III-3a Case Quarantine Procedures and Return to Service Fees
Overview
Version 1.0
Last Revision Date: November 3, 2007
Approval Date: November 3, 2007
Approval Authority: Case Chief Information Security Officer
Purpose
The Case Quarantine Process is defined to inform and instruct network
and help desk users in the use of the Quarantine Network in
network-based security problem mitigation.
Scope
This policy applies to all information technology systems that use the
Case network infrastructure.
Cancellation
Not applicable.
Procedure Statement
General
All hosts (personal computers, servers, printers, etc.) on Case
networks are required to be registered in accordance with the II-3
Network Management Policy. When Case ITS staff detect anomalous
network activity related to specific hosts on the network, the host in
question can be placed in the Quarantine Network, which provides reduced
network communication to the host. This network prevents the spread
of attacks and malware while permitting end users to communicate with
network-based anti-virus and software update services.
The operational model is to quarantine hosts, notify the end users or
their responsible administrators, investigate the root cause, resolve
the root cause and potential user practices, and return the host to
full network services.
Procedure
1. When a host exhibits anomalous network behavior which in the
judgment of the ITS staff constitutes an unacceptable risk to
the Case IT infrastructure and university computing environments,
it may be placed into the Quarantine Network either manually or by
automated means. The Quarantine Network permits the host to
communicate with Case WebMail, Symantec Anti-Virus update servers, and
Windows Update services.
2. When a host is quarantined, an automatic notification is
sent to the Case Help Desk concerning the host. The Case Help
Desk will create a tracking ticket and attempt to contact the
registered owner of the host via phone calls (to the number listed in
the Case LDAP) and email to the owner's case.edu email address.
The Case Help Desk will attempt to contact the owner daily for the
first five business days of the quarantine event. Once placed in
the Quarantine Network the host's user will see the Quarantine Page for
all web traffic (due to traffic redirection). When the owner
responds to the Help Desk, then the owner is assisted in problem
investigation and remediation.
3. Upon successful remediation, the Case Help Desk will move the
host from the Quarantine Network back to the production network.
The tracking ticket will be closed out.
4. If a quarantined host owner does not respond to the Case Help
Desk within 30 calendar days of the original quarantine date, the host
will have its network registration removed (registration
disabled). When the host is disabled, the Quarantine Network
changes will be removed and the network faceplate will be restored to
the production network. The tracking ticket will be moved to a
different work queue.
5. To restore network services to a registration-disabled host,
the host shall be brought to a Case Help Desk walk-in center where it
will undergo a full remediation by the Help Desk staff. Once the
Help Desk staff have determined that the root cause of the original
quarantine event has been understood, the owner is given
corrective actions (up to a full system rebuild and secured
configuration). A system baseline audit will be performed to
assure the host is compliant with the Case minimum standards for
networked operation. The owner shall then pay a network
restoration fee of $100.00, and the Help Desk will submit the tracking
ticket to the Case ITS staff to restore the network service for the
host in question.
5.a. Return to service fees are paid to PerceptIS, Inc. If
a user has a service agreement with PerceptIS, this fee may be included
in the support package.
Responsibility
Case End Users: When a registered host is quarantined, contact
the Case Help Desk. The Help Desk staff will assist the user in
steps to self-assess and correct the security issues.
Case ITS Staff: Monitor the network for potentially malicious
activity. Use established procedures and protocols to move hosts
into quarantine proactively to prevent propagation of
infections. Case ITS staff also will perform host registration
disable and re-enable tasks. Maintain documented procedures with
the Case Help Desk.
Case Help Desk: Contact End Users (as listed in the host
registration information) when notified of a quarantine. Notify
Case ITS Staff of a host that has been quarantined for more than 30
days without response from the End User.
Definitions
host: Any network-capable device utilizing network
services. A host can be a personal computer, a networkable
appliance, server resources, printers, scanners, or copiers.
network faceplate: The primary network interface for Case
users. Many network faceplates have fiber-optic cable
connections, and network users will be using a network switch with a
fiber-media converter, permitting the host to connect using a standard
RJ-45 type CAT-5a or CAT-6 network cable.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of
the policy effective date, at a minimum. The standard may be reviewed
on a more frequent basis depending on changes of risk exposure.