Computer Incident Response Process
The Computer Incident Response Team (CIRT) investigates and resolves computer security incidents. A security incident occurs when an unauthorized entity gains access to SU computing or network services, equipment or data.
- If you suspect a violation of your computer's security, contact your department's computer or technical support person immediately.
- If you are a system administrator, go to the Information Security Policies/Guidelines page. Under the Associated Procedures area there is a document, The CIRT and Incident Handling, that will help you determine the type of incident and the escalation process that applies to you. Follow the process below for all incidents.
- Departments with internal incident response teams are still required to contact the CIRT in case of incident. The CIRT will work closely with your security team to investigate the incident.
- Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
- Preserving the evidence: To prevent destruction of evidence and maximize the chances of identifying the intruder, no one interacts with the machine until the CIRT is in place.
- Setting up the CIRT team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention.
- Cleaning up and restoring the system: This process begins after the official report is filed.
- Notifying the impacted department or equipment owner: This takes place as required unless law enforcement indicates it will interfere with the investigation.
- Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.