Introduction

This policy provides guidance for the University of Iowa’s Network Vulnerability Assessment & Incident Response Program.  The program is designed to detect system vulnerabilities before they are exploited, and respond to successful system exploitations in a comprehensive manner.

Regular scanning of devices attached to the network, to assess potential security vulnerabilities, is a best practice for managing a dynamic computing environment. For critical enterprise systems or those dealing with sensitive data, additional testing methods to look deeper for more security vulnerabilities may be a requirement for compliance with laws, regulations, and/or policies.

Additionally, this policy provides guidance in determining the proper response to a network security incident from within or outside the University. It documents where to report problems and how the University will involve leadership and legal representatives. It also documents the individuals designated for these responsibilities, and procedural details, which depend on the severity and source of the attack.

In accordance with applicable law and UI policies, the University of Iowa shall provide timely and appropriate notice to affected individuals when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information, typically maintained in an electronic format by the University.

Scope

All devices attached to the University of Iowa’s network are subject to security vulnerability scanning and/or penetration testing.  Systems that are not properly managed can become a potential threat to the operational integrity of our systems and networks. Other systems dealing with sensitive data may be submitted for penetration testing at the request of the Data Trustee, or at the recommendation of the University Information Security and Policy Office (ISPO).

Penetration testing is a separate and distinctly different set of testing activities from vulnerability scanning. Its primary focus is the exploitation (not just observation or assessment) of security vulnerabilities and therefore may be disruptive of operations. Penetration testing is most beneficial when executed after an Assessment has been performed and the issues found by that Assessment have been remediated.

Attacks on University IT resources are infractions of the Acceptable Use Policy constituting misuse, or they may be vandalism or other criminal behavior. Attacks on University resources will not be tolerated, and this policy provides a method for pursuing the resolution and follow-up for incidents.

Reporting information security incidents occurring on University systems and/or on University networks to the appropriate authorities is a requirement of all persons affiliated with the University in any capacity, including staff, students, faculty, contractors, visitors, and alumni.  

Policy Statement

Network Vulnerability Assessment

Network scans are performed by ISPO-authorized scanning systems only.  This includes all ISPO systems (named itsecurity1.its.uiowa.edu, itsecurity2.its.uiowa.edu, …itsecurityN.its.uiowa.edu for prompt recognition as benign activity in system logs).

Types of Network Security Scanning and Assessment

Multiple levels and types of network security scanning are utilized by the University of Iowa, and are managed as services offered by the Information Security and Policy Office:

1. Routine Scan-- Low-level scans for basic service-tracking and vulnerability identification purposes will be conducted on all networks in the University uiowa.edu domain.  Routine scans are not typically advertised.
2. Ad Hoc Scan – Before a new system is put into service, it is recommended that a network security scan be conducted for the purposes of identifying potential vulnerabilities.   In addition, specialized scans to target specific problems posing a threat to the University’s systems and networks or to correlate interrelated network-based vulnerabilities will be conducted on an ad hoc basis. Scans may be requested by system administrators at any time, as frequently as necessary to maintain confidence in the security protections being employed.  Any system identified in conjunction with a security incident, as well as any system undergoing an audit, may be subject to a network security scan without prior notification.
3. Penetration Test - All penetration testing of University systems must be arranged by senior management/Data Trustee(s) and coordinated through the Information Security & Policy Office. Penetration testing is typically conducted over a period of several weeks, with regular feedback to the Data Trustee(s) if issues are identified.
   Due to the more intrusive nature of a penetration test, and to better manage risks associated with such tests, a signed non-disclosure agreement and confidentiality agreement is required prior to commencing the penetration test. Penetration testing may be performed by any qualified service provider approved by the ISPO.

Vulnerability Remediation

Vulnerabilities that are identified during ISPO network vulnerability assessments will be communicated to system owners.  The identification of “false positives” in scan reports is the responsibility of the system owner, and must be communicated to the ISPO.  University departments and units must work with ISPO toward vulnerability remediation, mitigation, or implementing compensating controls to reduce risks identified in vulnerability assessments.

Incident Response

Suspected or confirmed information security incidents must be reported promptly to the ISPO by sending a message to it-security@uiowa.edu or calling 319-335-6332.  After normal business hours and on weekends, the ISPO can be contacted by calling the ITS Help Desk: 384-HELP (4357), and then dialing 0.

The ISPO will investigate the report, and if a security breach may have occurred, will inform the Chief Information Officer (CIO), university and healthcare leadership, General Counsel, Critical Incident Management Team, and/or law enforcement, as appropriate.

In the event that a public notification of the security breach may be warranted, the CIO will consult with the appropriate University Vice President(s), Provost, and General Counsel to develop the response and make the final determination if a public notification of the event is warranted.  Individual departments are not authorized to perform public notification.

Incident Response Procedures

The entity responsible for support of the system or network that has been compromised or is under attack is in all cases expected to:

1. Report the incident to their leadership and to the ISPO.
2. Take action at the direction of the ISPO to contain the problem, and block or prevent escalation of the attack, if possible.  For systems critical to University operations, administrators may continue recovery efforts while awaiting ISPO response.
3. Follow instructions communicated from the ISPO in order to facilitate investigation of the incident and preservation of evidence.
4. Implement recommendations from the ISPO to remediate the system, and repair resulting damage, if any.
5. Restore service to its former level, if possible.

Internal Notifications

The Chief Information Security Officer (CISO) will report serious computer security breaches to the Chief Information Officer (CIO). The CIO will consult with appropriate officials, and decide if the Critical Incident Management Team must be convened to determine a response strategy, or if an alternate group is appropriate for the response. This determination may be made prior to completion of the investigation of the security breach. The ISPO will report the incident to the Department of Public Safety, university leadership and/or the General Counsel when, based on preliminary investigation, criminal activity has taken place and/or when the incident originated from a university computer or network.

Public Notification of Breach

To determine whether public notification is required, the CIO will consult with university leadership, including Office of the General Counsel (OGC), Office of Strategic Communication, HR and others as appropriate.  Departments may not perform public notification without CIO and OGC approval.

Individual Notification of Breach

To determine whether individual notification of a breach is necessary, the CIO, in consultation with appropriate university officials, will consider all relevant factors (such as legal or regulatory requirements, credible evidence the information was in a usable format, ability to reach the affected individuals, etc.)
If it is determined that a notification of breach to affected individuals is warranted, the following procedures will apply:

1. The notification will be drafted by the affected department and submitted to the CIO and Office of Strategic Communication for review and approval. The cost consideration will be the decision of the CIO, Provost, General Counsel, and Vice President for Finance and Operations.
2. Written notice will be provided to the affected individuals based on legal or regulatory requirements, which may include personal email or US Mail. 

All expenses associated with public or individual notification will be the responsibility of the department responsible for the system that experienced the security breach.

Incident Response Planning

The ISPO shall maintain an internal, standardized incident response framework that includes protection, detection, analysis, containment, recovery, and user response activities. 
The ISPO shall annually, at a minimum, test the incident response framework and associated capabilities in order to determine the framework’s effectiveness.  The results of this testing shall then be used to improve the incident response framework.

Related Policies, References, and Attachment(s)

This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources)

Institutional Data Policy

Security Policy

Enterprise IT Security Representative

Zachary Furst, CISO, Information Security & Policy Office
it-security@uiowa.edu | (319)335-6332