Date of Last Review 6/6/07
SME: Director of Management Information Systems
Network Incident Handling and Response Procedures
Overview
This procedure will provide incident handling and response guidelines
for the resources under the control of the UT-HCPC IT Infrastructure Owners.
The IT Infrastructure Owners provide the data processing and telecommunications
hardware, software and computer network equipment to support the operations
of the hospital. The IT Infrastructure Owners consist of the Office of
Academic Computing, Information Services and Medical School Network Operations.
The IT Infrastructure Owners will monitor all networks for unauthorized
traffic, including penetration attempts and denial of service attacks.
The IT Security department also scans the network for vulnerabilities,
viruses and network compromises.
The goals and objectives of handling incidents at UT-HCPC are to:
- Detect the incident
- Contain the incident
- Resolve the incident
- Prevent the incident from recurring
Detecting a Network Incident
“Incident” refers to an adverse event in a network, information
system, and/or workstation, or the threat of the occurrence of such an
event. An event is any observable occurrence in a system, network, and/or
workstation. Although natural disasters and other non-security rs. It
is important to inform the IT Infrastructure Owners and IT Security department
if any of these anomalies are part of your department’s normal operations.
See Notification section for those procedures.
- Network log discrepancies that are suspicious
- Unusual usage patterns (high traffic loads on the network)
Anyone other than the IT Infrastructure Owners or IT Security department
who suspects an adverse incident is taking place must contact the IT
Security department immediately.
IT Security Core Team - its.core@uth.tmc.edu
Security Office - 713-500-2227
Evaluating the Incident
The IT Infrastructure Owners will evaluate the incident that is occurring.
The criteria they will use are:
- Time of the incident
- Amount of traffic being created by the incident – There is no
specific amount of traffic that triggers notice. Infrastructure Owners
generally look for traffic patterns that are unusual for a given machine,
not at the overall amount.
- Impact of the incident on the entire network infrastructure
- The ability to contact the steward immediately (weekends, after 5:00
pm weekdays).
Containing the Network Incident
If any of the criteria listed above are deemed to present a risk to the
network, the IT Infrastructure Owners and/or IT Security personnel will
trace the activity through the network to the segment, server or workstation
that is causing the activity, and the device will be disabled from the
network immediately. For example,
- If the system impacts confidential or sensitive information, the system
will be shut down or disabled from the network immediately.
- If the incident compromises the Hospital network resources and mission
objectives, the IT Infrastructure Owners will disable the device from
the network and notify IT Security to assist in assessment.
- If a virus, worm, or cracker is actively attacking the system, the
system will be disabled from the network until suitable control of the
intrusion attempts can be ensured. This is for the protection of the
system being attacked.
Departments with a critical need to have certain resources on-line
at all times must provide a list of these machines and their function.
They must also provide the owner name, steward name, IP number, location
of the computer and names of personnel who will be available immediately,
24 hours a day, 7 days a week in the event the device is causing problems
that could impact the entire Hospital network. This information should
be provided to the IT Security Core Team - its@uth.tmc.edu
Resolving the Incident
Notification
- If the severity of the incident does not require immediate shut down,
the IT Infrastructure Owners will attempt to contact the steward of
record by phone before disabling a critical resource. If urgent paging
is available through voicemail, the steward will be paged, otherwise
a message will be left. If a pager number is available for the steward,
they will be paged. If the call is not returned within an appropriate
amount of time determined by the scope of the incident, the IT Infrastructure
Owners will disable the server or workstation that is causing network
problems.
- Once a resource has been disabled, the IT Infrastructure Owners will
contact both the IT Security department and the steward of record via
phone message or email notifying them of the network incident.
- It is the responsibility of the steward of record who was notified
of the network problem to contact the appropriate department personnel
in their area.
If any department wishes to be contacted directly by
the IT Infrastructure Owners or IT Security department, they must submit
the names, phone numbers, pager numbers, and email addresses of the
personnel they would like to be contacted. Send these requests to the
IT Security Core Team - its@uth.tmc.edu
Determine the Scope and Impact of the Incident
The IT Infrastructure Owners and IT Security department will determine
the scope and impact of the incident.
Solve the Problem
Once the problem has been identified, the cause must be addressed.
- If it is determined that the incident is occurring on a network
device – the IT Infrastructure Owners and IT Security department
will work together to solve the problem.
- If it is determined that the incident is occurring on a host
device – the IT Infrastructure Owners and/or IT Security department
will notify the steward of the host to solve the problem. See Host
Incident Response Procedures.
Preventing the Incident from Recurring
Reporting
- The IT Security department will track the incident, its resolution
and follow-up to ensure the security measure remains effective.
- Depending on the seriousness of the incident, the IT Security department
may report the incident and its resolution to the Executive Council
and/or the State of Texas Department of Information Resources (DIR).
Sanctions
- If the incident was caused by carelessness of an employee, student
or “guest,” the event documentation will be provided to
the dean, direct supervisor, guest sponsor and/or vendor contract manager.
- If the incident was caused by an employee’s or student’s
negligence and willful disregard for UT-HCPC policies and procedures,
the event documentation will be provided to the dean, direct supervisor,
department chairman, Human Resources, Legal and Audit Services. The
employee or student will be sanctioned according to the severity of
the security violation in accordance with the General Standards of Conduct
and Disciplinary Actions posted in the Handbook of Operating Procedures
(HOOP). Security violations may result in termination or expulsion.
- If the incident was caused by a “guest’s” negligence
and willful disregard for UT-HCPC policies and procedures, the event
documentation will be provided to the contract manager, Legal and Audit
Services. Security violations may result in revocation of the contract.
Post Incident Process
- Based on the impact of the incident, the IT Security department may
set up a “post-mortem” meeting to include the IT Security
Core Team and key members who played a significant role in responding
to the incident.
- In an effort to learn from the incident and apply the lessons to future
incident responses, documentation will be prepared. The incident will
be classified into one of the following categories:
  - Malicious code attack
  - Unauthorized access
  - Unauthorized use
  - Disruption or denial of service
- The results of the meeting should answer the following questions:
  - What went right?
  - Where could the process be improved?
  - Should any policy or procedure change?
  - Should network or computer system changes be recommended?
- A summary report will be prepared and included in the IT Security
department incident reporting database.
Related standards
The Joint Commission: Management of Information