Educause Security Discussion mailing list archives
Re: Procedure Question
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Sun, 21 Aug 2005 18:13:04 -0600
Dear Ms. Martin:

Do you have a formal incident response procedure in place at your University? I am assuming that if an "analysis" was done, that means that an incident response team was assembled and a thorough analysis of the hack was conducted and it was determined that only the web server which sits in the DMZ was compromised, and the "hacker" was not able to break the University firewall to obtain any further information within the University system.

Is the website used to collect any personally identifiable information from the student body or public at large? If you are 100% sure that the web server was the only system affected, and the web server is separated from the rest of the University data with a suitable firewall that shows no evidence that the attacker was able to get any further, then your decision to notify needs to be based on facts other than student information compromise.

Was your website defaced? Was incorrect information displayed on the web site for any amount of time? Was student or public at large data attempted to be collected by the "hacker" during the attack?

You may want to inform the public of the hack to protect the liability of the University for any incorrect information that was displayed on your website at any time. If this was a Denial of Service attack, you may want to alert the public as to why the system was down.

However, as a certified incident handler, I would recommend that you defer these questions to your Public Relations Department. On our incident teams, we always recommend having a person from Public Relations who is specially trained on how to notify the public and others of any attacks.

Best of luck with your issue, and let me know if I can be of any more help. Without knowing the technical specifics of exactly what occurred, it is hard to give concrete advice in this situation.

Sincerely,
Sarah E Stevens
Stevens Technologies, Inc.

As a newcomer to the IT world holding an interim position for a while, I am in need of understanding procedure for the following:

What is the requirement or responsibility of an institution when a website has been compromised and analysis shows no compromise to personal data? Is notification to students required or recommended?

Thank you for your direction.

Louisa Martin
Coordinator for Information Technology
St. Mary's University
San Antonio, Texas 78228
(210) 431-5005 - phone
e-mail: lavitua () stmarytx edu