Response to Suspected Circumvention of System Security
The University of North Carolina at Greensboro
Policy Reference: Acceptable Use of Computing and Electronic Resources
Approved: November 30, 2006
Document Maintainer: Security Officer, ITS - Technology Planning
Purpose
This procedure addresses the following section of the related policy:
Section III.A.viii
"The use does not attempt to circumvent system security or in any way attempt to gain or provide unauthorized system or network access."
Scope
The procedure covers any discovered circumvention of system security via misuse of networking components, system servers, Enterprise data, or network infrastructure committed by students, faculty, staff, non-affiliates, any known or unknown person associated with the University, or any known or unknown person not related to the University. Events covered include, but are not restricted to, malicious and non-malicious purposeful circumvention (i.e. shared passwords), workarounds, lack of protection, and general malicious activity. This also covers security breaches related to the following data issues:
- Exposure of restricted or public data, related to Personal Information Security Breach Notification Protocol
- Unknown data exposure
- Neither restricted nor public data was exposed
- Degree of certainty of data exposure
For large-scale events such as widespread service interruptions affecting the University network, please see the Response to Detection of Harmful Network Communications Procedure.
Responsible Parties
- ITS Personnel
- ITS CERT Team
- Human Resources
- University Counsel
- Virtual Communications Office
- Pertinent Departmental Management
- Student Judiciary Committee
- Resnet
- Campus Police
- University Registrar
Procedure
Circumvention events may be discovered through various means, including major traffic spikes, scans, and reports. When an event is detected and diagnosed, the first response is to determine whether the violation is due to inappropriate individual actions or compromised machines. Following that step, ITS will take remedial action and will send recommendations of notifications according to the Matrix of Notification.
Responses and Recommendations
Each event is unique, and therefore the response to each will vary. In every case, the Response to Circumvention of System Security form should be completed and sent to ITS-Service Operations and Support, as well as to any parties listed in 4.2 Matrix of Notification.
Matrix of Notification
| | Staff | Faculty | Students | Unaffiliated | Contractor |
|---|---|---|---|---|---|
| ITS-AVCs [1] | * | * | * | * | * |
| ITS-Operations [1] | * | * | * | * | * |
| ITS Systems Security [1] | * | * | * | * | * |
| ITS-Networks [1] | * | * | * | * | * |
| ITS-System Admins [1] | * | * | * | * | * |
| Compliance Office [2] | situational | situational | situational | situational | situational |
| Data Stewards/Trustees [2] | situational | situational | situational | situational | situational |
| CERT team [3] | situational | situational | situational | situational | situational |
| Communications Office [4] | situational | situational | situational | situational | situational |
| Departmental Mgt [5] | * | * | * | * | |
| Dean of Students Office [6] | situational | | | | |
| Resnet [6] | * | | | | |
| Registrar's Office [6], [7] | situational | situational | * | situational | situational |
| Police [8] | situational | situational | situational | situational | situational |
| University Counsel [8] | situational | situational | situational | situational | situational |
Notification Procedure
- A complaint comes to 6-TECH or is discovered.
- A report is made to the Director of Service Operations and Support.
- The Director of Service Operations and Support disseminates the information to the appropriate division management and AVC staff.
- AVCs notify the following areas of the Notification Matrix as appropriate:
  - Compliance Office, which notifies the Data Stewards and Data Trustees as appropriate
  - CERT
  - ITS Communications Office
  - University Departmental Management
  - Dean of Students
  - Resnet
  - Registrar
  - Campus/City/State Police as necessary
  - University Counsel
In some instances this notification may need to be done twice, both when the problem is discovered and when the issue has been resolved.
- [1] ITS departments need to be informed any time circumvention of system security is identified.
- [2] The ITS Compliance Office needs to be notified any time University data may have been compromised.
- [3] The Computer Emergency Response Team (CERT) is notified when a security situation exists that may damage multiple computers or create problems within the network.
- [4] The ITS Communications Office is notified when an issue exists pertaining to the network security that needs to be communicated to the campus at large.
- [5] Departmental Management of faculty or staff is notified when a direct employee has violated ITS policies or procedures.
- [6] Dean of Students Office, Resnet and the Registrar's Office are notified when a student has violated University policies or ITS procedures.
- [7] Resnet is notified when a security event will affect student computing.
- [8] University Counsel and the police department may be notified pursuant to criminal activity within the campus network.
