
Computer Incident Response Process

The Computer Incident Response Team (CIRT) investigates and resolves computer security incidents. A security incident occurs when an unauthorized entity gains access to SU computing or network services, equipment or data.

  • If you suspect a violation of your computer's security, contact your department's computer or technical support person immediately.
  • If you are a system administrator, please go to the Information Security Policies/Guidelines page. Under the Associated Procedures area there, the document "The CIRT and Incident Handling" can help you determine the type of incident and the escalation process that applies to you. Please follow the process below for all incidents.
  • Departments with internal incident response teams are still required to contact the CIRT in case of an incident. The CIRT will work closely with your security team to investigate the incident.


  • Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
  • Preserving the evidence: To prevent destruction of evidence and maximize chances of identifying the intruder, no interaction with the machine will occur until the CIRT team is in place.
  • Setting up the CIRT team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention.
  • Cleaning up and restoring the system: This process begins after the official report is filed.
  • Notifying the impacted department or equipment owner: This takes place as required unless law enforcement indicates it will interfere with the investigation.
  • Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.