...

When sensitive PII is involved, Carleton's response, once we have discovered a breach, is necessarily more formal. ITS will:

  • Remove or isolate the affected system(s) from the network
  • Notify the Chief Technical Officer, or, if unavailable, the Director of Technology Support
  • Notify senior Carleton College executives, at minimum the President and Treasurer, and provide ongoing impact assessments to their offices
  • Notify local law enforcement and contact the local office of the FBI or the U.S. Secret Service
  • Assemble an initial internal forensics team; start the process of engaging external forensics experts, if needed
  • Determine whether the system(s) should be shut down (doing this can wipe out evidence and should be avoided initially)
  • Attempt to preserve all evidence, including SIEM and firewall logs, backups, snapshots, and other internal (OS) and external monitoring logs, without altering the system itself (root/admin logins should be avoided)
  • Document everything we do, including dates, times, and individuals involved

...