University of Houston – Information Technology Responsiveness to Homeland Security Threat Levels (rev 3/03)

Overview
  Elevated: Normal operating processes are in place.
  High: All technology providers will increase the level of monitoring and verify their security readiness posture.
  Severe: When "threat level red" is announced, IT will immediately reduce security exposure by changing how network communications are processed and cutting off access to high-risk machines.

Trigger(s)
  Elevated: Homeland Security goes to threat level yellow.
  High: Homeland Security goes to threat level orange.
  Severe: Homeland Security goes to threat level red.

Communication/Awareness
  Elevated: Standard operating processes.
  High: Create awareness among technology providers.
    - Communicate the plan to IT staff and technology providers.
    - Communicate the preventative measures to take with all technology infrastructure.
  Severe: Notify the campus community of services which are limited.
    - Communicate with technology providers (campus-wide) regarding what the RED strategies are.

Internet Connectivity
  Elevated: Standard operating processes.
  High: Increased monitoring and security analysis.
  Severe: Implement restrictions on the Internet connection. Shift from "permit all but special cases" to "deny all except for special cases." This will be accomplished in two stages.
    Stage 1 - Restrict Internet connections for all but identified critical services (like the admin systems and network infrastructure components).
      - Filter out all communications except web browsing and email from IT mail servers.
      - Special software applications (like FTP and TELNET) will be permitted only to specific computers.
    Stage 2 - Safe mode. After the threat is assessed, most restricted services will be restored, with the following exceptions.
      - Remote access to university computers will be only through a Virtual Private Network (VPN) service. The IT Help Desk will assist users in connecting through this service.
      - All Instant Messaging (ICQ and others) and Peer-to-Peer (P2P) applications will be restricted. The IT Help Desk will assist in reconnecting any critical needs for these services.

Monitoring/Analysis
  Elevated: IT maintains standard operating practices of 7x24 monitoring of the technology infrastructure.
    - Machines identified as security threats are removed from the network.
    - IT performs ongoing vulnerability testing and intrusion detection.
  High: Focus technology resources on system and network monitoring and immediately disconnect computer systems with suspicious network traffic.
    - Restoration of service to disconnected systems will be a much reduced priority.
    - System Administrators scan systems for any vulnerabilities.
    - Increase monitoring of system logs (at least daily).
    - Identify any systems that have high-risk concerns and should be filtered out in RED.
    - Update the Critical Systems list for protection and response priorities.
    - All system compromises, vulnerabilities and log irregularities are reported immediately to firstname.lastname@example.org.
  Severe: Highest level of monitoring.
    - All monitoring and analysis tasks identified in threat level orange should be continued.
    - All systems with compromises or security vulnerabilities should be reported immediately.

Resource Readiness
  High: Confirm availability of service provider and staff resources.

Computing and Network Systems
  Elevated: Standard operating practices.
    - Back up data regularly.
    - Maintain patch management.
    - Keep virus protection up to date.
  High:
    - Ensure backup of data and OS (network and system).
    - Ensure patch management is up to date.
    - Ensure virus protection is up to date.
    - All campus technology providers report machines which have irresolvable security risks.
  Severe: Filter off the network any machines with security concerns (identified during threat level orange).
    - All tasks identified in threat level orange should be continued.
    - All systems with compromises or security vulnerabilities should be reported immediately.

Campus Customers
  Elevated: Standard operating practices.
  High:
    - Verify technology security readiness with college and division management.
    - Verify the authenticity of critical communications sent via email.
    - Ensure desktop computers are shut off when not in use.
  Severe: Standard operating practices.

Physical Security of Technology Infrastructure Locations
  Elevated: Standard security processes in place.
  High: Network and data centers will shift to full lock-down of all internal and external access points.
  Severe: Physical access to network and data center facilities will be restricted to critical personnel.
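The two-stage Internet Connectivity plan for threat level red (deny-all Stage 1, then Stage 2 "safe mode" with VPN-only remote access and IM/P2P blocked), expressed as iptables-restore rulesets for an assumed Linux border gateway. This is an added example written for this page, not part of the UH document: the campus address space, IT mail servers, critical hosts, FTP/TELNET hosts and VPN concentrator are assumed placeholders, and the IM/P2P port list is an assumption about the clients of that era.

```shell
#!/bin/sh
# Added example (not from the UH document). Emits iptables-restore rulesets
# for the two stages of the "deny all except for special cases" posture.
# Assumed topology: this host forwards between the campus network and the
# Internet, so policy lives on the FORWARD chain. All addresses are placeholders.

CAMPUS_NET="10.0.0.0/8"               # assumed campus address space
IT_MAIL_SERVERS="10.1.1.10 10.1.1.11"  # assumed IT mail servers (only these may relay SMTP)
CRITICAL_HOSTS="10.1.2.0/24"           # assumed admin systems and network infrastructure
FTP_TELNET_HOSTS="10.1.3.5 10.1.3.6"   # assumed computers still permitted FTP/TELNET
VPN_CONCENTRATOR="10.1.4.1"            # assumed IPsec VPN endpoint (IKE + ESP)

# Stage 1: deny-all. FORWARD policy is DROP; only listed exceptions pass, and
# everything else is logged (rate-limited) so the monitoring row has evidence.
stage1_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $CAMPUS_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s $CAMPUS_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -s $CRITICAL_HOSTS -j ACCEPT
-A FORWARD -d $CRITICAL_HOSTS -j ACCEPT
EOF
  # DNS (udp/53) is assumed necessary for the "web browsing" exception.
  # Critical hosts are left fully reachable; narrow these two rules per service if known.
  for h in $IT_MAIL_SERVERS; do
    echo "-A FORWARD -s $h -p tcp --dport 25 -j ACCEPT"
    echo "-A FORWARD -d $h -p tcp --dport 25 -j ACCEPT"
  done
  for h in $FTP_TELNET_HOSTS; do
    echo "-A FORWARD -s $h -p tcp -m multiport --dports 20,21,23 -j ACCEPT"
    echo "-A FORWARD -d $h -p tcp -m multiport --dports 20,21,23 -j ACCEPT"
  done
  cat <<EOF
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "RED-STAGE1-DROP: "
COMMIT
EOF
}

# Stage 2: safe mode. FORWARD policy returns to ACCEPT; the two standing
# exceptions become explicit DROPs evaluated before the default.
# Assumes VPN sessions terminate on the concentrator and their decrypted
# traffic is sourced from inside CAMPUS_NET, so only direct Internet-sourced
# remote-access attempts hit the DROP below.
stage2_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $VPN_CONCENTRATOR -p udp -m multiport --dports 500,4500 -j ACCEPT
-A FORWARD -d $VPN_CONCENTRATOR -p esp -j ACCEPT
-A FORWARD ! -s $CAMPUS_NET -d $CAMPUS_NET -p tcp -m multiport --dports 22,23,3389,5900 -j DROP
-A FORWARD -p tcp -m multiport --dports 1863,5050,5190,5222 -j DROP
-A FORWARD -p tcp -m multiport --dports 1214,4662,6346,6347,6881:6889 -j DROP
-A FORWARD -p udp -m multiport --dports 1214,4662,6346,6347,6881:6889 -j DROP
COMMIT
EOF
}
# Assumed port map: 1863 MSN, 5050 Yahoo, 5190 AIM/ICQ, 5222 XMPP;
# 1214 FastTrack/Kazaa, 4662 eDonkey, 6346-6347 Gnutella, 6881-6889 BitTorrent.

# Usage: sh red_stages.sh stage1 | iptables-restore   (then stage2 after assessment)
case "${1:-}" in
  stage1) stage1_rules ;;
  stage2) stage2_rules ;;
esac
```

The Stage 2 IM/P2P rules are port-based and therefore only a first approximation: P2P clients port-hop and IM clients fall back to 80/443, so these drops need to be backed by the log review in the Monitoring/Analysis row and, where available, application-aware inspection. Load Stage 1 first, and only switch to Stage 2 once the threat has been assessed, as the matrix requires.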