Procedure
Effective Date: January 26, 2010
Date of Last Revision: April 21, 2015
Chapter Name: Information Management
Chapter Number: 4.8.P.10
Title: Compromised Email Account

1.0 Purpose

This procedure documents the responsibilities and tasks associated with managing a compromised email account. These procedures must be carried out at the time and date identified, or immediately upon notification by the messaging administrator, Division of Information Technology (DoIT) Security, the Help Desk or the Incident Response Team (IRT).

2.0 Governing Policy

Number/Document Name: 4.8 EMU System Accounts
Effective Date: September 30, 2008

3.0 Procedure

Mail administrator – Lock Compromised Account

1. Upon confirmation of compromise, based on reasonable information and belief that the account is being used in violation of Eastern Michigan University (EMU) policy, Merit Networks policy, Google Apps for Education policy, or law, locks the account to prevent further malicious actions.
   a. A script resets the compromised account's password to a randomly generated, very complex password.
   b. Flags the account as locked for the Help Desk.
   c. Records the lock date for the Help Desk.
   d. If it is a Zimbra account, an automated script resets many of the Zimbra preferences that are commonly changed by phishers when an account is compromised.
2. Sends email to the appropriate abuse email list with pertinent information such as the user name.

Help Desk – Unlock Compromised Accounts

1. Receives a call or ticket from a user who cannot access their account.
2. Verifies the user's identity.
3. Determines that the account is locked by reviewing it in https://id.emich.edu (ID hereafter).
4. Reads the call script to educate the user about what happened and how to prevent a recurrence.
5. Selects the option in ID to unlock the account.
6. Instructs the caller to reset their password at https://account.emich.edu to regain access to the account.
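The mail-administrator lock steps above (random complex password, lock flag and lock date for the Help Desk, reset of phisher-altered Zimbra preferences, abuse-list notice) written out as a Python routine. This is an added example, not EMU's own lock script: the in-memory account model, the abuse-list address, and the specific zimbraPref* attribute names chosen for reset are assumptions for illustration (the page says only that "many" commonly changed preferences are reset). The sample account is constructed with the forwarding and auto-reply changes phishers typically make.

```python
"""Added example of the section 3.0 lock procedure. Account store,
preference set and abuse-list address are assumptions, not EMU's script."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ABUSE_LIST = "abuse-list@example.edu"  # assumed address, not on the page

# Assumed reset set: the preferences a phisher changes to siphon mail
# (silent forwarding, local delivery off) or to lend a scam credibility
# (auto-reply, signature, display name). Names follow Zimbra's zimbraPref*
# convention; EMU's actual list is not stated on the page.
SAFE_PREFS = {
    "zimbraPrefMailForwardingAddress": "",
    "zimbraPrefMailLocalDeliveryDisabled": "FALSE",
    "zimbraPrefOutOfOfficeReplyEnabled": "FALSE",
    "zimbraPrefOutOfOfficeReply": "",
    "zimbraPrefMailSignature": "",
    "zimbraPrefFromDisplay": "",
}

PASSWORD_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+",
)


@dataclass
class Account:
    username: str
    password: str
    prefs: dict = field(default_factory=dict)
    locked: bool = False            # step 1b: flag for the Help Desk
    lock_date: Optional[str] = None  # step 1c: ISO 8601 UTC, for the Help Desk


def has_all_classes(pw: str) -> bool:
    """True when pw contains at least one character from every class."""
    return all(any(ch in cls for ch in pw) for cls in PASSWORD_CLASSES)


def random_complex_password(length: int = 32) -> str:
    """Step 1a: CSPRNG password (secrets, not random) that always contains
    all four character classes, so a weak draw can never slip through."""
    alphabet = "".join(PASSWORD_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def lock_compromised_account(acct: Account, is_zimbra: bool,
                             now: Optional[datetime] = None) -> dict:
    """Steps 1a-1d and 2: lock the account and build the abuse-list notice.
    Returns the notice so the caller can hand it to the mailer."""
    now = now or datetime.now(timezone.utc)
    acct.password = random_complex_password()
    acct.locked = True
    acct.lock_date = now.isoformat(timespec="seconds")

    reset_prefs = []
    if is_zimbra:  # step 1d only applies to Zimbra accounts
        for key, safe in SAFE_PREFS.items():
            if acct.prefs.get(key, safe) != safe:
                reset_prefs.append(key)  # record what the attacker had changed
            acct.prefs[key] = safe

    # Step 2: pertinent information only. The new password is deliberately
    # absent; the user regains access through a self-service reset after the
    # Help Desk unlocks the account, never from this message.
    body = (
        f"Account {acct.username} locked at {acct.lock_date} for suspected "
        f"compromise. Preferences reset: {', '.join(reset_prefs) or 'none'}."
    )
    return {"to": ABUSE_LIST, "subject": f"Compromised account: {acct.username}",
            "body": body, "reset_prefs": reset_prefs}


def sample_phished_account() -> Account:
    """Constructed sample: mailbox altered the way phishers usually do."""
    return Account(
        username="jdoe",
        password="Winter2015!",
        prefs={
            "zimbraPrefMailForwardingAddress": "drop@example.net",
            "zimbraPrefMailLocalDeliveryDisabled": "TRUE",
            "zimbraPrefOutOfOfficeReplyEnabled": "TRUE",
            "zimbraPrefOutOfOfficeReply": "Please see the attached invoice",
        },
    )


if __name__ == "__main__":
    acct = sample_phished_account()
    notice = lock_compromised_account(acct, is_zimbra=True)
    print(notice["subject"])
    print(notice["body"])
```

Recording which preferences were actually changed, rather than just overwriting them, is what tells the responder whether mail was being siphoned off (forwarding set, local delivery disabled) and therefore whether the incident is a credential theft alone or also a data exposure.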
4.0 Responsibility for Implementation

The Director over IT Security is responsible for the implementation of this procedure.

IT Procedure – 4.8.P.10 Compromised Email Account Form Version 3.0 Page 1 of 2

5.0 Definitions

Term: Compromised Account
Definition: An account that has had its password stolen and is being used in violation of EMU policy or law, based upon reasonable information and belief.

6.0 Revision History

Description                         Approval Date
Original                            January 26, 2010
Revised by Mail Administrator       December 4, 2012
Revision approved by CIO            March 12, 2013
Revision draft by Allan Edwards     February 25, 2015
Policy Committee – 1st Review       March 19, 2015
Policy Committee – 2nd Review       April 16, 2015
Approved by CIO                     April 21, 2015