Responding to a Security-Related Incident Causing Network Service Degradation

This is a standard operating procedure for responding to security-related incidents causing network service degradation. This procedure allows for a coordinated response from ITS, a CSU (Computing Support Unit) and others involved in investigating and resolving the incident.

  1. When an incident involving network service degradation is detected by any of the monitoring systems or reported by a client, an incident ticket is opened immediately with the ITS Service Desk
  2. The ITS Service Desk will assign the ticket to ITS Network Services
  3. Network Services will investigate the incident
  4. If the cause of service degradation is a compromised network device endpoint (e.g., a server or workstation), the network port or VLAN (Virtual Local Area Network) where the endpoint is connected will be disabled
  5. The VLAN will be disabled if the compromised network device was moved from an initial port (after it was disabled) to a different one, or if multiple network devices on the VLAN were compromised (e.g., a virus outbreak)
  6. The CSU contact (if known), the ITS Service Desk and Information Security will be notified by email of the status and action taken by Network Services
  7. The CSU contact of the compromised endpoint will perform further investigation to identify the device and physically disconnect it from the Campus Network; if the CSU contact is not known, Network Services will ask the Service Desk on-site Team to physically disconnect the compromised device from the network
  8. ITS Network Services will not enable the disabled port or VLAN until directed to do so by Information Security, who will confirm that the condition causing the performance degradation has been removed from the network
  9. After the affected port or VLAN is re-enabled, Network Services will assign the ticket to Information Security
  10. ITS Information Security will create a security incident report that will contain pertinent details about the incident, and will close the ticket accordingly
  11. A copy of the report will be provided to the CSU contact, the ITS Service Desk, Network Services and other parties that were involved in the incident