This policy relates to personal data as defined by the Data Protection Act 1998, held in connection with security incidents reported to CamCERT.
CamCERT gathers and records all security and related incidents reported to it.
The information is used as follows:
- Reports of attacks of any description (unexpected activity from machines outside the cam.ac.uk) domain is passed to (JANET-CSIRT, which is the Computer Emergency Response team for the UK Academic Community. It may also be passed directly to the security teams at the site of the attacking machine. This includes computer staff in the University of Cambridge and its Colleges as well as sites anywhere in the world. Typically, the identity of the owner of the machine and the person who reported the incident will not intentionally be forwarded to third parties, but such information may be a part of the report or the name of the machine. Information may also be passed to University Computer Officers to enable them to trace insecure machines on their network.
- Details of any machine within the cam.ac.uk domain that is
found to be insecure may be forwarded to JANET-CSIRT so that
- they can deal swiftly with complaints from remote sites
- they can alert other members of the academic community to the sort of attack being experienced.
- To alert the owners of machines on the Internet when their machine is misbehaving, perhaps because its security has been compromised or because some software is misconfigured.
- To preserve evidence for subsequent investigations.
- To enable repeating and continuing incidents to be identified.
- To produce statistical reports for management purposes, such as the Annual Report of the University Computing Service. Such statistics do not include personal data, but are derived from logs that may contain personal data.
Information is recorded in the following ways:
- All email is kept easily accessible for about 3 months so that investigations can continue. The email is available only to the CERT team, although extracts from the messages may be forwarded as described above.
- email is archived at the end of each month and is kept on archive for a period of approximately 18 months.
- A summary of the incidents reported is recorded in a small database and kept indefinitely. Typically, this includes the name and IP address of the machines involved in the incident and the nature of the incident. In the case of a single use machine, the name of the machine may therefore identify an individual.
- Depersonalised reports are available to technical staff in the University and are kept indefinitely.
To assist with incidents the following traffic accounting information logged from the CUDN is used:
- date and time of day
- source and destination IP addresses
- aggregated source and destination port numbers
- protocol type
- number of octets of data
- number of packets of data
This information is processed by aggregating, ranking, and selection. Traffic data is held for approximately 3 months, processed security incident data for approximately 1 year.