The Computer Incident Response Team (CIRT) investigates and resolves computer security incidents. A security incident occurs when an unauthorized entity gains access to UCSD computing or network services, equipment or data.
- If you suspect a violation of your computer's security, contact your department's computer or technical support person immediately.
- If you are a system administrator and need to report an incident, follow the directions on How to Report a Computer Security Incident and call the ACT Help Desk at (858) 534-1853 immediately.
The CIRT process begins when a system administrator reports a possible security incident. It includes these steps:
- Isolating the compromised system from the network: The machine is isolated unless network connections can help determine the extent and nature of the incident.
- Preserving the evidence: To prevent destruction of evidence and maximize chances of identifying the intruder, no interaction with the machine will occur until the CIRT team is in place.
- Setting up the CIRT team: The CIRT contact and the reporting system administrator set up an incident handling team if the situation merits further attention. The team, under the guidance of the CIRT contact:
- Investigates the extent and type of occurrence and determines, possibly with disk imaging and analysis, if it is a security incident. If it is, the team contacts law enforcement, UCSD general counsel, and appropriate campus executives.
- Works with the system administrator and law enforcement to collect proper evidence, in keeping with the UC Electronic Communications Policy (ECP), and determines the impact of the incident.
- Meets with CIRT and law enforcement to generate an official report for UCSD's top management. The report outlines the type and extent of the incident and lists actions required and recommended to mitigate future incidents.
- Cleaning up and restoring the system: This process begins after the official report is filed.
- Notifying the impacted department or equipment owner: This takes place as required by the ECP unless law enforcement indicates it will interfere with the investigation. The manager of campus electronic communications support provides advice on ECP notification requirements and process.
- Evaluating how the situation was handled: After the required notification, the CIRT and incident handling team evaluate the response and notification process.
Questions? Contact CIRT.
Note: This page has a friendly link that’s easy to remember: http://blink.ucsd.edu/go/cirt
| 
At Your Service Online
