...
The following table describes the actions to be taken when an incident potentially affecting EGI users, data, services, infrastructure is suspected. Administrators are recommended to take note of every action (with timestamp) they take, for later analysis or legal cases.
| Step | Action | Deadline |
|---|---|---|
| 1 | Inform your local security team, your NGI Security Officer and the EGI CSIRT via abuse@egi.eu. You are encouraged to use the recommended templates. | Within 4 hours of discovery |
| 2 | In consultation with your local security team and the EGI CSIRT, act to isolate the compromised systems and contain the incident whilst preserving forensic data. Take a snapshot of affected VMs. Isolate at the network level if possible. Do NOT reboot or power off hosts. Do NOT destroy VMs. Physically disconnect systems from the network ONLY where other options are not available. | Within 1 day of discovery |
| 3 | Together with your local security team and the EGI CSIRT decide if it is an incident that requires further investigation or action. | |
| 4 | If applicable, announce downtime for the affected services in accordance with the EGI Operational Procedures | Within 1 day of isolation |
| 5 | Perform appropriate analysis and take necessary corrective actions, seeIncident Analysis Guideline | Within 4 working hours of any EGI CSIRT request |
| 6 | Coordinate with your local security team and the EGI CSIRT to send an incident closure report to the EGI CSIRT via abuse@egi.eu, including lessons learnt and resolution. This report should be labelled AMBER or RED, according to the Traffic Light Protocol. | Within 1 month of incident resolution |
| 7 | Restore the service and, if needed, update the service documentation and procedures to prevent recurrence as necessary. |
Resource Centre Checklist
View file name SEC01-RC.pdf height 250
EGI-CSIRT Responsibilities
...