Incident Response - For Sysadmins

From Security Wiki
Revision as of 02:16, 7 March 2012 by Ssakai

Scope

The policy and procedure in this document applies to all individuals authorized to use SDSC's IT resources. The prescribed actions and processes described in this document apply to situations involving any SDSC Host (as defined in the SDSC Security Policy) as well as any of the IT resources provided by SDSC.

Note that this document does not authorize all affected individuals to act upon the procedures described here. The policy in this document authorizes actions for only specific roles. For those not included in those roles, this document is purely informational.

Background

After detection, incident response focuses upon two general activities: containment and eradication. Containment attempts to restrict the influence of an attacker while trying to learn the attacker's goals and methods. Eradication attempts to remove the attacker's influence and restore the affected systems to a secure state. Both activities require the oversight of security personnel as well as cooperation between security personnel, service administrators, and host administrators. However, containment places a greater emphasis on effort from security personnel, whereas eradication places a greater emphasis on effort from service and system administrators.

Incident response involves both activities, normally containment first and then eradication. Depending on the nature of the incident and the attack, however, one may take priority over the other.