information security: quarantine procedures
NAVIGATE
Students
Faculty
Staff
ITS Home
About ITS
Current Projects
IT Governance
Operational Excellence
help.case.edu Home
Information Security
ITS and University Policy
Help Desk
InfoSec Blog

III-3a Case Quarantine Procedures and Return to Service Fees

Overview

Version 1.1
Last Revision Date: March 16, 2012
Approval Date: November 3, 2007
Approval Authority:  Case Chief Information Security Officer

Purpose

The Case Quarantine Process is defined to inform and instruct network and help desk users in the use of the Quarantine Network in network-based security problem mitigation.

Scope

This policy applies to all information technology systems that use the Case network infrastructure.

Cancellation

Not applicable.

Procedure Statement

General

All hosts (personal computers, servers, printers, etc.) on Case networks are required to be registered in accordance with the II-3 Network Management Policy.  When Case ITS staff detect anomalous network activity related to specific hosts on the network, the host in question can be placed in Quarantine Network which provides reduced network communication to the host.  This network prevents spread of attacks and malware while permitting end users to communicate with network-based anti-virus and software update services.

The operational model is to place hosts in the quarantine network, notify the end users or their responsible administrators, investigate the root cause, resolve the root cause and potential user practices, and return the host to full network services.

Procedure

  1. When a host exhibits anomalous network behavior which in the judgment of the ITS staff  constitutes an unacceptable risk to the  Case IT infrastructure and university computing environments, it may be placed into the Quarantine Network either manually or by automated means.
  2. When a host is quarantined, an automatic notification is sent to the Case Help Desk concerning the host.  The Case Help Desk will create a tracking ticket and attempt to contact the registered owner of the host via phone calls (to the number listed in the Case LDAP) and email to the owner's case.edu email address.  The Case Help Desk will attempt to contact the owner. Once placed in the Quarantine Network the host's user will see the Quarantine Page for all web traffic (due to traffic redirection).  When the owner responds to the Help Desk, then the owner is assisted in problem investigation and remediation.
  3. Upon successful remediation, the Case Help Desk will move the host from the Quarantine Network back to the production network.  The tracking ticket will be closed out.
  4. If a quarantined host owner does not respond to the Case Help Desk within 30 calendar days of the original quarantine date, the host will have its network registration removed (registration disabled).  When the host is disabled, the Quarantine Network changes will be removed and the network faceplate will be restored to the production network.  The tracking ticket will be moved to a different work queue.
  5. To restore network services to a registration-disabled host, the host shall be brought to a Case Help Desk walk-in center where it will undergo a full remediation by the Help Desk staff.  Once the Help Desk staff have determined that the root cause of the original quarantine event have been understood, and the owner is given corrective actions (up to a full system rebuild and secured configuration).  A system baseline audit will be performed to assure the host is in compliance with the Case minimum standards for networked operation.  The owner shall then pay a network restoration fee of $100.00, and the Help Desk will submit the tracking ticket to the Case ITS staff to restore the network service for the host in question.

Responsibility

Case End Users:  When a registered host is quarantined, contact the Case Help Desk.  The Help Desk staff will assist the user in steps to self-assess and correct the security issues.

Case ITS Staff:  Monitor the network for potentially malicious activity.  Use established procedures and protocols to move hosts into quarantine pro-actively to prevent propagation of infections.  Case ITS staff also will perform host registration disable and re-enable tasks.  Maintain documented procedures with the Case Help Desk.

Case Help Desk:  Contact End Users (as listed in the host registration information) when notified of a quarantine.  Notify Case ITS Staff of a host that has been quarantined for more than 30 days without response from the End User.

Definitions

host:  Any network capable device utilizing network services.  A host can be a personal computer, a networkable appliance, server resources, printers, scanners, copiers.

network faceplate:  The primary network interface for Case users.  Many network faceplates have fiber-optic cable connections, and network users will be using a network switch with a fiber-media converter, permitting the host to connect using a standard RJ-45 type CAT-5a or CAT-6 network cable.

Standards Review Cycle

This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.

© 2013 Case Western Reserve University
Cleveland, OH 44106
216.368.2000
 
Information Technology Services
(legal notice)
 
Contact website owner
 
Contact our service desk
ITS Information
New to CWRU
Our Services
I Need Help
Service Status
 
ITS Resources
Information Security
Software Center
eStore
CWRU ITS Social Networks
Facebook
Twitter
Google+
YouTube
iTunes
RSS Feed
Translate this page
Share |