Educause Security Discussion mailing list archives

Re: Procedure Question


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Sun, 21 Aug 2005 18:13:04 -0600

Dear Ms. Martin:

Do you have a formal incident response procedure in place at your
University?

I am assuming that if an "analysis" was done, that means that an
incident response team was assembled and a thorough analysis of the
hack was conducted and it was determined that only the web server
which sits in the DMZ was compromised, and the "hacker" was not able
to break the University firewall to obtain any further information
within the University system.  Is the website used to collect any
personally identifiable information from the student body or public at
large?

If you are 100% sure that the web server was the only system affected,
and the web server is separated from the rest of the University data
with a suitable firewall that shows no evidence that the attacker was
able to get any further, then your decision to notify needs to be
based on facts other than student information compromise.

Was your website defaced?  Was incorrect information displayed on the
web site for any amount of time?  Was student or public at large data
attempted to be collected by the "hacker" during the attack?  You may
want to inform the public of the hack to protect the liability of the
University for any incorrect information that was displayed on your
website at any time.  If this was a Denial of Service attack, you may
want to alert the public as to why the system was down.

However, as a certified incident handler, I would recommend that you
defer these questions to your Public Relations Department.  On our
incident teams, we always recommend having a person from Public
Relations who is specially trained on how to notify the public and
others of any attacks.

Best of luck with your issue, and let me know if I can be of any more
help.  Without knowing the technical specifics of exactly what
occurred, it is hard to give concrete advice in this situation.

Sincerely,

Sarah E Stevens
Stevens Technologies, Inc.



As a newcomer to the IT world holding an interim position for a while,
I am in need of understanding procedure for the following:



What is the requirement or responsibility of an institution when a
website has been compromised and analysis shows no compromise to
personal data? Is notification to students required or recommended?



Thank you for your direction.





Louisa Martin

Coordinator for Information Technology

St. Mary's University

San Antonio, Texas 78228

(210) 431-5005  - phone

e-mail: lavitua () stmarytx edu







