
7.4 Network Take-down and Vulnerability Scanning

Policy

Network managers are authorized by the University to run vulnerability scans in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take action in the absence of action by the operators of a compromised computer.

Discussion

The operators of school or University networks should run intrusion detection and other vulnerability assessment systems to scan for signs of network-based attacks on computers connected to the networks.

Operators of school or University networks should also conduct vulnerability scans of computers connected to their networks to be sure that security vulnerabilities are detected, reported, and remediated.

In cases of emergency, network operators may act to block some or all network traffic to or from a computer that the operators have reason to think may be specifically vulnerable to attack, may be under attack, or may have been compromised, or to disconnect the computer from the network, as approved by school or University senior management.

The response to a security incident should consistently follow a predetermined checklist that includes steps to end the incident, preserve forensic data, repair the damage, prevent a repeat attack, and scan for new vulnerabilities. Note that any potential breach in a system containing or processing high-risk confidential information needs to be reported as soon as possible. (See Section 9.2: Reporting Security Breaches [1].)

Where a school's network is not operated by the school, all monitoring, scanning, and blocking should be done in consultation with the school's CIO or network manager.

© 2009 President and Fellows of Harvard College.
 



Source URL (retrieved on 11/25/2009 - 02:35): http://www.security.harvard.edu/enterprise-security-policy/7-computers-and-servers/policies-7_4

Links:
[1] http://www.security.harvard.edu/enterprise-security-policy/9-federal-regulatory/policies-9_2