Procedures for Blocking Network Access

Purpose

Central campus network and security personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources or the Internet. If the threat is deemed serious enough, the computer(s) posing the threat will be blocked from network access. In addition, the Information Security and Policy (ISP) office is responsible for enforcing the campus Minimum Security Standards for Networked Devices and will block from the network any hosts found to be out of compliance with these standards. These guidelines specify how the decision to block is made and the procedures involved.

These guidelines were developed in compliance with the UC Electronic Communications Policy: http://www.ucop.edu/ucophome/policies/ec/html/pp081805ecp.html.

Guidelines

Central campus network and security personnel have the authority to evaluate the seriousness and immediacy of any threat to campus information system resources or the Internet and to take action to mitigate that threat. Action that is taken will be responsible and prudent based on the risk associated with that threat and the potential negative impact to the campus mission caused by making the offending system inaccessible. Based on these criteria, threat risks will be assigned to one of three categories: urgent, non-urgent, and out-of-compliance. Examples of threats in each category include, but are not limited to:

Urgent

  • The level of network activity is large enough to cause serious degradation in the performance of the network
  • An attack on another computer or network has been launched
  • Confidential, private or proprietary electronic information or communications are being collected by unauthorized parties
  • System administrative privileges have been gained by an unauthorized party
  • Any threat exposing the university to serious legal or financial liability

Non-urgent

  • Host is receiving or listening for commands from an unauthorized party
  • Host is observed downloading malware code or other suspicious traffic
  • User (non-administrative) access is gained by an unauthorized party

Out-of-compliance

  • Operating systems and network services missing security patches
  • Services accepting plain-text authentication credentials
  • Open mail relays and unauthenticated proxy servers
  • Blank or vendor default administrative passwords
  • Any other violation of the campus Minimum Security Standards for Networked Devices

Any risks associated with systems identified in the Restricted Data Management application (http://rdm.berkeley.edu) as containing restricted data will be escalated and handled individually outside of these guidelines.

Procedures

Urgent threats

The offending system will be blocked immediately from the campus network and the departmental security contact(s) will be notified via email that the block has occurred.

Non-urgent threats

Notification of the threat will be sent to the departmental security contact(s) via email. If a response is not received within five (5) days indicating that the department is taking action to mitigate the threat, a second “courtesy” notice will be sent to the departmental security contact. The offending system will be blocked within two (2) days of the second notice unless a response is received indicating how the threat will be mitigated. If additional information indicating an urgent threat is collected during this period, the issue will be escalated and the offending system will be blocked immediately.

Out-of-compliance

Notification of the vulnerability will be sent to the departmental security contact(s) via email. If a response is not received within five (5) days indicating that the department is taking action to bring the system into compliance, a second “courtesy” notice will be sent to the departmental security contact. The offending system will be blocked within two (2) days of the second notice unless a response is received indicating that the machine is in compliance. If the system cannot be brought into compliance within this timeline, the departmental security contact and/or system administrator must file an exception to the Minimum Security Standards to avoid blocking.

In all cases, central campus network and security personnel will work with the departmental security contact(s) and/or the system administrator(s) to ensure that the system is properly re-secured. If a block has been put in place, it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.

Recourse

If a department feels that a computer has been inappropriately blocked, it may request a review of the decision by the Chief Information Officer. If, after the review, there is still a disagreement with the decision, it may be further reviewed by the Executive Vice Chancellor and Provost.