Educause Security Discussion mailing list archives

Re: Role of Campus Police. Was: number of IT security staff


From: "Georgia T. Killcrece" <georgia () CERT ORG>
Date: Wed, 2 Feb 2005 19:22:39 -0500

Folks,

--On Monday, January 31, 2005 11:44 AM -0800 Steven Alexander <alexander.s () MCCD EDU> wrote:
[deleted]

It would be a good idea to contact your local law enforcement ahead of time
and find out what they want you to do when responding to a security
incident.

I've been following the threads of discussion on this list and
am encouraged to see some of the feedback and additional comments
that are being shared amongst the readership.  There has been quite a lot
of good advice/information on things to do and relationships that should
be built (before your organization finds itself in situations where
law enforcement needs to be brought into the picture).  One of
the things we talk with folks about is how critical it is (as
part of your incident response plans) to identify and build
these relationships with other campus contacts/officials and
ensure each understands the other's situation (issues, needs and requirements,
concerns, etc.).  Having that clear understanding
will go a long way to ensuring that the investigation or analysis
of events is done in the right way.  Another point I'd like to
make is that some of these discussions you have will also need to involve
the higher level management folks--to discuss approaches for
what type of path they want to follow (e.g., Is it fix the
problem and move on? Collect the evidence and prosecute? Do we
know what the threshold is? How can we find out? Who do we need
to speak to? you get the idea, I think?).  Knowing the types of
activity that an organization is interested in pursuing (or may
be legally liable and required to pursue) means finding out
some of the answers about how you approach doing some of the
analysis and data collection beforehand.

So as Steven says and adding to it...get to know what you need to know (before it happens) so you do the right thing when you start down a particular
path and to ensure that you are doing things in the right way.

Tracy Mitrano's second point is "dead on" in my opinion, and reflects
what we hear from some of the local law enforcement folks we
know and some of the FBI/USSS contacts we have interacted with in the past
(er...not in any criminal activity, but from the
standpoint of understanding how to work with them).  One of
the technical tips published by the CERT/CC a few years back was based on a
collaborative effort with the FBI. (For any who might be interested,
this is available from
<http://www.cert.org/tech_tips/FBI_investigates_crime.html> )

It seems to me that I also see more in the way
of guidance and training being available as it relates to "forensics"
(from the perspective of gathering information related to
computer security events/incidents in such a way that is done
so the information will be admissible in law enforcement
cases), and for sure talking with your local high-tech crimes teams
for FBI or Secret Service can also provide help.

Keep the dialog going!

georgia
--
Georgia Killcrece
CSIRT Development Team
CERT(R) Training and Education
CERT(R) Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890 U.S.A.

Telephone: +1-412-268-7090
Fax: +1-412-268-6989

http://www.cert.org/
http://www.cert.org/csirts/
http://www.cert.org/training/

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U.S. Department of Defense.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
