[unisog] Security Incident Handling Procedure

James H Moore jhmfa at rit.edu
Fri Mar 24 17:39:08 GMT 2006

There is a parallel discussion in the Educause Security Task Force - One of the best resources that I visited from their discussion is at:



- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information"  - Peter Presidio

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jenkins, Matthew
Sent: Thursday, March 23, 2006 5:41 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Security Incident Handling Procedure

I would be interested in seeing what you come up with.  I presented some basic steps to my director several months ago.  It was decided that we would shut down student ports if we knew their machine was infected.  However, in the end, students' parents complained, and we had to turn the ports back on.  We have since begun to better secure our student access ports utilizing protected ports and ACLs so that they do not infect each other and make the problems worse.

I would say that our number one threat was coming from viruses distributed by student access ports.  Second to that are viruses on faculty/staff workstations, which have been sparse thanks to desktop and e-mail virus and spyware/adware scanning.  I would bet that after we are done locking our student access ports and wireless access down, we will see viruses from students be much less of a threat.

We have yet to develop incident response procedures; however, I definitely think that every organization needs them.

I did a quick Google search and came across these links that may help:


I found a few security related resources on:


Matthew Jenkins
Network/Server Administrator
Fairmont State University
AOL: MLJenkinsCom  Yahoo: mljenkins  ICQ: 8116624  MSN
Visit us online at www.fairmontstate.edu
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Tim Lane
Sent: Thursday, March 23, 2006 5:17 PM
To: UNIversity Security Operations Group
Subject: [unisog] Security Incident Handling Procedure

Hi Folks,

I am developing a written procedure "IT Security Incident Handling" to be followed in the event of an incident (mainly virus outbreak or hacking event).

Just wondered if anyone has already been down this track and has some developed procedure that they might like to share???


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

P 02 6620 3290        02 6620 3033        tlane at scu.edu.au
http://www.scu.edu.au
