From: Dean Williams <dean.williams@uvm.edu>

Date: April 4, 2006 4:31:06 PM EDT (CA)

To: Dean Williams <djw@uvm.edu>, David Todd <David.Todd@uvm.edu>, "Jonathan L. Trigaux" <Jonathan.Trigaux@uvm.edu>, Stefanie Ploof <sbp@zoo.uvm.edu>, Jerry Thornton <jft@zoo.uvm.edu>, Randy Spooner <rgs@zoo.uvm.edu>, Keith Kennedy <kdk@zoo.uvm.edu>, Lynne Meeks <lzm@zoo.uvm.edu>, Bess Oland <bess.oland@uvm.edu>, Mike Austin <mga@zoo.uvm.edu>

Subject: Re: Incident Response Team


Thank you for attending and participating in this morning's incident response meeting.  We didn't get very far into the agenda, but we had some good discussions, laying a foundation for what's ahead.  Here are some notes I took; please add or correct based on your recollection.  We covered a lot of ground, and it's entirely possible that I haven't accurately captured what we decided to do.


David envisions a high-level, multidisciplinary team:


    - Functions:

        -- Security design and implementation (strategic)

        -- Incident response (tactical)


    - Including

        -- Legal

        -- Auditor/risk assessment

        -- Distributed and central IT people

        -- [djw: Communications, executives, the UVM non-IT incident response team, police, HR]


    - Proactive efforts

        -- Risk assessment, e.g., which servers have private data

        -- Workstation configuration

        -- Updating, hardening hosts and servers


Discussions:


    - Two teams are needed


        -- Strategic, proactive security team

            --- "Information Security Group"?

            --- Mainly proactive efforts

            --- Risk assessment

            --- Design

            --- Education

            --- Policy

            --- Monitoring


        -- Incident response

            --- "Incident Response Team"?

            --- Mainly reactive, but feeds process and practice improvement

            --- Coordination

            --- Record keeping

            --- Delegation

            --- Remediation

            --- Response and reporting (internal and external)

            --- Learning from incidents


    - Which units and which people should be represented


        -- Both teams:

            --- People with IT responsibilities

            --- CIT people

            --- Management

            --- non-IT people as needed


        -- Information Security Group *

            --- Legal

            --- Sysadmins or IT managers


        -- Incident Response Team

            --- Legal when needed

            --- Police when needed

            --- Communications when needed

            --- HR when needed


    - How the teams overlap


    - Role of the CISO?


    - How to get started

        -- Research best practices and other schools' experiences

        -- Presentations to potential members and collaborators

            --- e.g., IT pizza lunch, executive briefings



* Information Security Group potential members (David will invite to next meeting) -- many names were mentioned:


 - Those invited today (David, Jonathan, Stefanie, Jerry, Randy, Keith, Lynne, Bess, Mike, Dean)


 - Units with servers or a big stake in securing information:


    DAR,                  Darwin Thompson

    AFS,                  Geetha Ramanathan

    Bookstore,            Jay M.

    Athletics,            ________

    BSAD,                 Nicole Chittenden

    CEMS,                 Tim Raymond

    COM,                  Mike Caputo

    CESS,                 Laurie Gelles?

    CAS,                  Andrew Hendrickson

    CatCard,              Mark McKenna

    Libraries,            Paul Philbin

    Ctr Hlth Wellbeing,   Geoff Duke


 - Offices involved with policy, law, risk, compliance, enforcement, and image:


    General Counsel,       Tom Mercurio

    Audit/Risk Assessment, Chuck Jefferis

    Communications,        Enrique Corredera

    Police,                Gary Margolis


  - Members or leader of University incident response group? (Bill Ballard?)


The initial working group for developing the protocols for compromised workstations (Dean to convene):


  - Tim R.

  - COM (ask Mike Caputo)

  - CAS (ask Andrew Hendrickson)

  - BSAD (ask Nicole Chittenden)

  - CEMS (ask Tim Raymond)

  - ResLife?

  - Mike A.

  - Lynne M.

  - Randy S.

  - Stefanie P.

  - Jonathan T.

  - Sharon P. or John St. L.

  - Dean



Elements we'll need moving ahead:


    - List of campus or 132.198 servers


    - Statistics

        -- number of incidents

        -- time spent


    - Checklists for responders, sysadmins, clients

        -- Highlight the top 2-3 actions

        -- Forensics


Action items:


 - Everyone: Read whatever you can from material Stefanie found; please contribute more.


 - David: Invite appropriate people to April 21 meeting


          (How about pretending that the names, SSNs, and case details of all students treated this year at the Center for Health and Wellbeing have just been posted on a former employee's Yahoo site?)


 - Dean: Invite people for compromised workstation group; develop processes


We'll need to talk more about preparing for the April 21 meeting.  It could be a big group, and their interests and awareness are quite varied.   We haven't yet laid out a very clear road map for getting from here to the point where the teams are in place and functional, but we do seem to have a shared vision now.


Thanks again, everyone.


-Dean


On Apr 4, 2006, at 8:44 AM, Dean Williams wrote:


I've updated the proposed agenda for this morning's meeting about compromised workstations.  If you're involved with situations like that, I hope to see you there.  Thanks.



-Dean



The following Meeting has been modified:

Proposed by: Williams, Dean

Creator: Williams, Dean

Access level: Normal

Importance level: Normal


The following instances have been modified:

Subject: Incident Response Team

Tue., Apr. 4, 2006

Time: 09:00 to 10:30 (EST5EDT)

Location: Waterman 238 Conf Room


Subject: Incident Response Team

Fri., Apr. 21, 2006

Time: 14:30 to 16:00 (EST5EDT)

Location: Waterman 238 Conf Room


Details:



Agenda for April 4: Compromised Workstations


 - Who needs to be involved today versus next meeting?


 - Define the problem:

  -- What situations are we concerned with today?

   --- Workstation viruses, worms, trojans

   --- Mainly Windows, some MacOS

   --- With impact beyond the individual computer


 - Current processes (What parts of the process are working; what aspects need revision or refinement?)

  -- Where does notification come from?

  -- Who currently receives notification?

  -- What happens next?


 - What has changed since we worked out the current process?

  -- New tools like NetReg


 - Defining the New Process

  -- How do we find out?

  -- Who starts the process?

  -- Who coordinates the process?

  -- How do we log our work?

  -- Classification of issues

   --- Impact, urgency

  -- What needs to happen for each type of issue?

  -- Closure



----------------------------------------------------------------------



Agenda for April 21: Forming the Incident Response Team


Beyond compromised workstations, how should we most effectively and efficiently respond to the whole range of network, host, and workstation incidents?


 - What incidents might happen, and how do we classify them?

 - Do we include incidents where technology is not the direct cause, e.g., crime data on Google, privacy violations, inadvertent disclosures?

 - Good models from other schools, best practices?

 - Who has the expertise needed to handle each type of incident?

 - What types of incidents require help beyond CIT?  (technical, legal, PR, policy, investigation, law enforcement, judicial)

 - Who responds first?  Is there a central point of contact to report an incident?

 - Is there one team, or several?

 - How are efforts coordinated? How does communication occur?

 - Process and protocols