MetaCentrum security policy
This topic explains concepts and procedures for resolving a security incident in MetaCentrum.
- Security incident & ndash ; suspicious behaviour of a service or a machine offered by MetaCentrum, administrator or user account abusing
- Security group & ndash ; a group of MetaCentrum administrators which supervises RT system and responds to all reports of a potential attack. Its main goal is coordination during an incident and preparing final report.
Administrator of a service or a machine offered by MetaCentrum has to report every incident which might potentially affect another server, machine or user identity in MetaCentrum.
Administrator of a service or a machine offered by MetaCentrum has to respond to every incident which contains his local resources, services or user identities in relation with MetaCentrum.
Security group has to react to every initiative of an incident which is reported to RT system.
All communication has to be done via email address firstname.lastname@example.org. An email creates new ticket in MetaCentrum RT system. Copy of information sent to CSIRT teams has to be also sent to the email adress. It would be great if you could send compressed source code of malfunction software as well.
Responsible persons during an incident are: administrator of machine, which was attacked and security team of MetaCentrum. The administrator has to provide all necessary information to security team via email (see Communication above). The security team has to prepare final report of the incident.
The email address mentioned in Communication above is read just by a few MetaCentrum administrators and delivered emails are not public. The RT system is authenticated. In the case of an exchange of very sensitive data (passwords, private user data) it is necessary to use a secure channel, which will be selected after consultation with the MetaCentrum security group (again through RT system).
Procedure at detecting an incident
- Detecting and report via RT system
- Initial analysis of the incident
- Restriction of further incident spreading
- A detailed analysis of origin of the incident
- Recovery from the incident
- Lessons from the incident
- Final report