8. Incident handling
Where centrally-collected logs are insufficient to provide OxCERT the information necessary for an investigation, OxCERT may request a college or department to provide information from their own logs. For example, this may be system logs from a compromised server, or network and port translations from a NAT device.
Depending on the nature of the incident, OxCERT may request that the unit send their full logs for a stated time period. OxCERT will aim to specify as short a time period as is reasonably possible. Nevertheless if malicious traffic is observed on several occasions during a time period (for instance overnight), then OxCERT may request logs for the full time period as there may be more than one infected host active during that time.
Units may be concerned about providing personally-identifiable information (PII) in logs to OxCERT. Data provided to OxCERT will be handled in confidence, accessible only to members of OxCERT and for no longer than is necessary for the purposes of the investigation. Incident summary information will be stored in accordance with OxCERT's data retention policy.
Note that NAT logs will provide OxCERT with information regarding traffic from a unit's internal IP addresses, but in general will have no means of linking those to invididuals; further data would be required in order to do so. Consequently most NAT logs should not contain PII; in cases where they do then units should feel free to remove or anonymise PII before sending data to OxCERT.