Procedure

Effective Date: January 26, 2010
Date of Last Revision: April 21, 2015
Chapter Name: Information Management
Chapter Number: 4.8.P.10
Title: Compromised Email Account
1.0 Purpose
This procedure documents the responsibilities and tasks associated with managing a compromised email account.
These procedures must be implemented on the time and date identified or immediately upon notification by the
messaging administrator, Division of Information Technology (DoIT) Security, Help Desk or Incident Response
Team (IRT).
2.0 Governing Policy
Number/Document Name: 4.8 EMU System Accounts
Effective Date: September 30, 2008
3.0 Procedure
Mail administrator – Lock Compromised Account
1. Upon confirmation of compromise, based on reasonable information and belief the account is being used in
violation of Eastern Michigan University (EMU) policy, Merit Networks policy, Google Apps for
Education policy, or law, locks the account to prevent further malicious actions.
   a. Script resets the compromised account's password to a randomly generated, very complex
   password.
   b. Flags the account as locked for the Help Desk.
   c. Records the lock date for the Help Desk.
   d. If it is a Zimbra account an automated script resets many of the Zimbra preferences that are
   commonly changed by phishers when an account is compromised.
2. Sends email to an appropriate abuse email list with pertinent information such as user name.
Help Desk – Unlock Compromised Accounts
1. Receives call or ticket from user that they cannot access their account.
2. Help Desk verifies user identity.
3. Determines that account is locked by reviewing it in https://id.emich.edu (ID hereafter).
4. Reads the call script to educate the user as to what happened and how to prevent reoccurrence.
5. Selects the option in ID to unlock the account.
6. Instructs the caller to reset their password in https://account.emich.edu to regain access to the account.
4.0 Responsibility for Implementation
Director over IT Security is responsible for the implementation of this procedure.
IT Procedure – 4.8.P.10 Compromised Email Account
Form Version 3.0
5.0 Definitions
Term: Compromised Account
Definition: An account that has its password stolen and is being used in violation of EMU
policy or law, based upon reasonable information and belief.
6.0 Revision History
Description: Approval Date
Original: January 26, 2010
Revised by Mail Administrator: December 4, 2012
Revision approved by CIO: March 12, 2013
Revision draft By Allan Edwards: February 25, 2015
Policy Committee – 1st Review: March 19, 2015
Policy Committee – 2nd Review: April 16, 2015
Approved by CIO: April 21, 2015