Computing & Information ServicesISGBrown University

Box 1885  3 Davol Square  Providence, RI 02903 401.863.7266

INCIDENT HANDLER REPORT CORRECTIVE ACTION PLAN for Brown Compromised Systems

Although a determined person can access a protected machine if so desired, systems are generally compromised because they are somehow left vulnerable. In order to minimize the number of compromised systems at Brown University, we are asking those who manage systems to document each incident and generate a simple plan to improve local processes so that the same type of incident does not recur.

The appropriate department personnel should complete the following INCIDENT HANDLER REPORT & CORRECTIVE ACTION PLAN for IT Security within 5 business days of the incident. The plan does not have to be implemented within 5 business days, but we do want to know what the implementation dates will be for the plan. At any time, an individual can contact IT Security or other CIS technical personnel to request assistance in developing their plan for going forward.

This exercise is meant to minimize risk to the department and to Brown, as well as to reduce the possibility that the same kind of incident will recur. It is important to remember that a compromised system is often not isolated, and many times is used to scan and attack other machines on or off campus.

NOTE: PASSWORDS USED TO ACCESS AFFECTED MACHINES (OR APPLICATIONS FROM THE AFFECTED MACHINES) MUST BE CHANGED IMMEDIATELY. (See Password Policy at)

Section 1
Date and time of incident: / Department:
Date of Incident Notification (from CIS): / DeskProTicket #:
Name of DCC or SysAdm: / Phone:
Department chair/head: / Phone:
Incident type: [ ] compromised machine [ ] malicious code [ ] policy violation [ ] other
If other, please specify:
Work station used by: [ ] single-user [ ] multi-users / Location:
Name(s) of user(s):
What is the machine’s function?
Was Brown Confidential Information stored on affected machine(s) and potentially "exposed" to unauthorized individuals or groups? [ ] Yes [ ] No
If yes, what kinds of information? A. PII requiring disclosure B. PII not requiring disclosure
Describe information. Note: If PII requires disclosure, please attach a copy of email completed (#3 on Incident Handler Checklist).
How was the machine compromised? (to the best of your knowledge)
Are there other systems that share a trust relationship with the compromised machine that we should be worried about? [ ] Yes [ ] No If yes, please describe.
Identified vulnerabilities: (underlying cause of incident)
Approximate cost of incident: (incl. hrs of labor) / Date of Corrective Action Plan: (submit within 5 days)
Person responsible for the plan: / Person responsible for the plan’s implementation:
Section 2
Steps to be taken (Attach other sheets as needed) / Dates
Section 3 (Email routing may be used in lieu of hardcopy signatures)
Password Change(s) completed by:
Please Print Name / Date
Signature of Responsible Person / Date
Signature of Chief Information Security Officer
(must be signed by CISO prior to Department Head signature) / Date
Signature of Department Head / Date
Section 4 (The following fields to be completed by the Director of IT Security)
Follow up meeting held with: / Date:
Status report title: / Completed on:
Written response prepared by: / Delivered on:
Problem resolved on: / Date:
Incident Handler Rpt & Corrective Action Plan / Current as of: 03/18/2016
brown.edu/go/cirt