9. Incident Handling

Responsibility for network security within the University lies with the Oxford University Computer Emergency Response Team (OxCERT). Based within the Networks and Telecommunications Group at OUCS, the team exists primarily to ensure the security of the University backbone network. Specifically, security incidents are handled centrally by OxCERT, and it is the University's policy to ensure that any compromised hosts are blocked from accessing the network until such time as they are no longer considered a threat by OxCERT.

OxCERT are responsible for identifying compromised or potentially compromised systems within the University network, and for taking appropriate measures to prevent malicious network traffic from such systems traversing the backbone network. OxCERT are also responsible for liaising with local IT staff to ensure that security incidents are dealt with promptly, and that compromised systems are fully cleaned and patched against known vulnerabilities before being reconnected to the network. Responsibility for blocking machines on the local network, and for the subsequent cleanup process, is devolved to the local unit.

OxCERT are responsible for providing guidance on incident handling, which can be found at http://www.oucs.ox.ac.uk/network/security/incidents.xml.ID=intro. Individual units are responsible for responding to security incidents in a timely manner, for following the advice and guidance given by OxCERT, and for ensuring that incidents are dealt with to the satisfaction of OxCERT.

Where OxCERT cannot impose a block on individual machines (e.g. those behind NAT devices), units are expected to respond within 4 working hours. Failure to respond in such circumstances may lead to appropriate blocks being placed on the NAT device in order to protect the integrity of the backbone network and users' information.

Units should ensure they have sufficient contingency plans in place for dealing with security incidents. Appropriate procedures should be in place to ensure that information security events are reported through appropriate channels as quickly as possible. All employees, contractors and third party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services. Breaches of security, such as system compromises and unauthorised access to data, should be reported to OxCERT.

Responsibilities and procedures should be established to ensure that security incidents are dealt with in a timely manner. This includes isolation of any system that is compromised and suspension of access for any person who may be responsible for misuse. Where possible, units should nominate at least two people who can be contacted by OUCS if action is required because of a network failure, system compromise, etc., and should provide a standard IT contact email address to which information, notices, etc. can be sent by OUCS. Where it is not possible to have two people available, alternative contacts who can take responsibility for the unit's ICT systems should be provided. For all units, contingency plans should be in place to cover absence of the primary contact. Units should be able to respond to email or phone requests within 4 working hours.

Procedures should be in place to ensure that the necessary documentation is made available to OUCS if it is required to investigate a network or other failure, or any compromise within the unit that impacts on other parts of the University. Any abusive or malicious network traffic should be easily traceable to a specific device and, where appropriate, to a specific user. The source of any such traffic should be isolated from the network. OxCERT are responsible for providing guidance on the appropriate levels of logging required.

Individual units are responsible for keeping, maintaining and testing the appropriate levels of logging. Units should be able to trace and isolate the source of any activity identified by OxCERT on request, and are expected to respond within 4 working hours. Where a response is not received within the specified time frame, OxCERT may take appropriate action (including the possibility of blocking access to NAT devices, etc.) in order to protect the integrity of the backbone network. Guidance on the levels of logging required can be found at http://www.oucs.ox.ac.uk/network/security/logging.xml.ID=logging.

Mechanisms should be in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. OUCS maintain a register of security incidents relating to the backbone network, which is available for audit and summarised in regular reports to the PRAC ICT sub-committee. The PRAC ICT sub-committee is responsible for receiving reports on breaches of security.

When dealing with incidents involving potentially illegal material, the following guidelines should be observed: http://www.ict.ox.ac.uk/oxford/rules/soaguidelines.xml. Where it is necessary to collect evidence, procedures should be in place to ensure that it is collected, retained and presented in conformance with the relevant rules of evidence. Expert guidance should be sought and will be provided under the authority of the PRAC ICT sub-committee.

For further guidance please see the following:
