As the Internet has grown enormously over the last several years, the number of reported security incidents related to Internet connectivity has grown at a similar pace. Harris-Stowe State University expects Harris-Stowe’s employees, students and visitors to be aware of security issues and to respond to security incidents. To meet these growing needs and expectations, Harris-Stowe’s Information Technology Department has identified three services addressing Internet security:
Purpose of Security Policy and AUP:
Harris-Stowe’s Acceptable Use Policy (AUP) is a companion document to this Security Policy. The AUP spells out what employees and students shall and shall not do on the various components of the system, including the type of traffic allowed on the networks. The Security Policy internally informs Harris-Stowe employees and students of the day-to-day implementation of the AUP in protecting technology and information assets. These two policies also cover incidents when someone outside Harris-Stowe is injured by or interferes with Harris-Stowe related network activities. Finally, these policies inform Harris-Stowe employees and students of the mechanisms through which the AUP and Security Policy are complied with and enforced.
- Security Defined: For the purposes of this document, "security" refers to the integrity of Harris-Stowe’s owned and/or operated systems, servers and network infrastructure.
- Acceptable Use Concerns: Some incidents may not involve the integrity of Harris-Stowe owned and/or operated systems, servers, processes and/or network infrastructure. On the other hand, some Security incidents may involve non-Harris-Stowe participants. Due to the overlapping areas of concern and the level of expertise required, Harris-Stowe’s Security Incident Response Team is tasked with investigating Security and AUP concerns. Policies and procedures referred to in this Security Policy are intended to cover both AUP and Security-related incidents.
- Harris-Stowe’s Acceptable Use Policy (AUP), referred to throughout this document.
Delivery of Security & Acceptable Use Services:
The Security Incident Response Team is committed to certain principles for delivering these services. They include:
- Confidentiality - Security incidents will be held in strictest confidence by the Security Team. Security Incident Reports (SIR) and the resulting responses will not be made available to the public unless the employee or student specifically releases the Security Team to do so, the incident involves Harris-Stowe property interests, or release is required by federal, state, or local laws.
- Accuracy - Security information distributed by the Security Team should be complete, correct and reliable. Incident information will be thoroughly researched and checked by the Security Team before being communicated.
Designated Contact Persons:
Harris-Stowe has identified the need for an employee contact for Security matters. This contact will initially default to the Security Manager in the Information Technology Department. The person appointed should bear overall day-to-day responsibility for the network Security. The person should be empowered to act to safeguard the network, and should have access to the expertise to make necessary changes without undue delay.
Security Incident Response Team
Security Team Resources:
Harris-Stowe’s Information Technology Department has identified internal resources to deliver Security and Acceptable Use investigative services. These resources have been combined into Harris-Stowe’s Security Incident Response Team (SIRT), a working group of staff who are knowledgeable in areas of supported network systems, servers and infrastructure. The Security Team will respond to reported Harris-Stowe network and computer related Security incidents.
General Security Team Composition:
The Harris-Stowe Security Team is responsible for Harris-Stowe's implementation of Security measures on internal and shared resources. Specifically, this group's responsibilities include:
- Coordination of implementation and tracking of Harris-Stowe's Security protocols and procedures.
- Oversight of system and network configuration Security of all systems, servers, routers and other devices.
Harris-Stowe’s Security Manager’s responsibilities include:
- Coordination of the Security Team, including team composition for resolution of a specific incident.
- Coordination of response to SIRs from customers and external sources.
- Interacting with law enforcement and any other outside organization when appropriate.
Security and AUP Incident Response
Security and AUP Incident Response Goals:
These goals may be prioritized differently depending on the nature of the incident. Objectives for dealing with incidents include:
- Investigate how the incident occurred.
- Decide how to deter or prevent the action from recurring.
- Contact and inform MORENET of incident if applicable.
- Avoid escalation and further incidents.
- Assess the impact and damage of the incident.
- Recover from the incident.
- Bring the parties back into compliance with the AUP.
- Update policies and procedures as needed.
- Find out who did it (if appropriate and possible).
- Take actions to prevent and/or deter the action from recurring.
- Document the incident and preserve evidence where possible, for reporting purposes and effective resolution of an incident.
- Contact and inform the VP of Academic Affairs, the VP of the Business and Financial Affairs, and external law enforcement if required.
Depending on the nature of the incident, there may be a conflict between analyzing the original source of a problem and restoring systems and services. Overall goals (such as maintaining the operation of critical systems) may supersede the goal of detailed analysis of an incident. It remains the employee's decision, but all involved parties must be aware that without analysis the same incident may happen again.
Security and AUP Incident Response Priorities:
Actions to be taken during an incident should be prioritized before an incident occurs. An incident may be so complex that it is impossible to respond to everything at once, so priorities are essential. An important implication for defining priorities is that once human life and national Security considerations have been addressed, it is generally more important to save data than to save system software and hardware. Although it is undesirable to have any damage or loss during an incident, systems can be replaced. Another important concern is the affected parties beyond the systems and networks where the incident occurs. Within the limits imposed by government regulations, it is always important to inform affected parties as soon as possible. Because of the legal implications, this notification should be included in planned procedures to avoid delays and uncertainties for administrators.
- Protect human life and safety.
- Protect classified and/or sensitive data.
- Protect other data.
- Prevent exploitation of other systems, networks or sites.
- Inform affected systems, networks, or sites about successful penetrations.
- Prevent damage to systems.
- Minimize disruption of computing resources. Sites must evaluate the trade-off between shutting down and disconnecting, or staying up.
Security and AUP Incident Response Obligations:
Harris-Stowe employees and students have an obligation to comply with Harris-Stowe’s Security Policy and AUP. The Harris-Stowe Security Incident Response Team is responsible for ensuring organizational compliance. This will include conducting investigations, reporting the findings of those investigations within a reasonable time period, and taking action to cure any breach of the Security Policy and AUP.
Security and AUP Notification:
The Security Manager should be notified of any Security or AUP incidents immediately.
Security and AUP Investigation:
The Security Team members will establish or disprove the existence of a Security incident, and will recommend action to end the incident or reduce future vulnerability.
Secure Handling of Investigative Results:
The Security Team members will place all hardcopy or electronic documents, notes, memos, etc. in a secured file to which only team members have access.
Security and AUP Incident Closure:
The Security Manager and/or the Security Team members will write a report at the end of the incident which will include at least the following information:
- Date of the incident's initiation and closure.
- Names of individuals involved.
- Description of the incident.
- How the incident was resolved.
- General nature of any disciplinary actions taken.
Safeguards in Event of Noncompliance:
In the event a Harris-Stowe employee or student does not respond within a reasonable time to the Security Team's requests, is uncooperative, or declines to ease or remedy an established Security or AUP incident, the Security Manager will take interim, non-disciplinary measures to safeguard the interests of affected institutions and inform the appropriate director of those actions. The Security Manager will then send a certified letter (return receipt requested) to the unresponsive institution. If there is no response or the incident/vulnerability continues unabated for five working days after receipt of the letter, the Security Manager will refer the incident to the appropriate director for disciplinary action while maintaining interim safeguards.