threat_levels by marcusjames


University of Houston – Information Technology
Responsiveness to Homeland Security Threat Levels (rev 3/03)

The plan defines three levels, each tied to a Homeland Security threat level:

  Elevated (Homeland Security goes to threat level yellow)
    Normal operating processes are in place.

  High (Homeland Security goes to threat level orange)
    All technology providers will increase the level of monitoring and verify
    security readiness posture.

  Severe (Homeland Security goes to threat level red)
    When "threat level red" is announced, IT will immediately restrict the level
    of security exposure by changing how network communications are processed
    and cutting off access to high-risk machines.

Communication with technology providers
  Elevated: Standard Operating Processes.
  High: Create awareness among technology providers.
    - Communicate plan to IT staff and technology providers.
    - Communicate with technology providers (campus-wide) regarding what the
      RED strategies are.
    - Communicate preventative measures to take with all technology.
  Severe: Notify campus community of services which are limited.

Internet Connectivity
  Elevated: Standard Operating Processes.
  High: Increased monitoring and security analysis.
  Severe: Implement restrictions on Internet connection. Shift from "permit all
    but special cases" to "deny all except for special cases." This will be
    accomplished in two stages.

    Stage 1 - Restrict Internet connections to all but identified critical
    services (like the admin systems and network infrastructure components).
    - Filter out all communications except for web browsing and email from IT
      mail servers.
    - Special software applications (like FTP and TELNET) will be permitted
      to specific computers.

    Stage 2 - Safe mode. After the threat is assessed, most restricted services
    will be restored with the following:
    - Remote access to university computers will be only through a Virtual
      Private Network (VPN) service. The IT Help Desk will assist users in
      connecting through this.
    - All Instant Messaging (ICQ and others) and Peer-to-Peer (P2P)
      applications will be restricted. The IT Help Desk will assist
      reconnecting any critical needs for these services.
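The two-stage shift from "permit all but special cases" to "deny all except for special cases" is easy to get wrong in either direction, so here is an added model of it (illustrative code, not UH's own rule set). The host lists and the IM/P2P port numbers are constructed sample values; the real Critical Systems list is not reproduced on this page.

```python
"""Model of the threat-level-red connectivity policy: Stage 1 (default deny
with listed exceptions) and Stage 2 (safe mode). Constructed example."""
from dataclasses import dataclass

# Constructed sample values standing in for IT's Critical Systems list.
IT_MAIL_SERVERS = {"10.0.5.10", "10.0.5.11"}   # email allowed only from these
FTP_TELNET_HOSTS = {"10.0.7.20"}               # specific computers allowed FTP/TELNET
CRITICAL_SERVICES = {"10.0.9.1"}               # admin systems / network infrastructure
VPN_GATEWAY = "10.0.3.1"                       # the only inbound path in Stage 2
WEB_PORTS = {80, 443}
IM_P2P_PORTS = {5190, 6881}                    # sample IM and P2P ports (constructed)


@dataclass(frozen=True)
class Conn:
    src: str        # source host
    dst: str        # destination host
    dport: int      # destination port
    inbound: bool   # True when the connection originates off-campus


def stage1(c: Conn) -> bool:
    """Stage 1: deny everything, then permit only the page's exceptions."""
    if c.src in CRITICAL_SERVICES or c.dst in CRITICAL_SERVICES:
        return True                                  # identified critical services
    if not c.inbound and c.dport in WEB_PORTS:
        return True                                  # web browsing
    if c.dport == 25 and c.src in IT_MAIL_SERVERS:
        return True                                  # email from IT mail servers
    if c.dport in (21, 23) and c.dst in FTP_TELNET_HOSTS:
        return True                                  # FTP/TELNET to specific hosts
    return False                                     # default deny


def stage2(c: Conn) -> bool:
    """Stage 2 (safe mode): restore most services, keep two restrictions."""
    if c.dport in IM_P2P_PORTS:
        return False                                 # IM and P2P stay restricted
    if c.inbound and c.dst != VPN_GATEWAY:
        return False                                 # remote access only via VPN
    return True


def restored_in_stage2(conns):
    """Connections blocked in Stage 1 but allowed again once safe mode starts."""
    return [c for c in conns if not stage1(c) and stage2(c)]
```

The last function is what the Help Desk would need when users ask which services came back after the threat was assessed.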
Monitoring/Analysis
  Elevated: IT maintains standard operating practices of 7x24 monitoring of
    technology infrastructure.
    - Machines identified as security threats are removed from the network.
    - IT performs ongoing vulnerability testing and intrusion detection.
  High: Focus technology resources on system and network monitoring and
    immediately disconnect computer systems with suspicious network traffic.
    - Restoration of service to disconnected systems will be a much reduced
      priority.
    - System Administrators scan systems for any vulnerabilities.
    - Increase monitoring of system logs (at least daily).
    - Identify any systems that have high-risk concerns that should be
      filtered out in RED.
    - Update Critical Systems list for protection and response priorities.
    - All system compromises, vulnerabilities and log irregularities are
      reported immediately to
  Severe: Highest level of monitoring.
    - All monitoring and analysis tasks identified in threat level orange
      should be continued.
    - All systems with compromises or security vulnerabilities should be
      reported immediately.

Resource Readiness
  High: Confirm availability of service provider and staff resources.

Computing and Network Systems
  Elevated: Standard operating practices.
    - Back up data regularly.
    - Maintain patch management.
    - Keep virus protection up to date.
  High:
    - Ensure back up of data and OS (network and system).
    - Ensure patch management is up to date.
    - Ensure virus protection is up to date.
    - All campus technology providers report machines which have
      irresolvable security risks.
    - Verify technology security readiness with college and division
      management.
  Severe: Filter off the network machines with any security concerns
    (identified during threat level Orange).
    - All tasks identified in threat level orange should be continued.
    - All systems with compromises or security vulnerabilities should be
      reported immediately.

Campus Customers
  Elevated: Standard operating practices.
  High: Standard operating practices.
  Severe:
    - Verify authenticity of critical communications sent via email.
    - Ensure desktop computers are shut off when not in use.

Physical Security of Technology Infrastructure Locations
  Elevated: Standard security processes in place.
  High: Network and data centers will shift to full lock-down of all internal
    and external access points.
  Severe: Physical access to network and data center facilities will be
    restricted to critical personnel.
