Computing Incident Response Team (CIRT) Policy

1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Reporting
3.2 Emergency Access to Devices or Information
3.3 Procedures

1.0 Purpose

The Information Security Computing Incident Response Team (CIRT) is the emergency response team for all information security events at Brown University. The CIRT is critical to protecting Brown University's electronic communications infrastructure. This policy provides the Chief Information Security Officer, who oversees the CIRT, with the authority to develop guidelines and requirements to meet the security needs of users and to safeguard the University's systems. Support from all areas of the University is vital to the CIRT's success. The following policy advises those using University computing resources regarding the appropriate mechanism for reporting of security-related incidents and the steps that will be taken in response to an incident.

2.0 Scope

This policy applies to all Brown University students, faculty, staff, visitors, contractors, vendors and agents using University computing resources regardless of the ownership of the device used to connect to the Brown University network.

3.0 Policy

3.1 Reporting

System Administrators, Departmental Computing Coordinators (DCCs), and other computer users at the University must immediately report suspected IT security incidents (including but not limited to virus infections and computers exhibiting behavior consistent with a compromised machine) to the CIRT through the Help Desk. Staff and faculty should contact their DCC, who will then work with the CIRT to contain damage and restore the computer(s) to normal operation as soon as possible.

If an incident has occurred on a machine, and the damage suspected could involve a compromise of sensitive information, then no action should be taken on the computer other than to disconnect it from the campus network by removing the network cable or turning off the wireless device. Once a compromise of sensitive information is reported, CIRT members will assist local personnel in trying to determine the cause of the incident and assess damage before the machine is returned to service.

3.2 Emergency Access to Devices or Information

In limited cases, authorized individuals may need immediate physical and/or logical access to areas and/or systems within the University. Requests to the Department of Public Safety (for physical access) or to the Chief Information Security Officer (for logical access) must be made using the Request for Privileged Access form, and are subject to several levels of approval.

CIRT members will receive training on how to maintain the integrity of information that may be needed in support of an investigation up until the time that equipment or files are picked up by the Department of Public Safety (or other Brown-authorized authority). Training regarding the need for strict confidentiality will also be provided by the Chief Information Security Officer.

The University's Office of the General Counsel and others (when appropriate) will be notified as necessary. When criminal activity appears likely, Public Safety will establish and maintain the chain of custody for evidence in connection with the incident.

3.3 Procedures

The procedures used by CIRT members and other computing support staff (i.e., System Administrators, DCCs and Department Chairs) with regard to security incidents are under the authority and control of the Chief Information Security Officer in CIS.

The Chief Information Security Officer has the authority to initiate changes in the way electronic traffic flows at the University when emergencies arise, based on approval from the VP of Computing and Information Services. Any questions about this requirement can be directed to the Brown University IT Service Center (help@brown.edu or 863-7457).

Questions or comments to: ITPolicy@brown.edu

Effective Date: August 30, 2004
Last Reviewed: March, 2014