Additional Information

Tyler Information Technology Security Office (ITSO) Policy

Reporting the Incident:

An affected site must notify Tyler within 24 hours of discovery of the infection/attack. Tyler will immediately close down all active connections to the site and disable user accounts that have access to hosted services. This includes:

Clients who use VPN technologies to access Tyler hosted solutions
Clients using remote access technologies to access Tyler hosted solutions (ex. Parallels)
Client environments accessed by Tyler employees via remote access or support technologies (ex. Bomgar, GoToAssist, RDP)

Recording the Incident:

Tyler will create a ticket in CRM to track the progress of the attack. This ticket will be checked as Internal for Tyler's use and not client searchable.
Tyler will create a alert on the clients account in the following format: SEV-1 SECURITY BREECH - Site Quarantined - DO NOT CONNECT until cleared by ITSO (CASE#)
Tyler will open up a Sev-1 to include Hosting Services at ccs.tylerhost.net only if ransomware is part of the security incident.Create a sev 1 by clicking Sev tracking tool on the bottom of the lefthand menu. Deployment, Disaster Recovery (DR) Support, Information Technology Security Offices (ITSO) and others if needed and track the progression of the resolution.

Next steps:

For Tyler hosted client environments or Tyler DR client declarations involving malware, additional precautions will be taken. Client application environments will be moved from the multi-tenancy Tyler Hosting center into a temporary quarantined hosted environment. The Hosting team will scan the client’s data with an ITSO approved anti-malware solution and transfer the data into the new, fully segregated AWS environment.

This quarantine will remain in place for a minimum period of six (6) months. This added safeguard ensures that any malware present in the environment can not affect any other Tyler service.

Tyler will need documentation including the following information on official letterhead. This can be emailed, faxed, or mailed to the assigned Tyler Support Technician.

When was the infection first identified?
If known, what was the root cause of the initial infection?
What were the observed symptoms of the infection?
What is the name of the malware (if known)?
What organization is handling their response?
What steps were taken to contain and eliminate the malware?
Provide an outline of the response/restoration actions taken.
1. If available, provide a copy of the incident response procedure used.
What remote access software do Tyler employees use to connect to the client system?
When was the site declared clean of malware?
What ongoing monitoring has been put in place to prevent another outbreak?

A report from a government agency (FBI or Secret Service), third-party security firm that is handling the response, or responses on the site's official letterhead is requested.

Restoring connection to the cleaned site:

Once the client has provided appropriate documentation that their network is free of malware, Tyler’s IT Security Office will review within 72 hours and authorize Hosting or Division Support to re-enable remote access.

The six (6) month quarantine window begins on the day that the above written report is reviewed and accepted in writing by Tyler's Information Security team (or delegate).

Browser not supported