Created January 21, 2007
A. General. As soon as a network or computer threat is discovered, University of Idaho network and security personnel must take immediate action to mitigate any such threat that poses a risk to campus information system resources or the Internet. If the threat is deemed serious enough, the computer(s) posing the threat will be blocked from network access. This policy specifies the process for responding to a threat to campus information system resources or the Internet.
B. Process. Information Technology Services (ITS) network and security personnel have the authority to evaluate the seriousness and immediacy of any threat to campus information system resources or the Internet and to take appropriate action to mitigate that threat. Action that is taken shall be commensurate with the risk associated with the threat and with the potential negative impact to the University of Idaho caused by blocking the offending computer(s) and making them inaccessible.
Examples of threats to which this policy applies include but are not limited to:
(1) Theft of hardware containing sensitive or personally identifiable information;
(2) Network activity at a level large enough to cause serious degradation in the performance of the network;
(3) System administrative privilege has been acquired by an unauthorized person;
(4) An attack on another computer or network has been launched;
(5) Confidential, private or proprietary electronic information or communications are being collected;
(6) Continued complaints have been received regarding inappropriate activity and no response has been received from the departmental contact regarding the incident.
(1) If the threat is immediate, the offending networked device(s) will be blocked immediately and notification will be sent via email to the college/division security contact(s) and the device owner/primary user (if available as registered in NMS), alerting them that the block has occurred.
(2) If the threat is not immediate, notification of the threat will be sent to the college/division security contact(s) and the primary user via email. If a response is not received within 4 hours indicating that the department is taking action to mitigate the threat, the offending networked device(s) will then be blocked.
(3) In either case, ITS personnel will work with the college/division security contact(s) and/or the primary user to complete an "IT Security Incident Report."
(4) If a block has been put in place, it will be removed when either the college/division security contact(s) or the primary user reports to ITS (Abuse Email) describing the action(s) that were taken to mitigate the threat and confirming that the threat has been mitigated.
(5) ITS will determine if the action taken at the college/division level is sufficient to safeguard the security of the University network. If ITS determines that additional measures are needed, ITS may require that further actions be taken, at college/division expense. Such action may be required either prior to or after removing any block.
(6) ITS will require an after-action report from the college/division, stating how the college/division will prevent similar threats in the future. If ITS determines that additional measures are needed, ITS may require that further actions be taken at college/division expense.
D. Review. These standards and all exceptions are to be reviewed at least annually by Information Technology Services, in consultation with other appropriate campus computing representatives.
E. Compliance. ITS will advise appropriate college/division management and the office of Risk Management of any non-compliance with this policy. The college/division management shall be responsible for following up with any non-compliance and shall initiate disciplinary action for such non-compliance, where appropriate.