CSUSB Containment Guidelines CSUSB, Information Security Office


CSUSB, Information Security Office. Last Revised: 01/30/2013. Final

REVISION CONTROL

Document Title: CSUSB Containment Guidelines
Author: Javier Torner
File Reference:

Date       By           Action                                  Pages
03/30/05   J Torner     Created Guidelines                      All
07/25/05   J Torner     Added Evidence Preservation
08/11/05   J Torner     Added Incident Handling
10/30/06   J Macdonell  Added Incident Containment Procedure
08/01/07   J Macdonell  Added Incident Interview

Review/Approval History

Date       By           Action                                  Pages
                                                                All

Contents

1.0 Incident Notification
    Individual Notification of Incidents
    Notification of Incidents - Multiple systems
    Escalation
2.0 Security Event Notification Template
3.0 Evidence Preservation
4.0 Evidence Preservation Template
5.0 Incident Containment Procedure
6.0 Chain of Custody Document

1.0 Incident Notification

The following are general guidelines when sending notification for security incidents to the owners or custodians of computer or information systems. However, when security incidents involve violations of state or federal laws, or of CSU or CSUSB policies, notifications must adhere to the procedures outlined in the corresponding CSU or CSUSB policy. If in doubt about the nature of the incident, contact the University Information Security Officer. An e-mail template for incident notification can be found in the IncidentNotificationTemplate document.

Individual Notification of Incidents

Individual notifications are to be used for those systems which belong to a department or are under the care of an identified group on campus. The notification must include the following information:

- Identification of the system in question, such as IP address, MAC address, port number, location, etc.
- Verifiable evidence in the form of an excerpt of a log file
- Action taken, if any

The notification:

- must be sent to the technician of record
- must be copied to the immediate supervisor/manager/department chair
- must include appropriate instructions in case the system in question contains or is used to access personal information
- must be cc'd to security@infosec.csusb.edu
- should include a digital signature

Notification of Incidents - Multiple systems

Notification of incidents when there are multiple systems under the care of different groups on campus can be sent to the technician listserv (techs@csusb.edu) for prompt action. The notification must include the following information:

- Identification of the systems in question, such as IP addresses, MAC addresses, port numbers, locations, etc.
- Verifiable evidence in the form of an excerpt of a log file
- Action taken, if any

The notification:

- must be sent to techs@csusb.edu
- must be copied to the help desk at helpdesk@csusb.edu
- must include appropriate instructions in case the system in question contains or is used to access personal information
- must be cc'd to security@infosec.csusb.edu
- should include a digital signature

Escalation

In the event that no response is received within a reasonable amount of time (typically one business day) to an incident notification, then a second notification must be sent and copied to the supervisor's supervisor. A third notice is sent directly to senior management with copies to technicians and direct supervisors.

2.0 Security Event Notification Template

Below is the recommended e-mail template for notifying owners and administrators of computer incidents involving computer systems under their control. This template is intended to help to preserve evidence should it become necessary to comply with CA Civil Code 1798 (formerly SB1386). The e-mail must be sent according to the guidelines described in the Incident Notification guidelines. Edit the text in brackets to fit the corresponding information for the incident.

Subject: [SECURITY] Suspicious activity - << computer or IP >>
From: James Macdonell <jmacdone@csusb.edu>
CC: Information Security Office <security@infosec.csusb.edu>

This is an incident notification for the following computer:

139.182.xxx.yyy  << mac address >>  << room # >>

This computer appears to be infected with one or more Malware:

Latest Event          Count  Signature
2013-01-17 09:15:08   2      Outdated Windows Flash Version IE
2013-01-17 12:15:41   1      pamdql/sweet Orange /in.php?q= Hostile landing
2013-01-17 12:15:48   1      Redkit Exploit Kit 3Char PDF Request
2013-01-17 12:15:52   2      Vulnerable Java Version 1.6.x Detected
2013-01-17 12:15:53   2      RedKit Exploit Kit Java Request to Recent jar
2013-01-17 12:15:53   2      RedKit - Jar File Naming Algorithm
2013-01-17 12:15:54   1      RedKit - Payload Requested - /2Digit.html
2013-01-17 12:15:55   7      RedKit - Potential Java Exploit Requested
2013-01-17 12:15:58   1      Maxmind geoip check to /app/geoip.js
2013-01-17 12:16:20   1      TROJAN Downloader HTTP Library seen with ZeuS
2013-01-17 12:16:20   1      Windows 98 User-Agent Detected
2013-01-17 12:18:13   2      TROJAN System Detection FakeAV (INTEL)

This computer should be examined and may need to be disconnected from the network.

If any computer system suspected of compromise is known to contain or access personal information (such as a combination of full name and any of the following: social security number, date of birth, medical information, financial information) YOU MUST NOTIFY the Information Security Office and prevent any further access to the computer.

A concern of any computer attack is the compliance with Civil Code Sections 1798.29 and 1798.82-1798.84 (formerly SB-1386), which require notifying individuals whose personal information may have been compromised.

http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.25-1798.29
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84

Please keep us informed of the status of this system. If you have any questions or concerns, please do not hesitate to reply to this e-mail. We look forward to your reply. Logs available upon request.
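The routing and content rules of section 1.0 and the template of section 2.0 are easy to get wrong under time pressure (a notice that goes out without the log excerpt, without the security office on CC, or without the personal-information instruction). The script below, added here as an example and not part of the CSUSB guidelines or the Information Security Office's tooling, checks a notification against those requirements, fills the template, and lays out the three-step escalation schedule. The class and function names, the sender and technician addresses, the MAC address and the sample IDS line are all constructed for the example.

```python
"""Compose and check an incident notification e-mail.

Added example, not the guidelines' own code: it encodes the section 1.0
required fields and routing rules and fills the section 2.0 template.
Class/function names and the sample addresses and log line are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from email.message import EmailMessage

# Addresses named in the guidelines
SECURITY_OFFICE = "security@infosec.csusb.edu"
TECH_LISTSERV = "techs@csusb.edu"
HELP_DESK = "helpdesk@csusb.edu"

PII_INSTRUCTION = ("If this computer is known to contain or access personal "
                   "information (full name with SSN, date of birth, medical or "
                   "financial information) YOU MUST NOTIFY the Information "
                   "Security Office and prevent any further access to it.")


@dataclass
class Notification:
    systems: list            # dicts with ip, mac and optionally port/location
    evidence: list           # verbatim log excerpt lines (verifiable evidence)
    action_taken: str        # state "none" explicitly rather than omitting it
    sender: str
    technician: str = ""     # technician of record (single-system route)
    supervisor: str = ""     # immediate supervisor/manager/department chair
    multi_system: bool = False   # systems under different groups -> listserv


def problems(n: Notification) -> list:
    """Return the section 1.0 requirements this notification fails to meet."""
    issues = []
    if not n.systems:
        issues.append("no system identified")
    for s in n.systems:
        if not s.get("ip") or not s.get("mac"):
            issues.append(f"system {s} lacks IP or MAC address")
    if not n.evidence:
        issues.append("no verifiable evidence (log excerpt) attached")
    if not n.action_taken:
        issues.append("action taken not stated")
    if not n.multi_system and not n.technician:
        issues.append("technician of record missing")
    if not n.multi_system and not n.supervisor:
        issues.append("immediate supervisor not copied")
    return issues


def recipients(n: Notification) -> tuple:
    """To and CC lists; the security office is always copied."""
    if n.multi_system:
        return [TECH_LISTSERV], [HELP_DESK, SECURITY_OFFICE]
    return [n.technician], [n.supervisor, SECURITY_OFFICE]


def build_message(n: Notification) -> EmailMessage:
    """Fill the section 2.0 template; refuse to build an incomplete notice."""
    issues = problems(n)
    if issues:
        raise ValueError("; ".join(issues))
    to, cc = recipients(n)
    label = n.systems[0]["ip"] if len(n.systems) == 1 else f"{len(n.systems)} systems"
    msg = EmailMessage()
    msg["Subject"] = f"[SECURITY] Suspicious activity - {label}"
    msg["From"] = n.sender
    msg["To"] = ", ".join(to)
    msg["CC"] = ", ".join(cc)
    body = ["This is an incident notification for the following computer(s):", ""]
    body += [f"{s['ip']}  {s['mac']}  {s.get('location', '')}".rstrip() for s in n.systems]
    body += ["", "Evidence:"] + list(n.evidence)
    body += ["", f"Action taken: {n.action_taken}", "", PII_INSTRUCTION, "",
             "Please keep us informed of the status of this system. "
             "Logs available upon request."]
    msg.set_content("\n".join(body))
    return msg


def add_business_days(start: date, days: int) -> date:
    """Count forward skipping weekends (campus holidays are not modelled)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def escalation_plan(n: Notification, sent: date) -> list:
    """The three notices of section 1.0, one business day apart if unanswered.
    The bracketed addresses for the higher levels are placeholders."""
    to, cc = recipients(n)
    second = add_business_days(sent, 1)
    third = add_business_days(second, 1)
    return [
        {"step": 1, "date": sent, "to": to, "cc": cc},
        {"step": 2, "date": second, "to": to, "cc": cc + ["<supervisor's supervisor>"]},
        {"step": 3, "date": third, "to": ["<senior management>"], "cc": to + cc},
    ]


# Constructed sample: addresses, MAC and the IDS line are made up
SAMPLE = Notification(
    systems=[{"ip": "139.182.1.1", "mac": "00:11:22:33:44:55", "location": "Room 101"}],
    evidence=["2013-01-17 12:15:55  7  RedKit - Potential Java Exploit Requested"],
    action_taken="none",
    sender="iso-analyst@csusb.edu",
    technician="example.tech@csusb.edu",
    supervisor="example.supervisor@csusb.edu",
)
SAMPLE_SENT = date(2013, 1, 18)   # a Friday, so the second notice lands on Monday

if __name__ == "__main__":
    print(build_message(SAMPLE))
    for step in escalation_plan(SAMPLE, SAMPLE_SENT):
        print(step)
```

Running the file prints the filled-in e-mail for the single-system route followed by the three escalation steps; setting `multi_system=True` switches the recipients to the technician listserv and help desk as section 1.0 requires. The escalation dates only skip weekends, so a real schedule would also need the campus holiday calendar.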

3.0 Evidence Preservation

The following are the guidelines followed by the Information Security Office for preserving evidence which may have been collected or provided as part of an investigation. In all cases the physical evidence will be protected to maintain its integrity during its collection, during the process to produce a forensic image, and during its storage while it is under the custody of the Information Security Office. Physical evidence as well as the results of a computer forensic analysis will not be released to anyone without the written authorization of the University Provost or its designee, or the university legal counsel, after the conclusion of an investigation.

The physical evidence as well as the results of the computer forensic analysis will be preserved as follows:

- In those instances where an investigation involves CSUSB personnel, or involves any possible legal action, the physical evidence and computer forensic analysis results will be preserved for no less than 7 years from the date the evidence was collected.
- Otherwise the physical evidence and associated results of the computer forensic analysis will be preserved for no less than one year from the date the evidence was collected.
- The physical evidence may be released upon request at the completion of an investigation.
- The Information Security Office will not clean, delete, or destroy any information residing on any collected or provided evidence, except in extreme circumstances by a written request and at the discretion of the Information Security Officer.

4.0 Evidence Preservation Template

An e-mail template to use in cases where collection of the hard drive (or computer itself) is anticipated or compulsory:

To: Example Tech <example tech@csusb.edu>
Cc: Example Supervisor <example supervisor@csusb.edu>
Subject: [SECURITY] Preservation of evidence (IRN: 20080808_01)

This is an evidence collection request for the following computer:

139.182.1.1 (hackedbox.csusb.edu)

{{LOGS OR OTHER EVIDENCE}}

This computer needs to be physically secured. Follow the D.U.S.T. procedure:

D) Physically DISCONNECT the computer from the network.
U) UNPLUG the power.
   - Do not use the standard shutdown procedure.
   - Do not attempt to log in.
   - Do not attempt to find any information.
   Any of these actions can destroy valuable trace evidence.
S) Move the computer to a SECURE location:
   - An occupied/locked manager's office
   - An occupied/locked computer workshop
T) TELL us and arrange for evidence collection.

When the Information Security Office receives information that a computer appears to be compromised (e.g. by a virus or worm), our standard procedure is to confirm the information, notify the technicians assigned to the VLAN, and also to notify an appropriate MPP. As with any computer compromise, there is a potential liability to the University. This is why a manager is notified in addition to a technician. Under California law (California Civil Code 1798), the University is obligated to notify anyone whose personally identifiable information (such as social security numbers and financial account information) is reasonably believed to have been disclosed to an unauthorized third party.

As part of the University's incident handling procedures, our office will work to preserve evidence to protect the liability of the University and to meet our obligations under state and federal law. The preservation of evidence often requires the collection of the compromised computer's hard drive. This makes the compromised computer unusable for at least a few days (the time necessary to create a forensic image of the hard drive) and perhaps up to seven years. When the hard drive (or computer itself) is collected, managers are responsible for coordinating their college/division/department disaster recovery and business resumption plans so the computer's user can regain productivity. Also, if during the course of an investigation evidence is discovered that indicates that personally identifiable information was indeed disclosed without authorization, the manager will become involved in the decision and process to send notifications as required by law. That said, most virus and worm infections on campus do not escalate to the point where notifications are required. The collection of evidence is most often simply a preventive measure to protect the University from future liability or lawsuits.

If you have any questions, please let us know. We look forward to your reply. Additional logs available upon request.

5.0 Incident Containment Procedure

6.0 Chain of Custody Document

NOTICE: The Information Security Office does not attempt to modify or remove files from a computer system since these systems may contain information of importance to the owner. For this reason, the responsibility to repair or remove files is left to the respective college/department computer technician.

IRN:
System Name:
Department:
Location:
Item(s):

Received from:   Name ______________   Signature ______________   Date/Time ______________
Received by:     Name ______________   Signature ______________   Date/Time ______________

Reason for change of custody: hold for possible litigation
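The paper form above records who handed an item to whom and when; section 3.0 additionally commits the office to protecting the integrity of the evidence through imaging and storage and to retention periods of one or seven years. The script below, added here as an example rather than anything the CSUSB guidelines or the Information Security Office ship, keeps an electronic counterpart of the form: it fixes the identity of the collected image with a SHA-256 digest, links each custody transfer to the previous one by hash so a later edit to the log is detectable, and computes the section 3.0 retention date. The class and function names, the sample image bytes and the people and times in the sample record are all constructed.

```python
"""Chain-of-custody record for collected evidence.

Added example, not the guidelines' own tooling: it pins the identity of a
collected drive image with a SHA-256 digest, appends one hash-linked entry
per custody transfer carrying the fields of the section 6.0 form, and
computes the section 3.0 retention date. Names and sample data are assumptions.
"""
import hashlib
import json
from datetime import date, datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _digest_of(record: dict) -> str:
    """Canonical JSON keeps the digest stable regardless of dict key order."""
    return sha256_hex(json.dumps(record, sort_keys=True).encode())


class CustodyRecord:
    """One chain-of-custody form plus its hash-linked list of transfers."""

    def __init__(self, irn, system_name, department, location, items, image: bytes):
        self.header = {"irn": irn, "system_name": system_name,
                       "department": department, "location": location,
                       "items": items, "image_sha256": sha256_hex(image)}
        self.entries = []

    def transfer(self, received_from, received_by, reason, when=None) -> dict:
        """Record a hand-over; 'prev' binds it to the preceding entry (or header)."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1] if self.entries else self.header
        entry = {"received_from": received_from, "received_by": received_by,
                 "date_time": when.isoformat(timespec="seconds"),
                 "reason": reason, "prev": _digest_of(prev)}
        self.entries.append(entry)
        return entry

    def verify_image(self, image: bytes) -> bool:
        """True if the image still matches the digest taken at collection."""
        return sha256_hex(image) == self.header["image_sha256"]

    def verify_chain(self) -> bool:
        """True if no recorded transfer (other than the last) has been altered."""
        prev = self.header
        for entry in self.entries:
            if entry["prev"] != _digest_of(prev):
                return False
            prev = entry
        return True

    def to_json(self) -> str:
        return json.dumps({"header": self.header, "entries": self.entries}, indent=2)


def retention_deadline(collected: date, personnel_or_legal: bool) -> date:
    """Section 3.0: 7 years when CSUSB personnel or possible legal action are
    involved, otherwise 1 year, counted from the collection date."""
    years = 7 if personnel_or_legal else 1
    try:
        return collected.replace(year=collected.year + years)
    except ValueError:                       # collected on 29 February
        return collected.replace(year=collected.year + years, day=28)


# Constructed sample: a stand-in for a forensic image and two hand-overs
SAMPLE_IMAGE = b"constructed stand-in for a forensic disk image"
SAMPLE_COLLECTED = date(2008, 8, 8)


def sample_record() -> CustodyRecord:
    rec = CustodyRecord("20080808_01", "hackedbox.csusb.edu", "Example Dept",
                        "Room 101", "1 x SATA hard drive", SAMPLE_IMAGE)
    rec.transfer("Example Tech", "ISO Analyst", "hold for possible litigation",
                 datetime(2008, 8, 8, 14, 30, tzinfo=timezone.utc))
    rec.transfer("ISO Analyst", "ISO evidence locker", "storage pending imaging",
                 datetime(2008, 8, 8, 16, 0, tzinfo=timezone.utc))
    return rec


def tamper_detected() -> bool:
    """Alter the first transfer after the fact; the second entry's link breaks."""
    rec = sample_record()
    rec.entries[0]["reason"] = "released to owner"
    return not rec.verify_chain()


if __name__ == "__main__":
    r = sample_record()
    print(r.to_json())
    print("chain ok:", r.verify_chain(), "image ok:", r.verify_image(SAMPLE_IMAGE))
    print("retain until:", retention_deadline(SAMPLE_COLLECTED, True))
```

The hash link only protects entries that have a successor, so the most recent transfer should still be countersigned on the paper form; a fuller design would sign each entry with the receiving custodian's key. The digest is computed over the image bytes the office actually stores, which is why the image must be taken before the drive leaves the collector's hands, as the D.U.S.T. procedure in section 4.0 intends.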