Security Information

2009 Security Awareness Poster Contest 2009 Advanced Technical Security Symposium Security Series Web Seminars Security Awareness Services Blackhole DNS E-mail Virus and Spam Filtering Good Net Neighbor Service - Phase 1 Good Net Neighbor Service - Phase 2 Internet Content Filtering Remote Vulnerability Assessment Service Incident Response Incident Response Online Incident Report Security Tools and Documents Security Tools Security Policies and Presentations Security Contact Information E-mail: security@more.net Phone: 1-800-509-6673 Fax: +1-573-884-7699 Security Policies Contents Status of this Document Abstract 1.0 Introduction 2.0 MOREnet Security Team 3.0 Team Coordination 4.0 Incident Response 5.0 AUP Incident Response Protocols

MOREnet Security Services Policies

Status of this Document

This MOREnet Security Services Policies begins implementation of a comprehensive MOREnet security policy in line with Internic's recommended policies. Its sources include Internic's RFC 2196 (Site Security Policy) and draft-ietf-ssh-users-03.txt(Users' Security Handbook). The current version of the MOREnet Security Services Policies are maintained at http://www.more.net/security/materials/secpol.html.

Abstract

This document codifies MOREnet practices and procedures used to implement MOREnet's Acceptable Use Policy and Security Services Policies. It also provides guidance to MOREnet customer administrators who are developing computer security policies and procedures for sites that have systems on the Internet. This policy's secondary purpose is to provide practical guidance to MOREnet customer administrators trying to secure their information and services.

1.0 Introduction

As the Internet has grown exponentially over the last several years the number of reported security incidents relating to Internet connectivity has grown at a similar pace. MOREnet customers expect MOREnet to be aware of security issues and to respond to security incidents on their behalf. The number of customers seeking MOREnet response will continue to grow, as will the level of service required by customers, as concerns over security and actual compromises in security increase.

To meet these growing needs and expectations, MOREnet has identified three services addressing Internet security:

1. Security Incident Response Team — Provide response for MOREnet customers to security incidents involving system, server or network infrastructure attacks or compromises.
2. Security Consulting — Provide MOREnet customers with advice and recommendations for general security implementations for their local network servers, infrastructure and procedures.
3. Internet Security Training/Seminars — Conduct and sponsor training sessions or seminars on Internet security topics, best practices and specific technologies such as firewalls or file encryption.

1.1 Purpose of Security Policy

MOREnet's Acceptable Use Policy (AUP) is a companion document to this Security Services Policies document. The Acceptable Use Policy spells out what customers shall and shall not do on the various components of the system, including the type of traffic allowed on the networks. The Security Services Policies internally inform MOREnet staff and managers of the day-to-day implementation of the Acceptable Use Policy in protecting technology and information assets. These two policies also cover incidents when someone outside MOREnet is injured by or interferes with MOREnet-related network activities. Finally, these policies inform MOREnet customers of the mechanisms through which the AUP and Security Services Policies are complied with and enforced.

1. Security Defined: For the purposes of this document, "Security" refers to the integrity of MOREnet owned and/or operated systems, servers and network infrastructure.
2. Acceptable Use Concerns: Some incidents may not involve the integrity of MOREnet owned and/or operated systems, servers, processes and/or network infrastructure. On the other hand, some security incidents may involve non-MOREnet participants. Due to the overlapping areas of concern and the level of expertise required, MOREnet's Security Team is tasked with investigation of both security and AUP concerns. Policies and procedures referred to in this Policy are intended to cover both AUP and Security related incidents.
3. MOREnet's Acceptable Use Policy (AUP), referred to throughout this document, is located at http://www.more.net/about/policies/aup.html.

1.2 Delivery of Security & Acceptable Use Services

MOREnet is committed to certain principles for delivering these services. They include:

1. Confidentiality — Security incidents, consultations or ISREs will be held in strictest confidence by MOREnet staff. Security Incident Reports (SIR) and the resulting responses will not be made available to external organizations unless the customer specifically releases MOREnet to do so or the incident involves MOREnet property interests.
2. Proactive Notification — Security bulletins, advisories or other notifications will be made to MOREnet customers via secure methods to allow them to modify system or network configurations to protect against known security flaws.
3. Accuracy — Security information distributed by MOREnet should be complete, correct and reliable. Incident information will be thoroughly researched and checked by Incident Response Team members before being communicated. Sources of bulletins, advisories and notifications will be screened and clearly identified on distributions from MOREnet to customers.
4. Communication — Interaction among technical contacts at MOREnet customer sites is crucial to a successful security program. MOREnet staff will use secure methods to provide secure communications among customer Security Contacts. PGP is MOREnet's Incident Response Team (IRT)'s standard tool for secure communication with customers, other teams and authorities.

1.3 Availability of Services

MOREnet Security Services are available to all MOREnet customers. Incident response capabilities are part of MOREnet's Reference Desk services under the Membership and Project agreements with a customer. Consulting services are available to all MOREnet customers at the standard hourly rate. ISRE services will be delivered for a fee negotiated between the customer and MOREnet based on the depth and specific customer requirements.

1.4 Designated Contact Persons

MOREnet has identified the need for customer contacts for security matters. This contact will initially default to the Network Coordinator for MERC members, the Security Coordinator for the Missouri Express project, and the MC1 for CONNECT Project participants. Customers are strongly encouraged to change this contact to reflect the nature of their own local network security practices.

Some MOREnet participants have developed twenty-four hours a day, seven days per week security response teams. This practice is admirable, and should be emulated where possible. MOREnet does not require this capability, but its availability often helps to quickly resolve security incidents without interruption of a network.

1.4.1 Description of Security Contact Role

The person named should bear overall day-to-day responsibility for the network security of the customer. The person should be empowered to act to safeguard the network, and should have access to the expertise to make necessary changes without undue delay. The person need not have the expertise themselves, but should be able to bring appropriate expertise to bear on a problem quickly (i.e., by telephone or pager).

The Security Contact need not provide their own email address if the customer has an alternative RFC 2196 recognized emergency contact that is regularly monitored (i.e., abuse@host, hostmaster@host, noc@host, security@host). The alternative address is preferred when available.

The Security Contact need not provide their own telephone number if the customer has developed an alternative regularly monitored telephone point of contact such as a "hot pager" with shared responsibility in a networking group. The alternative telephone number is preferred when available.

The Security Contact should, if possible, be familiar with and have installed PGP or PGPmail for secured communications. On notification that a Security Contact has a PGP key, MOREnet's Security Team will on verification sign the contact's public key. Instructions for downloading and installing PGP are provided on MOREnet's web site at http://www.more.net/security/.

The Security Contact must be an employee of the customer. No outside consultants are permitted as a Security Contact, to eliminate delays in action or approval. The Security Contact is free to refer technical questions to an outside consultant for technical assistance.

1.4.2 MOREnet Responsibilities to Security Contact

The Security Contact will be MOREnet's preferred point of contact with a customer on security matters. Only in the event a Security Contact is not available or responsive will attempts be made to reach other contacts.

MOREnet will forward relevant notices of security vulnerability and advisories, software bugs affecting security, notices of available security related training and quarterly summaries of security statistics to the Security Contact.

Back to top

2.0 MOREnet Security Team

2.1 Team Resources

MOREnet has identified internal resources to deliver Security and Acceptable Use investigative services. These resources have been combined into MOREnet's Security Team, a working group of staff who are knowledgeable in areas of supported network operating systems, network servers and network infrastructure (routers, gateways, firewalls, etc.). The Security Team will respond to reported MOREnet security incidents, conduct proactive training sessions and seminars, and provide consulting and ISRE services.

A library of security resources will be created as well as examples of security policies, procedure documents, and other documents beneficial to MOREnet customers concerned with increasing levels of security on their systems and networks. These publications will be updated frequently, and documents made available to MOREnet customers as copyright permits.

MOREnet will maintain software and other resources on the secured ftp server for customer access. Security programs and files will have authentication checks for customer verification of the integrity of the software file. The Security Team will build and maintain a knowledge base gathered from various Internet news groups, publications and peers, and use this resource to deliver the services identified above. Open access to this knowledge base will not be allowed.

2.2 General Team Composition

The MOREnet Security team is responsible for MOREnet's implementation of security measures on internal and shared resources. Specifically, this group's responsibilities include:

• Coordination of implementation and tracking of MOREnet's security protocols and procedures.
• Oversight of system and network configuration security of all shared and backbone servers, routers and other devices.
• Coordination of internal network server and network device configuration security including routing, filtering and other configurations.
• Coordination of implementation of MOREnet's ongoing Continuous Security Improvement program.

2.3 Security Coordinator

MOREnet has identified a Security Coordinator to administer security services. The Security Coordinator's responsibilities include:

• Coordination of the Security Team, including:
• Team composition for resolution of a specific incident
• Identifying and coordinating training of team members
• Identifying and coordinating professional development opportunities related to security topics
• Coordination of response to Security Incident Reports (SIR) from customers and external sources
• Coordination of ISRE services and negotiation with customers
• Coordination of security consulting services and negotiation with customers
• Interacting with external teams and security groups, and law enforcement organizations when appropriate
• Coordination of security-related training sessions and seminar offerings for customers
• Maintenance of internal MOREnet protocols and procedures for SIRs and service requests
• Report to the MOREnet Management Team, Executive Committee and State Projects Steering Committee to review security services provided

Back to top

3.0 Team Coordination

3.1 Coordination with CERT

MOREnet cooperates with the Computer Emergency Response Team (CERT) located at Carnegie Melon University for reporting and resolution of security incidents. The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs identified during the "Internet Worm" incident, a malicious program that shut down about 6,000 government and university computers.

The CERT charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts; to take proactive steps to raise the community's awareness of computer security issues; and to conduct research targeted at improving the security of existing systems.

1. MOREnet will regularly report summaries of security reports and resolutions to CERT for inclusion in CERT reports. These reports will include information on all incidents, but include only specific data about the incident(s) which has been authorized for release by the customer reporting. Any reports to CERT, MOREnet committees or other external sources will not identify specific customers, nor will the reports be generated in such a manner that specific customers could be identified unless the customer specifically releases MOREnet to do so.
2. The MOREnet Security Coordinator will create a quarterly summary report of all security incident reports for inclusion in MOREnet reports. This report will not disclose any customer information that may be used to identify the customer.

3.2 Reporting Incidets to Outside Authorities

Reporting of incidents to appropriate authorities is solely at the customer's option, except MOREnet reserves the right to report incidents involving MOREnet property interests. MOREnet will not report incidents or information about other incidents to appropriate authorities unless the customer has specifically released MOREnet to do so.

1. Releases given to MOREnet to permit release of security incident related information can be written, faxed or delivered by e-mail. Such releases must be signed by an authorized individual of the involved institution. In the event of a security incident where the IRT believes e-mail security may have been compromised, a written or fax authorization may be required at the discretion of the Security Manager or Security Coordinator.
2. For incidents when MOREnet does not have a customer release to discuss the information and that do not involve MOREnet property interests, MOREnet will not release, communicate or transfer any information of a specific incident obtained as a result of investigation into that incident without a lawfully executed subpoena or judge's order. Requests from law enforcement or other authorities will be denied without the customer's release or the above legal orders.
3. MOREnet will cooperate fully with all law enforcement or other authorities to investigate and resolve incidents on a customer's behalf. A customer may elect to report the incident to the appropriate authority, and then turn over the incident to MOREnet for coordination with the authority. All contact with and communication between authorities and MOREnet are confidential and may be shared only with appropriate MOREnet staff and the customer.
4. Information disclosed to MOREnet's IRT during the course and scope of an investigation is confidential in nature. Release to other parties will be made only as necessary to resolve an incident, and does not release other parties to disclose that information outside the MOREnet-information recipient relationship.
5. Receipt of a release does not constitute a waiver of any rights held by MOREnet or the University of Missouri to its work product and/or property, and does not guarantee MOREnet will release any such materials.
6. All inquiries regarding requests for information and/or information release shall be directed to MOREnet's Communications Officer, whose public e-mail address is info@more.net. E-mail queries about general public information will be honored, but no request for disclosure of confidential materials outside the course and scope of incident resolution will be honored.

Back to top

4.0 Security Incident Response

4.1 Incident Response Goals

These goals may be prioritized differently depending on the nature of the incident. Objectives for dealing with incidents include:

1. Figure out how it happened.
2. Find out how to avoid further exploitation of the same vulnerability.
3. Avoid escalation and further incidents.
4. Assess the impact and damage of the incident.
5. Recover from the incident.
6. Update policies and procedures as needed.
7. Find out who did it (if appropriate and possible).
8. Take actions to prevent and/or deter the action from recurring.
9. Document the incident and preserve evidence where possible, for reporting purposes and effective resolution of an incident.

Depending on the nature of the incident, there may be a conflict between analyzing the original source of a problem and restoring systems and services. Overall goals (such as maintaining the operation of critical systems) may supersede the goal of detailed analysis of an incident. It remains the customer's decision, but all involved parties must be aware that without analysis the same incident may happen again.

4.2 Security Incident Response Priorities

Actions to be taken during an incident should be prioritized before an incident occurs. An incident may be so complex that it is impossible to respond to everything at once, so priorities are essential.

An important implication for defining priorities is that once human life and national security considerations have been addressed, it is generally more important to save data than to save system software and hardware. Although it is undesirable to have any damage or loss during an incident, systems can be replaced. However, the loss or compromise of data (especially classified or proprietary data) is usually not an acceptable outcome.

Another important concern is the effect on others, beyond the systems and networks where the incident occurs. Within the limits imposed by government regulations it is always important to inform affected parties as soon as possible. Due to the legal implications, it should be included in planned procedures to avoid delays and uncertainties for administrators.

1. Protect human life and safety; human life always has precedence over all other considerations.
2. Protect classified and/or sensitive data. Prevent exploitation of classified and/or sensitive systems, networks or sites. Inform affected classified and/or sensitive systems, networks or sites about penetrations, bearing in mind local, state and federal laws and regulations.
3. Protect other data, including proprietary, scientific, managerial and other data, because loss of data is costly. Prevent exploitation of other systems, networks or sites and inform affected systems, networks or sites about successful penetrations.
4. Prevent damage to systems (for example, loss or alteration of system files, damage to disk drives, etc.). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources (including processes). In many cases it is better to shut a system down or disconnect from a network than to risk damage to data or systems. Sites must evaluate the trade-off between shutting down and disconnecting, and staying up. The damage and scope of an incident may be so extensive that the MOREnet infrastructure is compromised and mandates a shutdown.

4.3 Customer Security Incident Response Obligations

All MOREnet customers have an obligation to comply with MOREnet's Security Services Policies. MOREnet Member Representatives are responsible for ensuring organizational compliance, including the customer's responsibility to conduct reasonable investigation on request by the MOREnet Security Coordinator or Manager, report the findings of those investigations within a reasonable time and take reasonable action to cure any breach of the Security Services Policies.

4.4 Security Report Tracking

When a report of an alleged Security incident is received, a MOREnet staff member will immediately enter a tracking report in a secure database or refer the matter to the Reference Desk for initial investigation and creation of a secured tracking report. MOREnet's AUP is located at http://www.more.net/about/policies/aup.html.

4.5 Security Notification

The Security Manager and Security Coordinator are notified of the creation of an Security related tracking report. Should the event occur outside regular office hours, the reporting person will call the security pager.

4.6 Security Incident Response Team Composition

The Security Manager and Security Coordinator will assign team members with appropriate expertise to handle varying stages of each incident, with the Security Coordinator handling coordination of team members and investigation.

4.7 Security Reporting Model

Team members will use the MOREnet Incident Response Form located at http://www.more.net/security/incident/incident.html as a data gathering model.

4.8 Secure Handling of Security Investigative Results

Team members, bearing in mind the need to preserve all relevant logs, communications and other electronic evidence of an alleged Security violation, will place all such electronic notes in a secured database to which only Security Team members have access. Any hardcopy documents, fax communications or other evidence not suitable for storage in this database shall be secured under lock in a location designated by the Security Manager or Coordinator, and a log established to preserve a chain of custody.

4.9 Security Investigation

Team members will establish or disprove the existence of a bona fide AUP or Security incident. Team members, after investigation and based on professional expertise in consultation with other team members, involved institutions and CERT, will recommend action to the involved institution(s)to end the incident or reduce future vulnerability. Team members, within the confines of the MOREnet Product Support matrix, will assist the affected institution(s) in closing the incident or reducing future vulnerability.

4.10 Interim Security Safeguards

Team members may certify to the Security Manager that a present threat exists to other institutions or individuals or institutions outside the affected institution. The Security Manager or Coordinator will inform the appropriate Project Manager(s) of such an occurrence. In such a case, the Security Manager or Coordinator will approve appropriate interim measures to safeguard the interests of affected institutions and inform the appropriate MOREnet Project Manager of those actions.

1. When devising interim safeguards, as time permits, the Security Manager or Coordinator will consult the appropriate MOREnet Project Manager(s)for appropriate interim measures.
2. Interim measures will balance least intrusive alternatives against the nature and severity of security breaches, and may include blocking a site's network traffic at the MOREnet hub router in exigent circumstances.

4.11 Security Incident Closure

Team members will report the end of an incident to the Security Coordinator, who will request an incident letter from the appropriate institution(s). The incident letter must be hardcopy and signed by an authorized individual of the appropriate institution. The incident letter must be received by MOREnet Security within ten (10) working days of request. If the letter is not received within that time, a second request will be made, and the letter must be received within five (5) working days of the second request. If no letter is received within five (5) working days of the second request, the Security Manager or Coordinator may escalate the incident to the appropriate Project Manger for disciplinary purposes. This letter, at minimum, must include:

1. Date and nature of the incident's initiation.
2. Names of institutions involved.
3. Nature of the incident, including the nature of exploitation where applicable.
4. Date of incident's closure.
5. How the incident was resolved.
6. General nature of any disciplinary actions taken.
7. Type and nature of actions taken to end the incident or reduce future vulnerability to this type of exploitation.

4.12 Security Safeguards in Event of Noncompliance

In the event a MOREnet customer does not respond within a reasonable time to Security Team requests, is uncooperative or declines to ease or remedy an established Security violation, the Security Manager or Coordinator will take interim, non-disciplinary measures to safeguard the interests of affected institutions as discussed above and inform the appropriate MOREnet Project Manager of those actions. The Security Manager or Coordinator will then send a certified letter, return receipt requested, to the unresponsive institution. If there is no response or the incident/vulnerability continues unabated for five (5) working days after receipt of the letter, the Security Manager or Coordinator refer the incident to the appropriate Project Manager for disciplinary action while maintaining interim safeguards.

Back to top

5.0 Acceptable Use Policy Incident Response

5.1 AUP Incident Response Goals

These goals may be prioritized differently depending on the nature of the incident. Objectives for dealing with incidents include:

1. Figure out how it happened.
2. Find out how to deter or prevent the action from recurring.
3. Avoid escalation and further incidents.
4. Assess the impact and damage of the incident.
5. Bring the parties back into compliance with the AUP.
6. Update policies and procedures as needed.
7. Find out who did it (if appropriate and possible).
8. Take actions to prevent and/or deter the action from recurring.
9. Document the incident and preserve evidence where possible, for reporting purposes and effective resolution of an incident.

Depending on the nature of the incident, there may be a conflict between analyzing the original source of a problem and restoring systems and services. Overall goals (such as maintaining the operation of critical systems) may supersede the goal of detailed analysis of an incident. It remains the customer's decision, but all involved parties must be aware that without analysis the same incident may happen again.

5.2 AUP Incident Response Priorities

Actions to be taken during an incident should be prioritized before an incident occurs. An incident may be so complex that it is impossible to respond to everything at once, so priorities are essential.

An important implication for defining priorities is that once human life and national security considerations have been addressed, it is generally more important to save data than to save system software and hardware. Although it is undesirable to have any damage or loss during an incident, systems can be replaced. However, the loss or compromise of data (especially classified or proprietary data) is usually not an acceptable outcome.

Another important concern is the effect on others, beyond the systems and networks where the incident occurs. Within the limits imposed by government regulations it is always important to inform affected parties as soon as possible. Due to the legal implications, it should be included in planned procedures to avoid delays and uncertainties for administrators.

1. Protect human life and safety; human life always has precedence over all other considerations.
2. Protect classified and/or sensitive data. Prevent exploitation of classified and/or sensitive systems, networks or sites. Inform affected classified and/or sensitive systems, networks or sites about penetrations, bearing in mind local, state and federal laws and regulations.
3. Protect other data, including proprietary, scientific, managerial and other data, because loss of data is costly. Prevent exploitation of other systems, networks or sites and inform affected systems, networks or sites about successful penetrations.
4. Prevent damage to systems (for example, loss or alteration of system files, damage to disk drives, etc.). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources (including processes). In many cases it is better to shut a system down or disconnect from a network than to risk damage to data or systems. Sites must evaluate the trade-off between shutting down and disconnecting, and staying up. The damage and scope of an incident may be so extensive that the MOREnet infrastructure is compromised and mandates a shutdown.

5.3 Customer AUP Incident Response Obligations

All MOREnet customers have an obligation to comply with MOREnet's Acceptable Use Policy. MOREnet Member Representatives are responsible for ensuring organizational compliance, including the customer's responsibility to conduct reasonable investigation on request by the MOREnet Security Coordinator or Manager, report the findings of those investigations within a reasonable time and take reasonable action to cure any breach of the Security Services Policies.

5.4 AUP Report Tracking

When a report of an alleged Acceptable Use Policy (AUP) violation is made to MOREnet, a MOREnet staff member will immediately enter a tracking report in a secure database or refer the matter to the Reference Desk for initial investigation and creation of a secured tracking report. MOREnet's AUP is located at http://www.more.net/about/policies/aup.html.

5.5 AUP Notification

The Security Manager and Security Coordinator are notified of the creation of an AUP related tracking report. Should the event occur outside regular office hours, the reporting person will call the security pager.

5.6 AUP Incident Response Team Composition

The Security Manager and Security Coordinator will assign team members with appropriate expertise to handle varying stages of each incident, with the Security Coordinator handling coordination of team members and investigation.

5.7 AUP Reporting Model

Team members will use the MOREnet Incident Response Form at http://www.more.net/security/incident/incident.html as a data gathering model.

5.8 Secure Handling of AUP Investigative Results

Team members, bearing in mind the need to preserve all relevant logs, communications and other electronic evidence of an alleged AUP violation, will place all such electronic notes in a secured database to which only Security Team members have access. Any hardcopy documents, fax communications or other evidence not suitable for storage in this database shall be secured under lock in a location designated by the Security Manager or Coordinator, and a log established to preserve a chain of custody.

5.9 AUP Investigation

Team members will establish or disprove the existence of a bona fide AUP incident. Team members, after investigation and based on professional expertise in consultation with other team members, involved institutions and CERT, will recommend action to the involved institution(s) to end the incident or reduce future vulnerability. Team members, within the confines of the MOREnet Product Support matrix, will assist the affected institution(s)in closing the incident or reducing future vulnerability.

5.10 Interim Acceptable Use Safeguards

Team members may certify to the Security Manager that a present threat exists to other institutions or individuals or institutions outside the affected institution. The Security Manager or Coordinator will inform the appropriate Project Manager(s) of such an occurrence. In such a case, the Security Manager or Coordinator will approve appropriate interim measures to safeguard the interests of affected institutions and inform the appropriate MOREnet Project Manager of those actions.

1. When devising interim safeguards, as time permits, the Security Manager or Coordinator will consult the appropriate MOREnet Project Manager(s)for appropriate interim measures.
2. Interim measures will balance least intrusive alternatives against the nature and severity of Acceptable Use Policy breaches, and may include blocking a site's network traffic at the MOREnet hub router in exigent circumstances.

5.11 Acceptable Use Policy Incident Closure

Team members will report the end of an incident to the Security Coordinator, who will request an incident letter from the appropriate institution(s). The incident letter must be hardcopy and signed by an authorized individual of the appropriate institution. The incident letter must be received by MOREnet Security within ten (10) working days of request. If the letter is not received within that time, a second request will be made, and the letter must be received within five (5) working days of the second request. If no letter is received within five (5) working days of the second request, the Security Manager or Coordinator may escalate the incident to the appropriate Project Manger for disciplinary purposes. This letter, at minimum, must include:

1. Date and nature of the incident's initiation.
2. Names of institutions involved.
3. Nature of the incident, including the nature of exploitation where applicable.
4. Date of incident's closure.
5. How the incident was resolved.
6. General nature of any disciplinary actions taken.
7. Type and nature of actions taken to end the incident or reduce future vulnerability to this type of incident.

5.12 Safeguards in Event of AUP Noncompliance

In the event a MOREnet customer does not respond within a reasonable time to Security Team requests, is uncooperative or declines to ease or remedy an established AUP violation, the Security Manager or Coordinator will take interim, non-disciplinary measures to safeguard the interests of affected institutions as discussed above and inform the appropriate MOREnet Project Manager of those actions. The Security Manager or Coordinator will then send a certified letter, return receipt requested, to the unresponsive institution. If there is no response or the incident/vulnerability continues unabated for five (5) working days after receipt of the letter, the Security Manager or Coordinator refer the incident to the appropriate Project Manager for disciplinary action while maintaining interim safeguards.

Back to top