Response to Detection of Harmful Network Communications
The University of North Carolina at Greensboro
Policy Reference: Acceptable Use of Computing and Electronic Resources
Approved: November 30, 2006
Document Maintainer: Information Technology Manager, ITS - Data and Voice Operations
Purpose
This procedure addresses the following section of the related policy:
Section III.A
"The use does not intentionally or unintentionally overload University computing equipment or systems, or otherwise harm or negatively impact the system's performance or the support of such systems."
This procedure covers large-scale events, most often widespread service interruptions affecting the University network, caused by the following:
- Automated Malware:
  - viruses
  - worms
  - spyware
- Denial of Service (DoS) Attacks and Events
- Network Intrusion Scans and Exploits
Scope
This procedure covers the University network, the network infrastructure, and all machines, whether University owned or privately owned, that are directly connected to the University network. It is not intended to address general operational (individual client) virus issues; see Response to Suspected Circumvention to System Security for individualized security breaches.
Responsible Parties
- ITS CIO
- ITS AVCs/Directors
- Pertinent Department Management
- Computer Emergency Response Team (CERT)
- Virtual Communications Office (VCO)
- ITS Support Staff
Procedure
The response to a discovered problem is a phased process made up of the following components, carried out in a flexible order:
- Identifying the Problem
- Notification of Management and Clients
- Containment/Resolution
- Long Term/Permanent Solutions
The steps below give an overview of problem resolution; their order may vary with the event.
- The problem is reported or observed
- The front line (service desk) reports the symptoms to Enterprise Incident Management (EIM)
- EIM quantifies the event, notifies management, and routes the ticket to the correct group
- Correct incident routing is determined
- CERT is activated (for non-operational events)
- Initial mitigation
- Reporting to management
- Decisions on next step/larger response
- Implement solution
- Client community announcement (VCO)
- Long term fixes/solutions
