Educause Security Discussion mailing list archives

Incident investigation and forensic capabilities and obligations


From: "Hearn, David L." <DHearn () ADMIN FSU EDU>
Date: Thu, 2 Jun 2005 13:03:24 -0400

Hello all, 

        I am trying to get some information and feedback on the current
state of IT incident investigative and forensic capabilities within the
higher education arena. As well, I would like to find out opinions (or
authoritative information) on the obligations (whether regulatory or
legal) associated with those capabilities. 

Here's my motivation: Due to the recent upsurge of "phishing" scams, and
the aggressiveness of the RIAA and MPAA investigations and
notifications, our security team is finding itself in the position of
performing much more than its normal, "go fix the hacked box" type of
"abuse" response. 

I recently left IT security in the private sector financial industry,
where formalized and highly structured incident response, reporting and
forensic analysis and storage were SOP and not only supported, but
required for regulatory reasons. We had frequent interaction with law
enforcement, internal HR, and industry investigation and litigation
arms. Obviously, this is not the norm in public sector education. 

So ... here are some direct questions ...

1)      How formal and/or mature are your current incident response
processes? Tracking? Reporting? Remediation?
2)      How advanced are your forensic capabilities? Evidence storage? I
would love to have a full EnCase setup and the capability to image and
store large drives, but we just do not have the funding and support for
this type of operation. 
3)      Here's the tough one. What are the obligations associated with
externally initiated investigations - whether abuse report, law
enforcement or other? What is "minimum due diligence"? What is the
"expected due diligence"? Who determines capability level and
responsibility in your org? In my last position, it was the "Risk
Management Department". Obviously, it's not quite so clear in the Higher
Ed hierarchy. 
4)      Is this aspect of your security operations recognized as a
capability, responsibility and budgetary line item?


Any opinions, information or feedback would be appreciated. Also any
examples or relevant links.

Thank you for your time and consideration.

David Hearn
FSU - User Services
Assistant Director, Security and Operations
david.hearn () fsu edu
w -(850)644-2591
m -(850)528-4309
f - (850)644-8722