and reach a resolution quickly.
  • The Chief Information Security Officer will inform the University Chief Information Officer (CIO) of the attack in a timely manner. If the attack originates inside the University, the appropriate judicial representative(s) will also be informed.
  • University legal representatives, in consultation with the CIO, will make a judgment regarding the seriousness of the attack and the appropriate legal action. In all cases, the University will analyze the impact and pursue punishment for the attacker if the source can be pinpointed with sufficient evidence to prove wrongdoing and there is justifiable cost to recover.
  • In the unlikely event that a long term attack, or an attack on a major or critical system, goes undetected, evidence is lost, and the attack cannot be traced to a source, then there is little to be done beyond recovery or repair of the damage and restoration of service. Serious attacks of this type will be reported as such to management for review.

Attachment 2 - CONTACTS:

Enterprise IT Security Representatives:

Jane Drews, Chief Information Security Officer, Information Security & Policy Office
it-security@uiowa.edu | (319) 335-6332

Shari Lewison, IT Security Officer, UI Healthcare Information Systems
itsecurity-hcis@uiowa.edu | (319) 356-0071

IT Management:
Steve Fleagle, Associate Vice President and CIO, The University of Iowa
Guy Falsetti, Senior IT Director, ITS Enterprise Infrastructure

Lee Carmen, Associate Vice President and CIO, UI Healthcare Information Systems
Patrick Duffy, Senior IT Director, UI Healthcare Information Systems

Judicial Representatives:

Students: Division of Student Life, (319) 335-3557
Tom Rocklin, Vice President for Student Life

Faculty: Tom Rice, Associate Provost for Faculty