Computing Incident Response Team (CIRT) Policy
1.0 Purpose
The Information Technology Security Computing Incident Response Team
(CIRT) is the emergency response team for all IT security events at
Brown University. The CIRT is critical to protecting Brown University's
electronic communications infrastructure. This policy provides the IT
Security Director, who oversees the CIRT, with the authority to develop
guidelines and requirements to meet the security needs of users and
to safeguard the University's systems. Support from all areas of the
University is vital to the CIRT's success. The following policy advises those using University computing resources of the appropriate mechanism for reporting security-related incidents and the steps that will be taken in response to an incident.
2.0 Scope
This policy applies to all Brown University students, faculty,
staff, visitors, contractors, vendors and agents using University computing resources regardless of the
ownership of the device used to connect to the Brown University
network.
3.0 Policy
3.1 Reporting
System Administrators, Departmental Computing Coordinators (DCCs), and other computer users at the University must immediately report suspected IT security incidents (including but not limited to virus infections and computers exhibiting behavior consistent with a compromised machine) to the CIRT through the Help Desk. Staff and faculty should contact their DCC, who will then work with the CIRT team to contain damage and restore the computer(s) to normal operation as soon as possible.
If an incident has occurred on a machine, and the damage suspected could involve a compromise of sensitive information, then no action should be taken on the computer other than to disconnect it from the campus network by removing the network cable or turning off the wireless device. Once a compromise of sensitive information is reported, CIRT team members will assist local personnel to try to determine the cause of the incident and assess damage before the machine is returned to service.
3.2 Emergency Access to Devices or Information
In limited cases, authorized individuals may need immediate
physical and/or logical access to areas and/or systems within the
University. Requests to the Public Safety Department (for physical
access) or to the Director of IT Security (for logical access) must be
made using the Request for Privileged Access form, and are subject to several levels of approval.
CIRT Team members will receive training regarding how to maintain the
integrity of information that may be needed in support of an
investigation up until the time that equipment or files are picked
up by the Office of Public Safety (or other Brown authorized
authority). Training regarding the need for strict confidentiality
will also be provided by the Director of IT Security.
The University's
Office of the General Counsel and others (when appropriate) will be notified
as necessary. When criminal activity appears likely, Public Safety
will establish and maintain the chain of custody for evidence in
connection with the incident.
3.3 Procedures
The procedures used by CIRT members and other computing support
staff (i.e., System Administrators, DCCs and Department Chairs) with regard to security
incidents are under the authority and control of the Director of IT Security in CIS.
The Director of IT Security has the authority to initiate changes in
the way electronic traffic flows at the University when emergencies
arise, based on approval from the VP of Computing and Information
Services. Any questions about this requirement can be directed to the
Brown University Help Desk (Help@Brown.edu or 863-7457).
4.0 Related Documents
Computing Policy for Brown University (home) | Acceptable Use | CIRT home page
Questions or comments to: ITPolicy@brown.edu
Effective Date: August 30, 2004