The Center for Information Technology

CIT Policy and Procedures Statement
Computer Security Incident Response Policy

I. Purpose

This policy and procedures statement establishes the responsibilities of CIT staff in responding to and reporting computer security problems.

II. Coverage

This policy and procedures statement applies to all government and contract employees within CIT.

III. Definitions

  • A "CIT computer system" is a computer system that is owned or operated by the CIT. This includes the full range of computer systems, from centrally managed multi-user systems and network servers to single-user microcomputer systems.
  • A "security problem" is a breach, or attempted breach, in the security of a computer system. This includes, but is not limited to, unusual or apparently malicious break-in attempts (either local or over a network), virus or network worm attacks, file or data tampering, unauthorized information access or disclosure, network router or gateway attacks, or any incident where a user, either directly or by using a program, performs functions for which they do not have authorization.
IV. Policy

    A. All CIT staff and contractors are responsible for helping to ensure the security of the computer systems which they use and operate. Part of this responsibility is the duty to report any confirmed or suspected security problem in a timely manner.

    B. It is the responsibility of the CIT Computer Emergency Response Team (CERT) Coordinator to coordinate communications with entities outside of CIT (such as the NIH OIRM, Carnegie Mellon CERT, or law enforcement agencies) about a suspected or confirmed security problem on any CIT system, and to coordinate communications in response to external inquiries about such incidents.

V. Procedures

If you suspect that there may be a security problem on a CIT computer system which you use or administer, you are responsible for doing the following:
  • If you are a user of a multi-user system, make sure that the designated system or security administrator is quickly made aware of the problem. If you do not know who the administrator is, the CIT Technical Assistance and Support Center (TASC) at 4-CIT (594-3278) can help you determine this information.
  • If you are a system administrator (or if it is your personal system that is involved), you should first try to determine that you really do have an actual security problem, then attempt to determine the magnitude and scope of the incident as much as possible. You should then notify the CIT CERT by either:
    1. Calling TASC and asking to speak to the CIT CERT Coordinator. If it is a potentially serious problem, to avoid any unnecessary delays it is better to call TASC if it is during their open hours, rather than using e-mail.
    2. Sending an e-mail message describing anything known about the problem and your contact information (name, phone number, office location and hours, e-mail address) to the following Internet address:
  • If you do not receive a response from someone within several hours, contact TASC and report the problem as soon as possible. You should not include any potentially sensitive information in e-mail that you send about a problem, such as a user name, password, or other personal information, unless specifically requested to do so.
  • If you suspect a security breach, all files, documents, or logs that may provide evidence or clues about the incident should be duplicated on removable media and preserved.
VI. Responsible Organization

Further information and advice is available from the CIT CERT. You may contact them by calling TASC at the above number.
