Purpose
Central campus network and security personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources or the Internet. If a threat is deemed severe enough, the computer(s) posing the threat will be blocked from network access. In addition, the Information Security Office (ISO) is responsible for enforcing the campus Minimum Security Standards for Networked Devices (MSSND) and Minimum Security Standards for Electronic Information (MSSEI) and may, based on the level of risk, block hosts found to be out-of-compliance. These guidelines specify how the decision to block is made, followed by the procedures involved.
These guidelines and procedures were developed in compliance with the UC Electronic Communications Policy.
Guidelines
Central campus security personnel have the authority to evaluate the seriousness and immediacy of any threat to campus information system resources or the Internet and to take action to mitigate that threat. Action that is taken will be responsible and prudent based on the risk associated with that threat and the potential negative impact to the campus mission caused by making the offending system inaccessible. Based on these criteria, threat risks will be assigned to one of three categories: urgent security threat, urgent out-of-compliance, and non-urgent threat. Examples of threats in each category include, but are not limited to:
Urgent Security Threat
- The level of network activity is sufficiently large as to cause serious degradation in the performance of the network
- An attack on another computer or network has been launched
- Confidential, private or proprietary electronic information or communications are being collected by unauthorized parties
- System administrative privilege has been gained by an unauthorized party
- Any threat exposing the university to serious legal or financial liability
Urgent Out-of-Compliance
- Critical network-facing vulnerabilities in systems containing Protection Level P4 data
- Vulnerabilities and issues deemed critical to the mission of the campus, or representing substantial financial, reputational, or administrative risk, as determined by the Information Security Office. These issues will be announced to the campus IT community via the ucb-security mailing list and the ISO Security Alerts page; or via more targeted outreach if those impacted are known.
Non-Urgent Threat
- Host is receiving or listening for commands from an unauthorized party
- Host is observed downloading malware code or other suspicious traffic
- User (non-administrative) access is gained by an unauthorized party
- Violations of the campus MSSND or MSSEI that don't meet the above "urgent" criteria
Any risks associated with systems identified in the Socreg application as containing protected data will be escalated and may be handled individually outside of these guidelines depending on the level of risk.
Procedures
In all cases, the central campus security personnel will work with the departmental Security Contact(s) and/or the system administrator(s) to ensure that the system is properly re-secured. If a block has been put in place it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.
Urgent Security Threat
The offending system will be blocked immediately from the campus network and the departmental Security Contact(s) will be notified via email that the block has occurred.
Urgent Out-of-Compliance
Notification of the vulnerability will be sent to the departmental Security Contact(s) via email. If a response is not received within two (2) days indicating that the department is taking action to bring the system into compliance, a second "courtesy" notice will be sent to the departmental Security Contact(s). The offending system will be blocked within two (2) days of the second notice unless a response is received indicating that the machine is being brought into compliance. If the system cannot be brought into compliance within this timeline, the departmental Security Contact and/or system administrator must request an exception to the Minimum Security Standards to avoid blocking.
Non-Urgent Threat
Notification of the threat/vulnerability will be sent to the departmental Security Contact(s) via email. If a response is not received within five (5) days indicating that the department is taking action to mitigate the threat (or bring the system into compliance, in the case of non-compliance with Minimum Security Standards), a second "courtesy" notice will be sent to the departmental Security Contact(s). The offending system will be blocked within two (2) days of the second notice unless a response is received indicating how the threat will be mitigated (or that the machine is in compliance).
If a non-compliant system cannot be brought into compliance within this timeline, the departmental Security Contact and/or system administrator must file an exception to the Minimum Security Standards to avoid blocking.
If additional information indicating an urgent security threat is collected during this period, the issue will be escalated and the offending system will be blocked immediately.
Recourse
If a department believes that a computer has been inappropriately blocked, it may request a review of the decision by the Chief Information Officer. If, after the review, there is still a disagreement with the decision, it may be further reviewed by the Executive Vice Chancellor and Provost.
Rev. May 2024