University of Central Florida

Information Security

Information Security Incident Response

Goal

It is the responsibility of the SIRT, IT Managers, Departmental Security Coordinators, Deans and Directors to respond properly and consistently, with appropriate leadership and technical resources, to any incident that threatens the availability, confidentiality, and integrity of information resources or that violates the acceptable use policy.

Initial Actions

STOP! You may be tempted to unplug the machine, shut down the system, or make changes to remedy the incident quickly. Don't do anything until you have decided what your goal is. Any change to the system could destroy valuable information about the compromise, such as the identity of the perpetrator, the avenue of attack, and the data that was affected. In any event, the UCF SIRT should be notified to coordinate the response.

To assist you in the first stage of the response, the following procedures were developed for gathering information:

A rapid assessment must be made as soon as possible to determine the threat level.

  • Level 1 Incident - Security incident involving Unrestricted Data
  • Level 2 Incident - Security incident involving Restricted (non-personal) Data
  • Level 3 Incident - Security incident involving Restricted (personal) Data

If the incident involves personal restricted data (Level 3), the Standard Operating Procedures for this type of data breach should be followed. Also, if the system is an immediate threat to critical IT resources, internally and/or externally, it should be physically or logically removed from the network. Please refer to the Incident Response for Compromised IT Resource for a workflow of the steps to be taken.

Investigation

Once the initial response is performed and the incident is classified and contained, further investigation may be required to determine the cause. The SIRT may perform the investigation using forensic tools to acquire the evidence and then analyze it in a secure environment. All actions taken should be fully documented using the following form and submitted to the SIRT.

Recovery

Recovery from an incident begins when the investigation is complete and the machine can be returned to normal operation. Lessons learned will be identified, and measures to protect against future incidents of the same kind will be implemented. A final report communicating the findings to the University IT Security Office, IT staff and other affected parties will need to be developed and shared.

All contents are copyrighted
Maintained by the Information Security Office
Computer Services & Telecommunications
Division of IT&R