Sources of Incident Reports
- Email to abuse@rutgers.edu
- Results of network log analysis
- Results of network vulnerability scans
- Telephone reports
- In-person reports
Actionable Incidents
- The Rutgers University CIRT handles incidents in which a Rutgers host (or user) causes computer or network problems. More specifically, this includes:
  - Reports from departmental staff of attacks on their computers and subnets (experimental).
Issue Escalation and Overdue Tickets
- The IPS - Abuse - Incidents queue is normal priority. After 5 business days (generally 1 calendar week), the Administrative Contact is notified that the ticket is overdue, and the ticket enters the IPS - Abuse - Incidents - Escalated queue. After 5 more business days, a request is sent to the Network Operations Center to block the host. A ticket can also be escalated if more than 5 reports are received for the same host.
- The IPS - Abuse - Incidents - Critical queue is critical priority. After 1 business day, the Administrative Contact is notified that the ticket is overdue. After 1 more business day, a request is sent to the Network Operations Center to block the host. The Director of Information Protection is routinely notified of incidents in the IPS - Abuse - Incidents - Critical queue. A ticket is entered in the IPS - Abuse - Incidents - Critical queue if the host is on the critical hosts list (GLBA, PCI and SEVIS compliance responsibilities) or if exposure of Non-Public Personal Information is involved in the incident.
Record Retention
- Two years for email to the Rutgers University Computing Incident Response Team (RU CIRT).
- Two years for hardcopy files related to computer incidents.
Note: HDRT tickets are retained for two years for statistical purposes. They contain summary information such as incident type, IP address, department, and network liaison. Tickets may contain copies of email messages and comments about incidents.