Information Technologies Security Program

Information Technology Security Incident Response Plan

The University's Department of Information Technologies (DoIT) has established a team -- the Incident Response Team or IRT -- that responds to IT security incidents and reports and complaints about abuse of information technologies here.

The group investigates the problems reported and takes appropriate action to protect the members of the community and the University's resources. Members of this team include staff from many different areas within DoIT.  Whenever appropriate, the team may be expanded to include members from Internal Audit, Student Affairs, University Police, Human Resources or Academic Affairs, depending on the specific nature of the incident.

Each member of the DoIT IRT recognizes the often sensitive nature of both reports received and what is found during the course of an investigation. All members of the team will hold both reports and findings confidential consistent with both the letter and the spirit of the procedure described in this document, federal and state laws, and the rules of the disciplinary bodies involved.

Review of incidents frequently begins with reports received at the Help Desk (helpdesk@umw.edu or 540-654-2255) or by e-mail directed to the team's e-mail address, it-abuse@umw.edu.

The Department of Information Technologies is neither an investigative nor a disciplinary entity in its primary responsibilities. However, in cases where University resources and privileges are abused or otherwise threatened, the department will take appropriate steps.

DoIT system administrators who are members of the DoIT IRT may disable user accounts, interrupt computing processes or disable services at any time to safeguard University resources and protect University privileges. They may take these actions without prior approval if, in their best professional judgment, they need to do so to deal with immediate circumstances.  These actions must be reported to, and are subject to timely review by the Director of Information Technologies Security and the Vice President for Information Resources.  The vice president may authorize extending such actions to longer terms if necessary to safeguard University resources.

Generally, the team will work rapidly and collaboratively, mostly using e-mail to its members, to establish the nature of the incident and to develop an appropriate response that protects the University's resources and interests while eliminating (to the degree possible) the threat of recurrence.  Sometimes, to accomplish this goal, the technical staff may have to temporarily leave a system vulnerability open in order to identify the malicious person(s) behind the incident.  In all cases, the team will assume that it must notify appropriate authorities and preserve evidence.

How Investigations Work

Incidents that involve the University's on-line environment sometimes lead to investigations, which include the gathering of technical evidence. Those investigations may be managed by law enforcement officers, authorized government officials, or others outside of the University community; by the University's student Honor Committee or Judiciary Committee or by faculty conducting individual student-academic-issue investigations; or by University administrators in faculty or staff disciplinary investigations, depending on the nature of the incident and the role (i.e., faculty, staff or student) of the persons suspected of improper behavior. In such investigations, investigating officials may call on the DoIT IRT to provide technical information that may become evidence from computers owned and managed by DoIT.

Information that can be requested

Evidence in these investigations may involve computer usage information about individuals that is maintained on centrally-managed computers. Computer usage information about individuals includes two major types:

  • log information (generally referring to when a user's account was used in various contexts), and
  • content information (generally referring to content of materials stored in storage space tied to the account as well as "live" content generated or received by a person currently using the account).

After investigative officials have completed appropriate processes to authorize their requests, the DoIT IRT may be able to provide pertinent log information. Such records may show the connection of individual accounts to our host computers (called a connection log), and they may show delivery of a message from one individual's account to another or other similar usage information. These logs usually are available for a limited period of time before they are overwritten with more current log data.

Providing content information such as the contents of a mailbox, a file or a copy of a specific message within a mailbox raises more complex policy issues of privacy and academic freedom. From a technical perspective, it is also important for investigating officials to know that:

  • we keep backup copies of mailboxes for a limited period of time - while some individuals keep copies of all messages received on our central machines, others keep some messages there, and still others store no messages on the central machines after they have been delivered to a local machine. In any case, if a message was received by the recipient sufficiently long before the request, we may not be able to find a copy of it.
  • a message must reside in a mailbox or a file on one of our systems overnight for it to be available on a backup tape - if someone routinely reads and deletes messages from the server or keeps a file on the system for only a short period of time, it is possible that we have no record of the contents of that message/file.

Also understand that data we can provide from central computing systems in almost all cases will not establish with certainty the physical location of any person at any time. What it may establish is when an account was used and from what location.

How to request information

The procedures below reflect the sequence of steps necessary for investigating officials seeking computer usage information about individuals. All requests for access to the specific subtype of computer usage information that involves "content" will require additional review by the office of the University's counsel, who is a member of the staff of the Office of the Attorney General of the Commonwealth of Virginia.

Law Enforcement, Government Officials, and Others Outside the University Community

  • Law enforcement, government officials and others outside the University community usually will need to provide legal orders (normally search warrants) to obtain computer usage information. These documents should be delivered to:

Vice President for Information Resources
University of Mary Washington
George Washington Hall
1301 College Avenue
Fredericksburg, Virginia 22401-5300

Any such legal documents will be forwarded immediately to other appropriate University officials and to the Office of the Attorney General of the Commonwealth of Virginia in Richmond for review. Of course, the University and its employees will comply in timely fashion with any conditions included in a legal order.  To ensure that the abuse team preserves information that may be needed, you may wish to notify it-abuse@umw.edu in advance about your intent to request such information. When possible and feasible, advance discussion about the type of computer-usage information sought before a legal order is delivered may help to ensure that language included in the order is precise and appropriate to the technical environment at the University.

  • Be specific about what you request. A specific request will speed delivery of information to you and will provide you with information that is pertinent to your needs. Should you request information that covers a large time period, it will take us longer to gather the information and the volume of the information may preclude its being useful to you. Hence, a request for connection logs for the account of hypothetical individual mst3k between midnight on 7/1/2000 and noon on 7/2/2000 can be provided more quickly than a similar request that covers a week or more, assuming that your request is made within a time when we still have these records.
  • The DoIT IRT will release computing usage information to law enforcement, government officials, or others outside the University community only after it has been reviewed by the state Attorney General's Office, except in conditions where immediate delivery is mandated by legal order.
  • Unless otherwise instructed in the legal order, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

Honor and Judiciary Investigations and Faculty Conducting Individual Student-Academic-Issue Investigations

  • Representatives of the University's Honor or Judiciary processes, or faculty conducting individual student-academic-issue investigations, will file any request for computer usage information through the University's Vice President for Student Affairs, who will review it and instruct us about responding. To ensure that the DoIT IRT preserves information that may be needed, you may notify it-abuse@umw.edu in advance about your intent to request information. Should you contact a member of the DoIT IRT with a request, we will forward it to the University's Vice President for Student Affairs.
  • Be specific about what you request (see above).
  • The DoIT IRT will not provide computer usage information to representatives of the Honor or Judiciary processes or faculty conducting individual student-academic-issue investigations until we are notified by the University's Vice President for Student Affairs that the requestors have completed the appropriate processes. Requests for content information may require additional review by the state Attorney General's Office.
  • Unless otherwise instructed in the request we receive from the University's Vice President for Student Affairs, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

University Administrators in Faculty or Staff Disciplinary Investigations

  • University administrators investigating incidents as part of faculty or staff disciplinary processes will need to obtain appropriate authorization. For log information, appropriate authorization often will take the form of approval by the appropriate dean for teaching faculty or by the relevant vice president, dean or director for administrative or professional faculty or staff. To ensure that the DoIT IRT preserves information that may be needed, notify it-abuse@umw.edu of your intent to request information as soon as you know you need it.
  • The DoIT IRT will not provide log information to University administrators investigating incidents as part of faculty or staff disciplinary processes until we have received appropriate approval to do so. Requests for content information will be handled in accord with relevant University policy (see http://www.umw.edu/policies/web/monitoring_employee_electr/).
  • Unless otherwise instructed in the request we receive, we will inform the persons whose accounts were associated with the requested information that the information was requested and provided, and we will report to them the name of the investigating entity.

[Adapted from similar materials at the University of Virginia]