secure computer configuration for wire transfers

Upload: bojan-mucalov

Post on 03-Apr-2018


  • 7/28/2019 Secure Computer Configuration for Wire Transfers


    UCOP, IR&C Secure Computer Configuration for Electronic Funds Transfer

    Secure Computer Configuration for Wire Transfers

    Background

    Wire transfers are accomplished through the use of a web-based application that is provided to the University by the financial institution. Authorized University personnel use an off-the-shelf web browser to access the application. The following controls exist to prevent unauthorized transactions:

    - The responsibilities for transaction entry and transaction approval are segregated between two different groups of authorized University employees.

    - Authentication to the application (by all employees using this banking application) requires not only a password, but also a digital certificate that has been installed on the employee's personal computer (PC).

    The employees' PCs (and any other authorized users and administrators of those PCs) are trusted implicitly by these controls to prohibit the following:

    - Transfer of the digital certificate's private key to unauthorized people or storage locations.

    - Capture and/or transmission of passwords to unauthorized people or storage locations.

    - Capture and/or transmission of transactions to unauthorized people or storage locations.

    - Modification of transactions as they are transmitted to the financial institution.

    Unfortunately, most PC software cannot be trusted to do this at the level required for wire transfers without careful management. This document describes requirements for the management of these PCs.

    Controls

    The following measures should be taken to mitigate the risks to private keys, passwords, and transactions.

    1. Conduct periodic risk assessment and implement a departmental security plan in compliance with Business & Finance Bulletin IS-3: Electronic Information Security.

    2. To prevent unauthorized capture, transmission, or modification of private keys, passwords and transactions, it is necessary to ensure that the web-based application provided by the Financial Institution (BA DIRECT WIRE TRANSFER PC), its operating system, or the web browser have not been compromised or modified. The following measures are intended for a single PC that is connected to a typical campus network.

    2.1. Access Controls

    2.1.1. The BA DIRECT WIRE TRANSFER PC must be used exclusively for BA DIRECT WIRE TRANSFER functions and must not have any other uses.

    2.1.2. User access to the BA DIRECT WIRE TRANSFER PC:

    2.1.2.1. Users must use only the local user accounts created for the BA DIRECT WIRE TRANSFER function. To ensure that only local accounts can log on to the BA DIRECT WIRE TRANSFER PC, the BA DIRECT WIRE TRANSFER PC must not be a member of any NT/AD domain.

    Page 1 of 16 Rev. 65/05/2006

    2.1.2.2. The local user accounts MUST NOT be shared for any reason.

    2.1.2.3. Ensure that login accounts have no more privileges than are necessary; the account should have no more privileges than those given to the built-in local Users group.

    2.1.2.4. Ensure that the web browser's private key storage is encrypted by establishing a password for the Software Security Device under Manage Security Devices of the Advanced portion of Firefox's Preferences dialog.

    2.1.3. Designation of BA DIRECT WIRE TRANSFER computers by function:

    2.1.3.1. In order to enforce this segregation of function between two types of BA DIRECT WIRE TRANSFER PCs, only the initiators' user accounts will be created on the Initiator BA DIRECT WIRE TRANSFER PCs. Conversely, only the local user accounts for approvers/releasers will be created on the Releaser BA DIRECT WIRE TRANSFER PCs.

    2.1.3.2. There will be a minimum of two separate BA DIRECT WIRE TRANSFER PCs at a given site: an Initiator BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction initiators, and a Releaser BA DIRECT WIRE TRANSFER PC dedicated to usage by the transaction approvers/releasers.

    2.1.3.3. The Initiator computer may be shared among multiple initiators, but not with approvers/releasers. The Releaser BA DIRECT WIRE TRANSFER PC may be shared among multiple approvers/releasers, but never with initiators. The system administrators for initiator computers must be different from the system administrators for approver/releaser computers.

    2.2. Physical Controls

    2.2.1. Physical security of the BA DIRECT WIRE TRANSFER PC:

    2.2.1.1. Prevent unauthorized removal of the BA DIRECT WIRE TRANSFER PC by securing the BA DIRECT WIRE TRANSFER PC with an anchoring device (e.g. cable lock) or by placing the BA DIRECT WIRE TRANSFER PC in a limited-access area (e.g. locked room).

    2.2.1.2. Prevent unauthorized access to the internal components of the BA DIRECT WIRE TRANSFER PC by locking the chassis (some models of cable locks combine this feature with the anchoring function).

    2.2.2. Control access to devices that store digital certificates' private keys.

    2.3. System Configuration

    2.3.1. Use a secure operating system, such as Windows XP Professional with SP2, including the security settings in Appendix A: Security Template Settings for BA DIRECT WIRE TRANSFER Computers.


    2.3.2. Remove all software except for the essential components of the operating system, the web browser, the firewall software and the virus protection software. Disable or remove all unnecessary services.

    2.3.3. Ensure that only the required software will be allowed to be executed by the user (e.g., via Software Restriction Policies in Windows XP Local Security Policy).

    2.3.3.1. Set the Enforcement so that the software restriction policies apply to All users except local administrators.

    2.3.3.2. Set the default Security Level to Disallowed, which is the maximally restrictive setting that does not allow any software to run except for those that are defined as exceptions under Additional Rules.

    2.3.3.3. Specify exceptions for the allowed applications by creating new rules (both Hash and Path).

    2.3.4. Use Firefox as the BA DIRECT WIRE TRANSFER PC's web browser.

    2.3.5. Install ZoneAlarm or a similar firewall and configure it to enable communication only with the financial institution and other required system management services, such as anti-virus and patch servers, log servers, etc.

    2.3.6. There must be no wireless connectivity to the computer.

    2.3.7. There must be no back door connections to the computer or remote control software, such as Windows Terminal Server or PC Anywhere.

    2.3.8. Remove or disable physical media readers (e.g., CDs, floppy disks, flash drives) and disable USB.

    2.3.9. Use a locally attached printer only.

    2.3.10. Enable password protection on BIOS to prevent unauthorized system reconfiguration (this is not to be confused with the power-on password).

    2.4. System Administration and Maintenance

    2.4.1. System administration and software updates (operating system and application) must be performed in a highly-secure manner, preferably locally, not over a network.

    2.4.2. Ensure that all critical security patches are applied to the operating system and all applications within 24 hours of release.

    2.4.3. Ensure that virus, spyware scanners, etc. are installed and updated within 1 week of the release of new threat definitions, unless deemed critical.

    2.5. System Monitoring and Incident Response

    2.5.1. Enable and monitor all appropriate log facilities for tracking user access and activity.

    2.5.2. Auditing of logs must be conducted regularly by an established schedule, with a minimum frequency of once a week.

    2.5.3. Install Tripwire for Servers as a standalone installation and monitor system administration/change activity.

    2.5.4. Monitor network traffic involving the BA DIRECT WIRE TRANSFER PCs and generate notices if unusual activity occurs. Use static IP addresses to enhance the robustness of this monitoring.

    2.5.5. If a BA DIRECT WIRE TRANSFER PC is ever compromised, do forensics on it to determine how it was compromised and to structure a recovery plan. (See Appendix B: Sample Incident Response Check List.)
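The egress restriction in 2.3.5, the ban on remote connections in 2.3.7 and the traffic monitoring in 2.5.4 can be checked together against flow records. The Python below is an added example, not part of the UCOP document: the static IP, the allowlisted networks and ports, and the one-line flow-record format are all constructed for illustration, and each record is assumed to describe the initiating side of a connection.

```python
import ipaddress

# All addresses below are constructed (RFC 1918 / RFC 5737 ranges).
WIRE_PC = ipaddress.ip_address("10.20.30.40")  # assumed static IP of the PC (2.5.4)

# Assumed firewall policy for 2.3.5: (label, network, allowed (protocol, port) pairs).
ALLOWLIST = [
    ("financial institution", ipaddress.ip_network("203.0.113.0/28"), {("tcp", 443)}),
    ("anti-virus server", ipaddress.ip_network("10.20.1.7/32"), {("tcp", 443)}),
    ("patch server", ipaddress.ip_network("10.20.1.5/32"), {("tcp", 443)}),
    ("log server", ipaddress.ip_network("10.20.1.9/32"), {("udp", 514)}),
]


def parse_flow(line):
    """Parse 'timestamp src dst proto dport'; raises ValueError if malformed."""
    timestamp, src, dst, proto, dport = line.split()
    return {
        "timestamp": timestamp,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
    }


def classify(flow):
    """Return None for an expected flow, otherwise the reason for a notice."""
    if flow["dst"] == WIRE_PC:
        # 2.3.7: nothing should be opening connections to the PC.
        return "inbound connection to wire-transfer PC"
    if flow["src"] != WIRE_PC:
        return None  # the flow does not involve the monitored PC
    for label, network, services in ALLOWLIST:
        if flow["dst"] in network:
            if (flow["proto"], flow["dport"]) in services:
                return None
            return f"unexpected port {flow['proto']}/{flow['dport']} to {label}"
    return "destination not on allowlist"


def review(lines):
    """Return (record, reason) pairs for every flow that needs a notice."""
    notices = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            reason = classify(parse_flow(line))
        except ValueError:
            # A record the monitor cannot read is itself worth a notice.
            reason = "unparseable record"
        if reason:
            notices.append((line, reason))
    return notices


# Constructed sample records, not taken from any real network.
SAMPLE = """\
# timestamp src dst proto dport
2006-05-05T09:01:12 10.20.30.40 203.0.113.5 tcp 443
2006-05-05T09:03:40 10.20.30.40 10.20.1.9 udp 514
2006-05-05T09:15:02 10.20.30.40 192.0.2.77 tcp 80
2006-05-05T09:16:30 10.20.7.12 10.20.30.40 tcp 3389
2006-05-05T09:20:11 10.20.30.40 203.0.113.5 tcp 21
2006-05-05T09:21:00 10.20.7.12 10.20.1.5 tcp 443
"""

if __name__ == "__main__":
    for record, reason in review(SAMPLE.splitlines()):
        print(f"NOTICE: {reason}: {record}")
```

Because the PC has a fixed address and a single purpose, anything outside the allowlist is a notice rather than a statistical anomaly, which is why 2.5.4 asks for static IP addresses.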


    Appendix A: Security Template Settings for BA DIRECT WIRE TRANSFER Computers

    (This template is based on NIST Special Publication 800-68 (Draft) Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, Appendix A, NIST Security Template Settings. Line items without numbers are additional UC settings.)

    | No. | Policy | BA DIRECT WIRE TRANSFER Requirements | Comment |
    | A-1 | | | |
    | 1.1 | Enforce password history | 24 passwords remembered | |
    | 1.2 | Maximum password age | 0 | |
    | 1.3 | Minimum password age | 1 day | |
    | 1.4 | Minimum password length | 12 characters | |
    | 1.5 | Password must meet complexity requirements | Enabled | |
    | 1.6 | Store password using reversible encryption for all users in the domain | Disabled | |
    | A-2 | | | |
    | 2.1 | Account lockout duration | 15 minutes | |
    | 2.2 | Account lockout threshold | 10 invalid logon attempts | |
    | 2.3 | Reset account lockout counter after | 15 minutes | |
    | A-3 | | | |
    | 3.1 | Audit account logon events | Success, Failure | |
    | 3.2 | Audit account management | Success, Failure | |
    | 3.3 | Audit directory service access | No auditing | |
    | 3.4 | Audit logon events | Success, Failure | |
    | 3.5 | Audit object access | Success, Failure | |
    | 3.6 | Audit policy change | Success | |
    | 3.7 | Audit privilege use | Failure | |
    | 3.8 | Audit process tracking | No auditing | |
    | 3.9 | Audit system events | Success | |
    | A-4 | | | |
    | 4.1 | Access this computer from the network | Remove all entries | |
    | 4.2 | Act as part of the operating system | None | |
    | 4.3 | Add workstations to domain | Not Defined (Not Applicable) | |
    | 4.4 | Adjust memory quotas for a process | Not Defined | |
    | 4.5 | Allow logon through Terminal Services | Remove all entries | |
    | 4.6 | Back up files and directories | Administrators | |
    | 4.7 | Bypass traverse checking | Users | |
    | 4.8 | Change the system time | Administrators | |
    | 4.9 | Create a pagefile | Administrators | |
    | 4.10 | Create a token object | None | |
    | 4.11 | Create permanent shared objects | None | |
    | 4.12 | Debug programs | None | |


    | 4.13 | Deny access to this computer from the network | Guest | |
    | 4.14 | Deny logon as a batch job | Not Defined | |
    | 4.15 | Deny logon as a service | Not Defined | |
    | 4.16 | Deny logon locally | Not Defined | |
    | 4.17 | Deny logon through Terminal Services | Everyone | |
    | 4.18 | Enable computer and user accounts to be trusted for delegation | Not Defined (Not Applicable) | |
    | 4.19 | Force shutdown from a remote system | Remove all entries | |
    | 4.20 | Generate security audits | Local Service, Network Service | |
    | 4.21 | Increase scheduling priority | Administrators | |
    | 4.22 | Load and unload device drivers | Administrators | |
    | 4.23 | Lock pages in memory | None | |
    | 4.24 | Log on as a batch job | Not Defined | |
    | 4.25 | Log on as a service | Not Defined | |
    | 4.26 | Log on locally | Users, Administrators | |
    | 4.27 | Manage auditing and security log | Administrators | |
    | 4.28 | Modify firmware environment values | Administrators | |
    | 4.29 | Perform volume maintenance tasks | Administrators | |
    | 4.30 | Profile single process | Administrators | |
    | 4.31 | Profile system performance | Administrators | |
    | 4.32 | Remove computer from docking station | Users, Administrators | |
    | 4.33 | Replace a process level token | Local Service, Network Service | |
    | 4.34 | Restore files and directories | Administrators | |
    | 4.35 | Shut down the system | Users, Administrators | |
    | 4.36 | Synchronize directory service data | Not Defined (Not Applicable) | |
    | 4.37 | Take ownership of files or other objects | Administrators | |
    | A-5 | | | |
    | 5.1 | Accounts: Administrator account status | Not Defined | |
    | 5.2 | Accounts: Guest account status | Disabled | |
    | 5.3 | Accounts: Limit local account use of blank passwords to console logon only | Enabled | |
    | 5.4 | Accounts: Rename administrator account | Built-in Administrator account should be renamed and disabled, then a separate administrator account created for administrative purpose. | |
    | 5.5 | Accounts: Rename guest account | Not Defined | |
    | 5.6 | Audit: Audit the access of global system objects | Enabled | |
    | 5.7 | Audit: Audit the use of Backup and Restore privilege | Enabled | |


    | 5.8 | Audit: Shut down system immediately if unable to log security audits | Enabled | |
    | 5.9 | Devices: Allow undock without having to log on | Disabled | |
    | 5.10 | Devices: Allowed to format and eject removable media | Administrators | |
    | 5.11 | Devices: Prevent users from installing printer drivers | Enabled | |
    | 5.12 | Devices: Restrict CD-ROM access to locally logged-on user only | Enabled | |
    | 5.13 | Devices: Restrict floppy access to locally logged-on user only | Enabled | |
    | 5.14 | Devices: Unsigned driver installation behavior | Warn but allow installation | |
    | 5.15 | Domain controller: Allow server operators to schedule tasks | Not Defined (Not Applicable) | |
    | 5.16 | Domain controller: LDAP server signing requirements | Not Defined (Not Applicable) | |
    | 5.17 | Domain controller: Refuse machine account password changes | Not Defined (Not Applicable) | |
    | 5.18 | Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | |
    | 5.19 | Domain member: Digitally encrypt secure channel data (when possible) | Enabled | |
    | 5.20 | Domain member: Digitally sign secure channel data (when possible) | Enabled | |
    | 5.21 | Domain member: Disable machine account password changes | Disabled | |
    | 5.22 | Domain member: Maximum machine account password age | 30 Days | |
    | 5.23 | Domain member: Require strong (Windows 2000 or later) session key | Enabled | |
    | 5.24 | Interactive logon: Do not display last user name | Enabled | |
    | 5.25 | Interactive logon: Do not require CTRL+ALT+DEL | Disabled | |
    | 5.26 | Interactive logon: Message text for users attempting to log on | Should be edited to contain message content pertinent to UC policy. | |
    | 5.27 | Interactive logon: Message title for users attempting to log on | Should be edited to contain message content pertinent to UC policy. | |
    | 5.28 | Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 | |


    | 5.29 | Interactive logon: Prompt user to change password before expiration | 14 Days | |
    | 5.30 | Interactive logon: Require Domain Controller authentication to unlock workstation | Not Defined | |
    | 5.31 | Interactive logon: Smart card removal behavior | Lock Workstation | |
    | 5.32 | Microsoft network client: Digitally sign communications (always) | Enabled | |
    | 5.33 | Microsoft network client: Digitally sign communications (if server agrees) | Enabled | |
    | 5.34 | Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | |
    | 5.35 | Microsoft network server: Amount of idle time required before suspending session | 15 minutes | |
    | 5.36 | Microsoft network server: Digitally sign communications (always) | Enabled | |
    | 5.37 | Microsoft network server: Digitally sign communications (if client agrees) | Enabled | |
    | 5.38 | Microsoft network server: Disconnect clients when logon hours expire | Enabled | |
    | 5.39 | Network access: Allow anonymous SID/Name translation | Disabled | |
    | 5.40 | Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | |
    | 5.41 | Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | |
    | 5.42 | Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | |
    | 5.43 | Network access: Let Everyone permissions apply to anonymous users | Disabled | |
    | 5.44 | Network access: Named Pipes that can be accessed anonymously | None | |
    | 5.45 | Network access: Remotely accessible registry paths | Not Defined | |
    | 5.46 | Network access: Shares that can be accessed anonymously | None | |
    | 5.47 | Network access: Sharing and security model for local accounts | Classic | |


    | 5.48 | Network access: Sharing and security model for local accounts | Enabled | |
    | 5.49 | Network security: Force logoff when logon hours expire | Enabled | |
    | 5.50 | Network security: LAN Manager authentication level | Send NTLMv2, Refuse LM and NTLM | |
    | 5.51 | Network security: LDAP client signing requirements | Require Signing | |
    | 5.52 | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption | |
    | 5.53 | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption | |
    | 5.54 | Recovery Console: Allow automatic administrative logon | Disabled | |
    | 5.55 | Recovery console: Allow floppy copy and access to all drives and all folders | Not Defined | |
    | 5.56 | Shutdown: Allow system to be shut down without having to log on | Disabled | |
    | 5.57 | Shutdown: Clear virtual memory pagefile | Enabled | |
    | 5.58 | System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled | |
    | 5.59 | System objects: Default owner for objects created by members of the Administrators group | Object Creator | |
    | 5.60 | System objects: Require case insensitivity for non-Windows subsystems | Enabled | |
    | 5.61 | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | |
    | A-6 | | | |
    | 6.1 | Maximum application log size | 16 MB | |
    | 6.2 | Maximum security log size | 80 MB | |
    | 6.3 | Maximum system log size | 16 MB | |
    | 6.4 | Prevent local guests group from accessing application log | Enabled | |
    | 6.5 | Prevent local guests group from accessing security log | Enabled | |
    | 6.6 | Prevent local guests group from accessing system log | Enabled | |


    | 6.7 | Retain application log | Not Defined | |
    | 6.8 | Retain security log | Not Defined | |
    | 6.9 | Retain system log | Not Defined | |
    | 6.10 | Retention method for application log | Not Defined | |
    | 6.11 | Retention method for security log | Not Defined | |
    | 6.12 | Retention method for system log | Not Defined | |
    | A-7 | | | |
    | 7.1 | Power Users | None | |
    | 7.2 | Remote Desktop Users | None | |
    | A-8 | | | |
    | 8.1 | Alerter | Disabled | |
    | | Application Layer Gateway | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | 8.2 | Clipbook | Disabled | |
    | 8.3 | Computer Browser | Disabled | |
    | | Distributed Link Tracking Client | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | | Error Reporting | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | | Fast User Switching Compatibility | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | 8.4 | Fax Service | Disabled | |
    | 8.5 | FTP Publishing Service | Disabled | |
    | 8.6 | IIS Admin Service | Disabled | |
    | 8.7 | Indexing Service | Disabled | |
    | 8.8 | Messenger | Disabled | |
    | 8.9 | Net Logon | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | 8.10 | Netmeeting Remote Desktop Sharing | Disabled | |
    | | Network Location Awareness (NLA) | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | 8.11 | Remote Desktop Help Session Manager | Disabled | |
    | 8.12 | Remote Registry | Disabled | |
    | 8.13 | Routing and Remote Access | Disabled | |
    | 8.14 | Simple Mail Transfer Protocol (SMTP) | Disabled | |
    | 8.15 | Simple Network Management Protocol (SNMP) Service | Disabled | |
    | 8.16 | Simple Network Management Protocol (SNMP) Trap | Disabled | |
    | 8.17 | Task Scheduler | Disabled | |
    | 8.18 | Telnet | Disabled | |
    | 8.19 | Terminal Services | Disabled | |
    | 8.20 | Universal Plug and Play Device Host | Disabled | |
    | | Volume Shadow Copy | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | | WebClient | Disabled | Per UCOP Common Desktop Initiative configuration. |


    | | Wireless Zero Configuration | Disabled | Per UCOP Common Desktop Initiative configuration. |
    | 8.21 | World Wide Web Publishing Services | Disabled | |
    | A-9 | | | |
    | 9.1 | %SystemRoot%\system32\at.exe | Administrators: Full; System: Full | |
    | 9.2 | %SystemRoot%\system32\attrib.exe | Administrators: Full; System: Full | |
    | 9.3 | %SystemRoot%\system32\cacls.exe | Administrators: Full; System: Full | |
    | 9.4 | %SystemRoot%\system32\debug.exe | Administrators: Full; System: Full | |
    | 9.5 | %SystemRoot%\system32\drwatson.exe | Administrators: Full; System: Full | |
    | 9.6 | %SystemRoot%\system32\drwtsn32.exe | Administrators: Full; System: Full | |
    | 9.7 | %SystemRoot%\system32\edlin.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.8 | %SystemRoot%\system32\eventcreate.exe | Administrators: Full; System: Full | |
    | 9.9 | %SystemRoot%\system32\eventtriggers.exe | Administrators: Full; System: Full | |
    | 9.10 | %SystemRoot%\system32\ftp.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.11 | %SystemRoot%\system32\net.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.12 | %SystemRoot%\system32\net1.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.13 | %SystemRoot%\system32\netsh.exe | Administrators: Full; System: Full | |
    | 9.14 | %SystemRoot%\system32\rcp.exe | Administrators: Full; System: Full | |
    | 9.15 | %SystemRoot%\system32\reg.exe | Administrators: Full; System: Full | |
    | 9.16 | %SystemRoot%\regedit.exe | Administrators: Full; System: Full | |
    | 9.17 | %SystemRoot%\system32\regedt32.exe | Administrators: Full; System: Full | |
    | 9.18 | %SystemRoot%\system32\regsvr32.exe | Administrators: Full; System: Full | |
    | 9.19 | %SystemRoot%\system32\rexec.exe | Administrators: Full; System: Full | |
    | 9.20 | %SystemRoot%\system32\rsh.exe | Administrators: Full; System: Full | |
    | 9.21 | %SystemRoot%\system32\runas.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.22 | %SystemRoot%\system32\sc.exe | Administrators: Full; System: Full | |
    | 9.23 | %SystemRoot%\system32\subst.exe | Administrators: Full; System: Full | |


    | 9.24 | %SystemRoot%\system32\telnet.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.25 | %SystemRoot%\system32\tftp.exe | Administrators: Full; System: Full; INTERACTIVE: Read, Ex | |
    | 9.26 | %SystemRoot%\system32\tlntsvr.exe | Administrators: Full; System: Full | |
    | A-10 | | | |
    | 10.1 | HKLM\Software | Administrators: Full; System: Full; Creator Owner: Full; Users: Read | |
    | 10.2 | HKLM\Software\Microsoft\Windows\CurrentVersion\Installer | Administrators: Full; System: Full; Users: Read | |
    | 10.3 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies | Administrators: Full; System: Full; Authenticated Users: Read | |
    | 10.4 | HKLM\System | Administrators: Full; System: Full; Creator Owner: Full; Users: Read | |
    | 10.5 | HKLM\System\CurrentControlSet\Enum | Administrators: Full; System: Full; Authenticated Users: Read | |
    | 10.6 | HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers | Administrators: Full; System: Full; Creator Owner: Full | |
    | 10.7 | HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities | Administrators: Full; System: Full; Creator Owner: Full | |
    | 10.8 | HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Ratings | Administrators: Full; Users: Read | |
    | 10.9 | HKLM\Software\Microsoft\MSDTC | Administrators: Full; System: Full; Network Service: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Permissions; Users: Read | |
    | 10.10 | HKU\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots | Administrators: Full; System: Full; Users: Read | |
    | 10.11 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit | Administrators: Full; System: Full; Users: Read | |
    | A-11 | | | |
    | 11.1 | HKLM\Software\Microsoft\DrWatson\CreateCrashDump | 0 | |
    | 11.2 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto | 0 | |


    | 11.3 | HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | 255 | |
    | 11.4 | HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | 255 | |
    | 11.5 | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon | 0 | |
    | 11.6 | HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot | 0 | |
    | 11.7 | HKLM\System\CurrentControlSet\Services\Cdrom\Autorun | 0 | |
    | 11.8 | HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks | 0 | |
    | 11.9 | HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset | 1 | |
    | 11.10 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | 2 | |
    | 11.11 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect | 0 | |
    | 11.12 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | 0 | |
    | 11.13 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery | 0 | |
    | 11.14 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime | 300000 | |
    | 11.15 | HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | 1 | |
    | 11.16 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery | 0 | |
    | 11.17 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect | 2 | |
    | 11.18 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen | 100 | |
    | 11.19 | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried | 80 | |
    | 11.20 | HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt | 1 | |


    | 11.21 | HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden | 1 | |
    | 11.22 | HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode | 1 | |
    | | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType | | Disables the XP-style Welcome logon screen and reverts to the "classic" Windows 2000 logon screen. |
    | A-12 | | | |
    | 12.1 | HKLM\Software | Everyone: Failures | |
    | 12.2 | HKLM\System | Everyone: Failures | |
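A machine's exported local policy can be compared against rows of Appendix A automatically. The Python below is an added example, not part of the UCOP document: it assumes the policy was exported as a security template with `secedit /export /cfg`, maps rows from A-1 to A-4 onto that template's key names, uses exact-match comparison as a simplification, and runs on a constructed sample export. Row 1.2 is left out because the page gives the value 0 without saying how it appears in an export.

```python
# Appendix A rows expressed as security-template keys: key -> (row, required value).
# In [Event Audit], 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success, Failure.
NUMERIC_BASELINE = {
    "System Access": {
        "PasswordHistorySize": ("1.1", 24),
        "MinimumPasswordAge": ("1.3", 1),
        "MinimumPasswordLength": ("1.4", 12),
        "PasswordComplexity": ("1.5", 1),
        "ClearTextPassword": ("1.6", 0),
        "LockoutDuration": ("2.1", 15),
        "LockoutBadCount": ("2.2", 10),
        "ResetLockoutCount": ("2.3", 15),
    },
    "Event Audit": {
        "AuditAccountLogon": ("3.1", 3),
        "AuditAccountManage": ("3.2", 3),
        "AuditDSAccess": ("3.3", 0),
        "AuditLogonEvents": ("3.4", 3),
        "AuditObjectAccess": ("3.5", 3),
        "AuditPolicyChange": ("3.6", 1),
        "AuditPrivilegeUse": ("3.7", 2),
        "AuditProcessTracking": ("3.8", 0),
        "AuditSystemEvents": ("3.9", 1),
    },
}

# A-4 rows whose requirement is "None" or "Remove all entries": no holder allowed.
EMPTY_RIGHTS = {
    "SeNetworkLogonRight": "4.1",
    "SeTcbPrivilege": "4.2",
    "SeRemoteInteractiveLogonRight": "4.5",
    "SeCreateTokenPrivilege": "4.10",
    "SeCreatePermanentPrivilege": "4.11",
    "SeDebugPrivilege": "4.12",
    "SeRemoteShutdownPrivilege": "4.19",
    "SeLockMemoryPrivilege": "4.23",
}


def parse_inf(text):
    """Parse a security template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def audit(sections):
    """Return (row, key, required, actual) for every deviation, ordered by row."""
    findings = []
    for section, rules in NUMERIC_BASELINE.items():
        present = sections.get(section, {})
        for key, (row, required) in rules.items():
            actual = present.get(key)
            if actual is None:
                findings.append((row, key, required, "not set"))
            elif not actual.lstrip("-").isdigit() or int(actual) != required:
                findings.append((row, key, required, actual))
    rights = sections.get("Privilege Rights", {})
    for key, row in EMPTY_RIGHTS.items():
        holders = rights.get(key, "")
        if holders:  # an absent or empty entry means nobody holds the right
            findings.append((row, key, "", holders))
    return sorted(findings, key=lambda f: [int(part) for part in f[0].split(".")])


# Constructed sample export with five deliberate deviations.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege =
"""

if __name__ == "__main__":
    for row, key, required, actual in audit(parse_inf(SAMPLE_INF)):
        print(f"{row:>5} {key}: required {required!r}, found {actual!r}")
```

Real exports are normally UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `parse_inf`.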


    Appendix B: Sample Incident Response Check List

    Campus incident response procedures will vary to some extent, depending on the organization of the business functions, information technology, public information, law enforcement, etc. In general, all incident response procedures would include the following elements.

    Ensure that the right people are involved. At a minimum, the incident response team includes: the affected system's proprietor and custodian, the campus IT security and policy officers, the campus Chief Information Officer, and the Associate Vice President Information Resources and Communications (UCOP) if public disclosure is required. In some circumstances, other campus experts may need to be involved (e.g. Chancellor's office, campus police, legal counsel, public affairs, risk management, internal audit, the campus payment card coordinator, the campus HIPAA security officer, or national and international IT security organizations (e.g., the US CERT)).

    Secure the area. Electronic evidence can be very perishable and can be easily destroyed, resulting in an inability to prosecute or inability to determine if personal information was compromised. Secure the scene and all the persons on the scene, then visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. Take care not to alter the condition of any electronic device: If it is off, leave it off. If it is on, leave it on. Inventory and evaluate the scene and then formulate a plan.

    Incident Response Process Steps: Incident response processes are unpredictable. For this reason, proper documentation at every stage in the process is essential.

    1. Notify. Provide initial notification of the breach to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, and any other people required by the circumstances. Provide updates as appropriate throughout the incident response process.

    2. Assess the need for forensic investigation. The factors to consider include the potential value of forensic information vs. the immediate need to protect and restore University resources and services. It may be necessary to delay subsequent steps until an appropriate criminal investigation has been conducted.

    3. Regain control. Once required forensic information has been collected, regain control of the compromised system. This may include network disconnection, process termination, a reboot, etc.

    4. Analyze the intrusion. Understand the nature of the intrusion and its impact on information and process integrity. Determine if restricted information may have been acquired by unauthorized individuals. Determine what address information is available for individuals whose data may have been acquired by unauthorized individuals.

    5. Document results of analysis. Prepare a report on the nature of the incident, the nature of the information that has been compromised, the numbers of individuals affected, address information on impacted individuals.

    6. Submit report. Notify the campus IT leadership, executive managers, legal counsel, and the Associate Vice President Information Resources and Communications if there is a possibility that public disclosure will be required.

    7. Recover from the intrusion. Perform whatever steps are needed to restore the integrity of the affected information and processes.


    8. Correct system or application vulnerabilities. Correct the condition that allowed the intrusion to occur.

    9. Restore the service. Once everything is complete, service can be restored.

    10. Assemble team to determine if notification is required. Work with executive management to determine whether to make public disclosures. Determining the Threshold for Security Breach Notification (http://www.ucop.edu/irc/itsec/security_breach_notification.pdf) contains issues that should be considered when evaluating the incident and determining whether to notify affected individuals in compliance with California's security breach notification requirement. Campus counsel and public affairs should be included in the determination evaluation.

    11. Close the incident. Ensure notification of the incident's final resolution to the affected system's proprietor and custodian, the campus IT security and compliance/policy officers, the campus IT leader, the Associate Vice President Information Resources and Communications, and any other individuals who should be engaged in this process.
