
Computer Incident Response Process

The Computer Incident Response Team (CIRT) investigates and resolves computer security incidents. A security incident occurs when an unauthorized entity gains access to SU computing or network services, equipment or data.

  • If you suspect a violation of your computer's security, contact your department's computer or technical support person immediately.
  • If you are a system administrator, go to the Information Security Policies/Guidelines page. Under the Associated Procedures area there is a document, The CIRT and Incident Handling, that can help you determine the type of incident and the escalation process that applies to you. Follow the process below for all incidents.
  • Departments with internal incident response teams are still required to contact the CIRT in the event of an incident. The CIRT will work closely with your security team to investigate the incident.

Process

  • Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
  • Preserving the evidence: To prevent destruction of evidence and maximize chances of identifying the intruder, no interaction with the machine will occur until the CIRT team is in place.
  • Setting up the CIRT team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention.
  • Cleaning up and restoring the system: This process begins after the official report is filed.
  • Notifying the impacted department or equipment owner: This takes place as required unless law enforcement indicates it will interfere with the investigation.
  • Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.