The document discusses establishing security controls and procedures for information systems assets at a university. It describes identifying critical university assets, risks to those assets, and controls to mitigate risks. The document recommends a process for prioritizing assessing risks and costs/benefits of controls for each asset to make informed investment decisions.

1. Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 [email_address] 540-231-9523 JCSC 2000

25. Incident Handling: Protect and Proceed? - Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC2196) - the protection and preservation of site facilities - return to normal operations as soon as possible - actively interfere with intruder attempts - begin immediate damage assessment and recovery Use if: - assets are not well protected - continued penetration could result in financial risk - possibility or willingness to prosecute is not present - user community is unknown - unsophisticated users and their work is vulnerable - the site is vulnerable to lawsuits from users if their resources are undermined

26. Incident Handling: Pursue and Prosecute? - allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies - Use if: - system assets are well protected - good backups are available - Asset risks are outweighed by risk of future penetrations - it's a concentrated and frequent attack - the site has a natural attraction to intruders, e.g. university, bank - the site is willing to spend the money and risk to catch the guy - intruder access can be controlled - well-developed monitoring tools are available - you have a technically competent support staff - management is willing to prosecute - system administrators know in general what evidence will aid in prosecution - there is established contact with law enforcement agencies - the site has involved their legal staff