Versions Compared

Old Version 9

changes.mady.by.user Richard Goerwitz

Saved on

compared with

New Version 10

changes.mady.by.user Richard Goerwitz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security Incident and Breach Response

...

Procedures

The purpose of this document is to outline ITS's general approach to dealing with security incidents relating to, or affecting, Carleton's network and computing environment.  It is not intended as a comprehensive framework ( along the lines of ISO/IEC 27035), but rather as 1) a framework for helping clients understand what is happening, and 2) a template we can follow look to internally for guidance, in the heat of the moment, in case of a security incident.

This document also outlines our specific response policy steps where personally identifiable or otherwise very sensitive information has been disclosed.

Table of Contents
minLevel2

...

excludeSecurity Incident
typeflat

Motivation

Maintaining Carleton's network and overall computing environment has become, increasingly, a cybersecurity challenge.  2017, in particular, was a bad year for for cybersecurity.  2017 saw a number of highly publicized breaches, like the Equifax hack, as well as new vulnerabilities on computer processors (Spectre and Meltdown), and the rise of ransomware.  In response to these security challenges, ITS has taken steps to improve our ability to monitor our network, detect anomalies, and mitigate vulnerabilities (or outright compromises) when discovered.

...

A breach could be something as minor as, for example, the theft of user credentials, allowing unauthorized parties to assume the identity of a Carleton user.  A breach could also be something as significant as exfiltration of a large amount of sensitive data, or outright theft/ransom of an entire administrative database.

Detection

Detection of anomalous or unauthorized activity in Carleton's computing environment that presents either a reputational or financial risk to the college may come to ITS through a variety of channels, including

  • User reports
  • Automated alerts
  • Semi-automated scanning (for example, when we have reason to suspect a problem exists)
  • Analysis of log data by security staff

Risk Assessment

Once a problem has been identified, we assess.  In complex cases, we may engage third parties, for example, cybersecurity firms with expertise in the area where we've experienced a compromise.

...

  • How immediate is the threat?
    • Is the threat potential (a "vulnerability"), or are we looking at an actual breach?
    • If the threat is potential, what is its CVS score?  How are other schools/businesses addressing the risk?  What actions do our software vendors recommend?
    • What is the actual (and potential) financial risk to the college?
  • Who is affected?
    • A single person or device?
    • A few people (like a small department) or small number of devices?
    • A large number of people or devices, possibly the entire college?
    • Internal or external users?

Mitigation

Once affected people and systems have been assessed, ITS will assign appropriate resources, which may include

...

  • Temporarily locking a user's account, to limit damage to their personal information and resources
  • Locking multiple accounts to prevent damage from spreading to new accounts or devices
  • Taking one or more devices physically (or virtually, via software) off the network, to prevent intrusion
  • Removing unauthorized software ("malware")
  • Reimaging/rebuilding affected machines, resetting them to a "known good" state
  • Requesting that a user, or set of similar users, update software, in order to secure a device they are responsible for
  • See also PII disclosure response procedure below

Response in Case of Personally Identifiable Information (PII) Disclosure

When sensitive PII is involved, Carleton's response, once we have discovered a breach, is necessarily more formal.  ITS will:

...

  • Set up a website relating to the incident
  • Send a notification email to affected parties outlining the breach, their risk, and next steps, as well as linking to the website
  • Send paper notifications to the same, where possible
  • In general, provide any information, mitigation, or remedies mandated by law and/or by senior officers of the college

Richard Goerwitz
January 2018

 

...

 

...

Richard Goerwitz
January 2018

...