Educause Security Discussion mailing list archives
Incident investigation and forensic capabilities and obligations
From: "Hearn, David L." <DHearn () ADMIN FSU EDU>
Date: Thu, 2 Jun 2005 13:03:24 -0400
Hello all,

I am trying to get some information and feedback on the current state of IT incident investigative and forensic capabilities within the higher education arena. As well, I would like to find out opinions (or authoritative information) on the obligations (whether regulatory or legal) associated with those capabilities.

Here's my motivation: Due to the recent upsurge of "phishing" scams, and the aggressiveness of the RIAA and MPAA investigations and notifications, our security team is finding itself in the position of performing much more than its normal "go fix the hacked box" type of "abuse" response. I recently left IT security in the private sector financial industry, where formalized and highly structured incident response, reporting, and forensic analysis and storage were SOP and not only supported, but required for regulatory reasons. We had frequent interaction with law enforcement, internal HR, and industry investigation and litigation arms. Obviously, this is not the norm in public sector education.

So ... here are some direct questions ...

1) How formal and/or mature are your current incident response processes? Tracking? Reporting? Remediation?

2) How advanced are your forensic capabilities? Evidence storage? I would love to have a full EnCase setup and the capability to image and store large drives, but we just do not have the funding and support for this type of operation.

3) Here's the tough one. What are the obligations associated with externally initiated investigations - whether abuse report, law enforcement or other? What is "minimum due diligence"? What is the "expected due diligence"? Who determines capability level and responsibility in your org? In my last position, it was the "Risk Management Department". Obviously, it's not quite so clear in the Higher Ed hierarchy.

4) Is this aspect of your security operations recognized as a capability, responsibility and budgetary line item?
Any opinions, information or feedback would be appreciated. Also any examples or relevant links. Thank you for your time and consideration.

David Hearn
FSU - User Services
Assistant Director, Security and Operations
david.hearn () fsu edu
w - (850)644-2591
m - (850)528-4309
f - (850)644-8722