1. Each campus unit will designate a representative to coordinate with the Information Security Directorate. The Directorate will assist and give guidance on what preventative measures are needed and how they can be implemented, and will review campus unit security plans and the controls in place regularly (annually), in cooperation with OIT and Internal Auditing.
2. Campus unit administrators will be required to approve the controls in place within their schools and to perform a risk analysis.
3. Campus units will develop a business continuity plan that incorporates resources available through other campus units and internal to their own.
4. A school communications network (a listserv) is established that links the different technical representatives (CSR/CSS) to alert them to current security threats. Campus units will be required to have one or more designated representatives subscribed to it. Currently, csr@gatech.edu serves this purpose.
5. Campus unit managers will be required to review with their staff, at least annually, the business continuity/disaster recovery plans and incident response procedures.
6. Access points to systems will be limited and monitored by the CSR/CSS using available tools from OIT and through coordination with OIT.
7. Users will be required to take responsibility for their own actions that may affect system security by following the practices on our system administration suggestions page and by reporting suspicious system behavior, as defined by the local CSS/CSR or by OIT where applicable.
8. Campus units will establish a short curriculum that informs employees of the actions required during a possible security incident. To protect against intrusion, the campus unit CSR/CSS will not only analyze the systems to make unauthorized access as difficult as possible, but will also develop an information systems continuity plan that supplements the campus unit's business continuity plan.
OIT will be responsible for an ongoing assessment of the Institute's technology infrastructure to make sure that campus units are in a position to comply. OIT will provide assistance to smaller units without the technical expertise to support this undertaking.
1. No software, regardless of its source, may be loaded on Georgia Tech workstations connected to Georgia Tech LANs without prior approval from campus unit management.
2. All software introduced into the Institute's Mac/PC/LAN computing environment must be known to be virus-free.
3. Software not distributed by OIT must be certified virus-free by the local CSS/CSR before it is loaded onto a workstation or LAN.
4. Software distributed from any Georgia Tech Mac/PC/LAN computing environment to another Georgia Tech organization or customer must be known to be virus-free.
5. Virus detection software will be used on all Mac/PC/LAN equipment, including Georgia Tech-owned portable equipment used by Georgia Tech personnel. System administrators, CSSs and CSRs will provide users with a list of virus detection software approved for Georgia Tech use.
6. If symptoms of a virus appear, the system user should contact the campus unit CSS, CSR or system administrator immediately and isolate all diskettes and other media that have been recently used on that computer. Do not, under any circumstances, allow the isolated program or data media to be used on another computer. (See the incident response procedures in X.X.X.)
7. Campus unit managers are responsible for ensuring that their employees comply with this standard.
Detection:
The appointed contact with OIT will be responsible for ensuring that the unit employs an intrusion detection system. Regardless of the mechanism it is based on, the intrusion detection system must meet the following requirements:
1. It must run continually without human supervision. The system must be reliable enough to run in the background of the system being observed.
2. It must be fault tolerant: it must survive a system crash without having to rebuild its knowledge base at restart. It must not degrade system performance to an unusable level; a system that slows a computer to a crawl will not be used.
3. It must detect deviations from normal behavior and adapt to the system in question. Every system has a different usage pattern, and the defense mechanism must adapt readily to those patterns. It must also cope with system behavior that changes over time as new applications are added: the system profile will change, and the IDS must be able to adapt with it.
An incident can be defined as one of the following:
A. Computer Theft.
Use of a computer or computer network with knowledge that such use is without authorization and may cause: taking or appropriating any property of another, whether or not with the intention of depriving the owner of possession; obtaining property by any deceitful means or artful practice; or converting property to such person's use in violation of an agreement or other known legal obligation to make a specified application or disposition of such property.
B. Computer Trespass.
Use of a computer or computer network with knowledge that such use is without authorization and may cause: deleting or in any way removing, either temporarily or permanently, any computer program or data from a computer or computer network; obstructing, interrupting, or in any way interfering with the use of a computer program or data; or altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists.
C. Computer Password Disclosure.
Disclosure of a number, code, password, or other means of access to a computer or computer network knowing that such disclosure is without authority and which results in damages (including the fair market value of any services used and victim expenditure) to the owner of the computer or computer network.
· Red (Critical) This level of incident requires intervention by OIT (e.g., DDoS). It is an incident that extends beyond the borders of the local hardware or software system, or any incident that requires interaction with entities external to Georgia Tech.
· Yellow (Significant) This level of incident is localized to a campus unit and does not extend beyond the borders of the local hardware or software systems. Assistance from OIT or other expert resources may be required but is at the discretion of the CSR or CSS. It will be reported to OIT.
· Green (Minor) This level of incident is localized to a campus unit and does not extend beyond the borders of the local hardware or software systems. It also does not present an immediate threat to hardware or software systems external to the campus unit or GT. It will be reported to OIT for statistical purposes.
Intro: This section addresses the actions to be taken once a CSR, CSS or system administrator has been notified of, or has discovered, a possible attack. The administrator must notify the Information Security Directorate (security@gatech.edu) for all levels of incident; every incident is reported, at a minimum for statistical purposes.
1. Assess the severity of the compromise.
· Determine the level of the incident: Red, Yellow or Green. If damage is being inflicted on other systems (e.g., a denial of service attack or corruption of data), a web page has been defaced, or a root compromise is known, the compromise is critical (Red): notify security@gatech.edu and disconnect the system from the network.
2. Make a backup of the system. This step takes a "snapshot" of the system as it is, so that the attacker has no opportunity to remove evidence of their activity before it is examined.
3. Check for intrusion. To determine whether the intruder left any programs or files on the system, run a virus scanner, a vulnerability scanner, or the intrusion detection tools provided by OIT. If any programs or files are found, check their ownership. Files owned by the root account (or by another root-privileged account) may indicate a critical compromise.
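The three steps above, as an added triage script that is not part of the original procedure. It assumes the findings from step 3 have been collected into an inventory file of suspicious files, one per line as "owner<TAB>mtime<TAB>path" (the kind of listing GNU find produces with -printf); the sample inventory, the Yellow/Green split for findings that are not root-owned, and the function names are all this example's own choices. The snapshot function hashes the archive it makes so that later tampering with the evidence copy can be detected, which the procedure implies but does not spell out.

```shell
#!/bin/sh
# Added example for the incident response steps above (not the policy's own
# tooling). Assumed inventory format, one suspicious file per line:
#   owner<TAB>mtime<TAB>path
# On a live system such a list could be produced with, for example:
#   find / -xdev -newermt "-2 days" -printf '%u\t%TY-%Tm-%Td\t%p\n'
# The inventory used at the bottom is constructed, not from a real incident.

# Step 2: preserve evidence. Archive directory $1 into $2 and print the
# SHA-256 of the archive; keep that hash with the case notes so the copy can
# be shown to be unmodified later.
snapshot() {
    tar -C "$1" -cf "$2" . || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$2"
    else
        shasum -a 256 "$2"
    fi
}

# Step 3: print the paths in inventory file $1 that are owned by root.
root_owned() {
    awk -F'\t' '$1 == "root" { print $3 }' "$1"
}

# Step 1 applied to the findings: root-owned suspicious files are treated as
# a critical (Red) compromise, as step 3 says. Mapping other findings to
# Yellow and an empty inventory to Green is an assumption of this example.
classify() {
    if [ -n "$(root_owned "$1")" ]; then
        echo Red
    elif grep -q . "$1"; then
        echo Yellow
    else
        echo Green
    fi
}

# Constructed sample inventory (hypothetical paths and owners).
inv=$(mktemp)
printf 'alice\t2024-01-15\t/home/alice/notes.txt\n' > "$inv"
printf 'root\t2024-01-15\t/tmp/.cache/sshd\n' >> "$inv"
printf 'root\t2024-01-14\t/usr/local/bin/ls\n' >> "$inv"

level=$(classify "$inv")
echo "incident level: $level"
if [ "$level" = Red ]; then
    echo "critical: disconnect the host from the network, then report to security@gatech.edu"
    echo "root-owned suspicious files:"
    root_owned "$inv"
fi
rm -f "$inv"
```

Run as an unprivileged user the script only reads the inventory; on a real host the inventory and the snapshot would be taken from a system that has already been isolated per step 1, and the archive written to removable or remote storage rather than to the compromised disk.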