Information Technology Security Incident Response Plan

Incident Response

Incident Response refers to those practices, technologies and/or services used to respond to suspected or known breaches of IT security safeguards.

Once a suspected intrusion activity has been identified as a security-breach incident, it must be contained as soon as possible, and then eradicated so that any damage and risk exposure to the University are avoided or minimized. Information technology security incidents frequently involve deliberate, malicious acts that may be technical (e.g., creation of viruses, system hacking) or non-technical (e.g., theft, property abuse, service disruption). Often, if the incident is left unchecked, then the damage it causes spreads within — and beyond — the University.

Responding to and handling incidents can be logistically complex, and may require information and assistance from sources outside the University’s Department of Information Technologies (such as technical specialists, law enforcement entities such as state police or FBI, and the University Relations office). The University combines both proactive and reactive strategies to deal with IT security incidents. Examples of proactive activities include establishing communication mechanisms to report incidents and to disseminate incident alerts and identifying technical experts who can provide emergency assistance if needed. Examples of reactive activity include blocking or aborting computer processes, temporarily denying user access or disabling vulnerable services, and deploying patches or inoculation software.

How to Report an Incident

To report a problem, send an e-mail message to the Incident Response Team at: abuse@umw.edu, providing a complete description of the problem.   If e-mail is not an option, call the Director of IT Security, as listed below.  Before anyone can respond to your complaint, you must provide as much information as possible.

Incident Response Team (IRT)

The University’s Division of Information Technologies (DoIT) has established a team — the Incident Response Team or IRT — that responds to IT security incidents and reports and complaints about abuse of information technologies.

The IRT includes the following:

Director of IT Security and ISO (Raymond Usler: 540-654-2152)
Acting CIO (Hall Cheshire:  540-654-1379)
Director, Networks and Communications (Deborah Hovey Boutchyard:  540-654-1217)
Director, Data Center Services (David Dean:  540-286-8034)

The IRT, led by the Director of IT Security, investigates the problems reported and takes appropriate action to protect the members of the community and the University’s resources. Whenever appropriate, the team may be expanded to include additional IT system or application administrators, and/or members from Internal Audit, Student Affairs, University Police, Human Resources or Academic Affairs, depending on the specific nature of the incident.

Each member of the DoIT IRT recognizes the often sensitive nature of both reports received and what is found during the course of an investigation. All members of the team will hold both reports and findings confidential consistent with both the letter and the spirit of the procedure described in this document, federal and state laws, and the rules of the disciplinary bodies involved.

The Division of Information Technologies is neither an investigative nor a disciplinary entity in its primary responsibilities. However, in cases where University resources and privileges are abused or otherwise threatened, the division will take appropriate steps.

DoIT system administrators who are members of the DoIT IRT may disable user accounts, interrupt computing processes or disable services at any time to safeguard University resources and protect University privileges. They may take these actions without prior approval if, in their best professional judgment, they need to do so to deal with immediate circumstances. These actions must be reported to, and are subject to timely review by the Director of Information Technologies Security and the Chief Information Officer. The CIO may authorize extending such actions to longer terms if necessary to safeguard University resources.

The team will work as rapidly as possible to establish the nature of the incident and to develop an appropriate response that protects the University’s resources and interests while eliminating (to the degree possible) the threat of recurrence. Sometimes, to accomplish this goal, the technical staff may have to temporarily leave a system vulnerability open in order to identify the malicious person(s) behind the incident. In all cases, the team will assume that it must notify appropriate authorities and preserve evidence.

How Investigations Work

Incidents that involve the University’s on-line environment sometimes lead to investigations, which include the gathering of technical evidence. Those investigations may be managed by law enforcement officers, authorized government officials, or others outside of the University community; by the University’s student Honor Committee or Judiciary Committee or by faculty conducting individual student-academic-issue investigations; or by University administrators in faculty or staff disciplinary investigations, depending on the nature of the incident and the role (i.e., faculty, staff or student) of the persons suspected of improper behavior. In such investigations, investigating officials may call on the DoIT IRT to provide technical information that may become evidence from computers owned and managed by DoIT.

Information That Can Be Requested

Evidence in these investigations may involve computer usage information about individuals that is maintained on centrally-managed computers. Computer usage information about individuals includes two major types

  • log information (generally referring to when a user’s account was used in various contexts)

and

  • content information (generally referring to content of materials stored in storage space tied to the account as well as “live” content generated or received by a person currently using the account).

After investigative officials have completed appropriate processes to authorize their requests, the DoIT IRT may be able to provide pertinent log information. Such records may show the connection of individual accounts to our host computers (called a connection log), and they may show delivery of a message from one individual’s account to another or other similar usage information. These logs usually are available for a limited period of time before they are overwritten with more current log data. Providing content information such as the contents of a mailbox, a file or a copy of a specific message within a mailbox raises more complex policy issues of privacy and academic freedom. From a technical perspective, it is also important for investigating officials to know that:

  • we keep backup copies of mailboxes for a limited period of time – while some individuals keep copies of all messages received on our central machines, others keep some messages there, and still others store no messages on the central machines after they have been delivered to a local machine. In any case, if a message was received by the recipient sufficiently long before the request, we may not be able to find a copy of it.
  • a message must reside in a mailbox or a file on one of our systems overnight for it to be available on a backup tape – if someone routinely reads and deletes messages from the server or keeps a file on the system for only a short period of time, it is possible that we have no record of the contents of that message/file.

Also understand that data we can provide from central computing systems in almost all cases will not establish with certainty the physical location of any person at any time. What it may establish is when an account was used and from what location.

How to Request Information

The procedures below reflect the sequence of steps necessary for investigating officials seeking computer usage information about individuals. All requests for access to the specific subtype of computer usage information that involves “content” will require additional review by the office of the University’s counsel, who is a member of the staff of the Office of the Attorney General of the Commonwealth of Virginia.

Law Enforcement, Government Officials, and Others Outside the University Community

  • Law enforcement, government officials and others outside the University community usually will need to provide legal orders (normally search warrants) to obtain computer usage information. These documents should be delivered to:

Mr. Hall Cheshire
Acting Chief Information Officer
University of Mary Washington
George Washington Hall, Room 307
1301 College Avenue
Fredericksburg, Virginia 22401-5300

 

Any such legal documents will be forwarded immediately to other appropriate University officials and to the Office of the Attorney General of the Commonwealth of Virginia in Richmond for review. Of course, the University and its employees will comply in timely fashion with any conditions included in a legal order. To ensure that the abuse team preserves information that may be needed, you may wish to notify it-abuse@umw.edu in advance about your intent to request such information. When possible and feasible, advance discussion about the type of computer-usage information sought before a legal order is delivered may help to ensure that language included in the order is precise and appropriate to the technical environment at the University.

  • Be specific about what you request. A specific request will speed delivery of information to you and will provide you with information that is pertinent to your needs.
  • The DoIT IRT will release computing usage information to law enforcement, government officials, or others outside the University community only after it has been reviewed by the state Attorney General’s Office, except in conditions where immediate delivery is mandated by legal order.
  • Unless otherwise instructed in the legal order, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

Honor and Judiciary Investigations and Faculty Conducting Individual Student-Academic-Issue Investigations

  • Representatives of the University’s Honor or Judiciary processes, or faculty conducting individual student-academic-issue investigations, will file any request for computer usage information through the University’s Vice President for Student Affairs, who will review it and instruct us about responding. To ensure that the DoIT IRT preserves information that may be needed, you may notify abuse@umw.edu in advance about your intent to request information. Should you contact a member of the DoIT IRT with a request, we will forward it to the University’s Vice President for Student Affairs.
  • Be specific about what you request (see above).
  • The DoIT IRT will not provide computer usage information to representatives of the Honor or Judiciary processes or faculty conducting individual student-academic-issue investigations until we are notified by the University’s Vice President for Student Affairs that the requestors have completed the appropriate processes. Requests for content information may require additional review by the state Attorney General’s Office.
  • Unless otherwise instructed in the request we receive from the University’s Vice President for Student Affairs, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

University Administrators in Faculty or Staff Disciplinary Investigations

  • University administrators investigating incidents as part of faculty or staff disciplinary processes will need to obtain appropriate authorization. For log information, appropriate authorization often will take the form of approval by the appropriate dean for teaching faculty or by the relevant vice president, dean or director for administrative or professional faculty or staff. To ensure that the DoIT IRT preserves information that may be needed, notify the abuse@umw.eduof your intent to request information as soon as you know you need it.
  • The DoIT IRT will not provide log information to University administrators investigating incidents as part of faculty or staff disciplinary processes until we have received appropriate approval to do so. Requests for content information will be handled in accord with relevant University policy.
  • Unless otherwise instructed in the request we receive, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

CHANGE HISTORY

Version Review/Approval Date Reviewed/Approved by Change
V1.0 April 12, 2011 Dana German Approved
V1.1 September 25, 2012 Hall Cheshire Updates based on CIO position
V1.1 September 25, 2012 Justin Webb (Acting CIO for Information Technologies Division) Approved
V1.2 April 7, 2015 Ray Usler Name and email edits