Educause Security Discussion mailing list archives

Mandating format/reinstall after compromise


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 8 Sep 2004 13:05:53 -0400

We're wrestling with supporting a format/re-install
process for compromised computers and would appreciate
some input. We're especially interested in the ways
you handle student computers.

How many of you *require* a computer be reformatted and
reinstalled after a compromise?

Does a computer running malware that includes an IRCBOT
or remote control trojan meet your definition of a
compromise requiring a reformat/re-install? Do you have
to have proof that it was taken advantage of or is its
mere existence sufficient?

Do you do the format/reinstall yourself? If not, how do
you check for compliance with this policy?

Who is responsible for backups before the format
process?

What do you do if the student does not have recovery
media? (OS, applications, backup capability, etc.)

Do you alter the affected computer's network connectivity
until the format/reinstall is done? Do you disconnect
entirely or just reduce connectivity? What is the process
to regain full connectivity?

Are any of you in a situation where you've "sublet" a portion
of your network (connectivity, topology, and IP address space)
to a third party contractor providing connectivity to
off-campus students? How does this affect your policies?

thanks,

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.