The Information Security Incident Response Team (ISIRT) is critical to protecting Brown University's IT systems and infrastructure, providing emergency response to significant information security incidents at Brown. A security incident impacting infrastructure directly supported by Brown IT staff will invoke the ISIRT based on an incident’s level of severity and the systems affected. Response to a risk to Brown University data under the control of a third-party vendor will be coordinated by the Chief Information Security Officer and the CIO of the Office of Information Technology (OIT), who determine the appropriate communication required.

The ISIRT responds to and manages Brown University’s information security incidents. These are generally defined as malicious activity that threatens the University's computing infrastructure, and are characterized by an unauthorized entity gaining access to Brown computing or network services, equipment or data.

Categories of incident types, which are constantly evolving, include but are not limited to the following:

• Denial of Service attacks
• Rapidly spreading or highly virulent malicious code (e.g., malware, ransomware, worms, trojans)
• Compromised servers or accounts
• Unauthorized access to protected IT services by Brown community members or others
• Unauthorized utilization of services by Brown community members or others
• Requests for technical support for investigations approved by authorized Brown representatives, on behalf of the University

In addition to identifying threats to Brown’s computing environment, the ISIRT is responsible for:

• Coordinating appropriate responses to counter malicious threats
• Monitoring new and developing security issues that may affect computing and information services
• Developing group-level response procedures so that there is archival documentation and clear understanding of roles across OIT and non-OIT groups
• Periodically reviewing incident response processes and making recommendations for improvements
• Conducting periodic table-top exercises
• Building comprehensive strategies around emerging threats

The procedures used by ISIRT members and other IT technical support staff (system administrators, departmental computing coordinators, et.al.) with regard to security incidents are under the authority and control of the Director of Information Technology Security in OIT.

The ISIRT is overseen by the Chief Information Security Officer, who has the authority to develop guidelines and requirements to meet the security needs of users and to safeguard the University's systems from threats. The ISIRT is composed of key personnel in OIT representing the following areas: network technology, information security. infrastructure operations, database services, systems, endpoint engineering, and the IT service center.

In addition, depending on the incident and level of severity, the following offices may be called upon to support the work of the ISIRT: Office of University Communications, Office of Internal Audit Services, Government Relations & Community Affairs, Office of the General Counsel, University Human Resources, Office of the Provost, and the Department of Public Safety. Subject matter experts and others will be added as necessary.

While the details of each incident response may vary, the process generally includes the following phases:

• Response Phase: Conduct a triage of the incident, assist in containment of the incident, collect evidence for the post mortem report and if necessary, conduct or assist in a forensic investigation.
• Recovery Phase: Damage assessment, return to normal operations, rebuilding servers and systems, etc.
• Follow-up Phase: Sending final incident reports to parties with a need-to-know.

• Electronic Information Access Policy
• ISIRT Procedural Flowchart
• Report a Security Incident