Computer Incident Response Team (CIRT) Process
Last Updated: November 25, 2025 7:55:41 AM PST
Find out how the Computer Incident Response Team (CIRT) investigates and resolves computer security incidents.
[Report IT Security Incident]
A security incident occurs when an unauthorized entity gains access to UC San Diego computing or network services, equipment, or data.
- If you suspect a violation of your computer's security, contact your department technical support immediately or click on the "Report IT Security Incident" button.
- If you are a system administrator, read IT Services Security's guidance on reporting a computer security incident to determine whether you need to contact the CIRT. Report possible incidents immediately.
- Departments with internal incident response teams are still required to contact the CIRT when an incident occurs. The CIRT will work closely with your security team to investigate the incident.
CIRT Process
The CIRT process begins when a system administrator reports a possible security incident.
- Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
- Preserving the evidence: To prevent destruction of evidence and maximize the chances of identifying the intruder, no interaction with the machine will occur until the incident handling team is in place.
- Setting up the incident handling team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention. The CIRT Team will consist of specific contacts outlined within the Incident Response Plan, and according to the UCoP Incident Response Standard.
- Under the guidance of the CIRT contact, the team:
  - Investigates the extent and type of occurrence and determines, possibly with disk imaging and analysis, whether it is a security incident. If it is, the team contacts the appropriate campus executives, and may contact law enforcement, UC San Diego's Campus Counsel, Privacy, Compliance, Registrar, Risk and others, depending on whether protected data is involved.
  - Works with the system administrator to collect proper evidence, in keeping with the UC Electronic Communications Policy (ECP), and determines the impact of the incident.
  - Meets with the CIRT to generate an official report for UC San Diego's top management. The report outlines the type and extent of the incident and lists the actions required and recommended to mitigate future incidents.
- Cleaning up and restoring the system: This recovery process begins after notification of the official report.
- Notifying the impacted department or equipment owner: This takes place as required by the ECP unless law enforcement indicates it will interfere with the investigation. The IT policy coordinator provides advice on ECP notification requirements and process.
- Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.
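The "preserving the evidence" and "disk imaging and analysis" steps above depend on being able to show later that an image was not altered between collection and analysis. The following script is an added example, not part of the CIRT page or any UC San Diego tooling: it records a chain-of-custody manifest (case id, file size, SHA-256, collector, UTC timestamp) for an image file and re-verifies the file against that manifest. The case id, collector name and sample image contents are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read images in 1 MiB pieces so large files do not need to fit in memory


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(image_path: str, collector: str, case_id: str) -> dict:
    """Build the custody record that is stored alongside the image (and ideally signed or
    stored separately from the image itself)."""
    return {
        "case_id": case_id,
        "file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "collected_by": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def verify_manifest(image_path: str, entry: dict):
    """Return (ok, reason). Size is checked first because it is cheap; a size match does
    not prove integrity, so the hash is always recomputed when sizes agree."""
    if os.path.getsize(image_path) != entry["size_bytes"]:
        return False, "size mismatch"
    if sha256_file(image_path) != entry["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


def demo():
    """Constructed walk-through: image a sample file, verify it, then show that a
    same-length modification is caught by the hash check. Returns
    (ok_before, ok_after, reason_after)."""
    sample = b"constructed sample disk image"  # placeholder content, not a real image
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")
        with open(image, "wb") as f:
            f.write(sample)
        manifest = create_manifest(image, collector="sysadmin (placeholder)",
                                   case_id="CASE-0000 (placeholder)")
        ok_before, _ = verify_manifest(image, manifest)
        # Flip the last byte: same size, different content.
        with open(image, "wb") as f:
            f.write(sample[:-1] + b"!")
        ok_after, reason_after = verify_manifest(image, manifest)
        return ok_before, ok_after, reason_after


if __name__ == "__main__":
    print(json.dumps(demo()))
```

In practice the manifest would be written next to the image and a copy kept with the incident record, so that anyone performing later analysis can run `verify_manifest` before trusting the image. The same hash should be recorded when the image is handed to another party, which is what makes the custody chain reviewable in the official report stage.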
For more information, contact IT Services Security at security@ucsd.edu.