Computer Incident Response Team (CIRT) Process

Find out how the Computer Incident Response Team (CIRT) investigates and resolves computer security incidents.

A security incident occurs when an unauthorized entity gains access to UC San Diego computing or network services, equipment, or data.

• If you suspect a violation of your computer's security, contact your department computer or technical support immediately.
• If you are a system administrator, read IT Services Security's guidance on reporting a computer security incident to determine whether you need to contact the CIRT. Report possible incidents immediately.
• Departments with internal incident response teams are still required to contact the CIRT when an incident occurs. The CIRT will work closely with your security team to investigate the incident.

CIRT Process

The CIRT process begins when a system administrator reports a possible security incident.

1. Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
2. Preserving the evidence: To prevent destruction of evidence and maximize the chances of identifying the intruder, no interaction with the machine will occur until the incident handling team is in place.
3. Setting up the incident handling team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention. Under the guidance of the CIRT contact, the team:
   • Investigates the extent and type of occurrence and determines, possibly with disk imaging and analysis, if it is a security incident. If it is, the team contacts law enforcement, UC San Diego's Campus Counsel, and appropriate campus executives.
   • Works with the system administrator and law enforcement to collect proper evidence, in keeping with the UC Electronic Communications Policy (ECP), and determines the impact of the incident.
   • Meets with CIRT and law enforcement to generate an official report for UC San Diego's top management. The report outlines the type and extent of the incident and lists actions required and recommended to mitigate future incidents.
4. Cleaning up and restoring the system: This process begins after the official report is filed.
5. Notifying the impacted department or equipment owner: This takes place as required by the ECP unless law enforcement indicates it will interfere with the investigation. The IT policy coordinator provides advice on ECP notification requirements and process.
6. Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.