Information Technology Security & Support Subcommittee
CSIRT Documents
Joe Amador 14544
James Amann 11574
James Jones 14428
Terence Collis 13272
Thomas Stratton 13781
David McDuffie 13967
Sam White 14574
Preston May 10555
Gregory Jones 11587
Tammy Clark 39612
Kerry Heyward 12569 Legal
Melissa Bell Brennaman 11358 Human Resource
The following is the running list of revisions being made to the CSIRT document.
Additionally, we should:
1. Establish an incident response toolkit (On a CD based on O/S).
2. Incorporate BOR processes.
3. Incorporate SANS processes.
4. Incorporate contact recall information.
5. Make the CSIRT doc more user friendly such that anyone can initiate and
respond to a security incident – A step-by-step type of walk through.
6. Leverage some of UCCS’s Critical Outage Notification Procedures into the
document.
7. More University participation in the completion of this doc.
1. Remain calm
2. Take good notes
3. Notify the right people and get help
4. Enforce a "need to know" policy
5. Use out-of-band communications (i.e., use telephone and faxes if it's a network
compromise)
6. Contain the problem
7. Make backups
8. Get rid of the problem
9. Get back in business
Incident Handling (already in current document):
Phase 1 - Preparation
Phase 2 - Identification (responsibility)
Phase 3 - Containment
Phase 4 - Eradication
Phase 5 - Recovery
Phase 6 - Follow-up