Organizational Models for Computer Security Incident Response Teams (CSIRTs)
[2 Establishing CSIRT Capabilities]
[4 Security Team--Using Existing IT Staff]
[8 Coordinating CSIRT]
[10 Closing Remarks]
Bibliography
Killcrece, Georgia; Kossakowski, Klaus-Peter; Ruefle, Robin; & Zajicek, Mark. CSIRT Services List. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2002.
Killcrece, Georgia; Kossakowski, Klaus-Peter; Ruefle, Robin; & Zajicek, Mark. State of the Practice of Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-2003-TR-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2003.
Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4).
West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998.
West-Brown, Moira J.; Stikvoort, Don; Kossakowski, Klaus-Peter; Killcrece, Georgia; Ruefle, Robin; & Zajicek, Mark. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-2003-HB-002). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2003.
The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.
Copyright 2004 by Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.
External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.
This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 52.227-7013.
For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).
REPORT DOCUMENTATION PAGE (Form Approved OMB No. 0704-0188)

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

| Field | Value |
|---|---|
| 1. agency use only (leave blank) | |
| 2. report date | December 2003 |
| 3. report type and dates covered | Final |
| 4. title and subtitle | Organizational Models for Computer Security Incident Response Teams (CSIRTs) |
| 5. funding numbers | F19628-00-C-0003 |
| 6. author(s) | Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle, & Mark Zajicek |
| 7. performing organization name(s) and address(es) | Software Engineering Institute |
| 8. performing organization report number | CMU/SEI-2003-HB-001 |
| 9. sponsoring/monitoring agency name(s) and address(es) | HQ ESC/XPK |
| 10. sponsoring/monitoring agency report number | |
| 11. supplementary notes | |
| 12.a distribution/availability statement | Unclassified/Unlimited, DTIC, NTIS |
| 12.b distribution code | |
| 13. abstract (maximum 200 words) | When a computer security attack on an organization occurs, an intrusion is recognized, or some other kind of computer security incident occurs, it is critical for the organization to have a fast and effective means of responding. One method of addressing this need is to establish a formal incident response capability or a Computer Security Incident Response Team (CSIRT). When an incident occurs, the goal of the CSIRT is to control and minimize any damage, preserve evidence, provide quick and efficient recovery, prevent similar future events, and gain insight into threats against the organization. This handbook describes different organizational models for implementing incident handling capabilities, including each model’s advantages and disadvantages and the kinds of incident management services that best fit with it. An earlier SEI publication, the Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-2003-HB-002), provided the baselines for establishing incident response capabilities. This new handbook builds on that coverage by enabling organizations to compare and evaluate CSIRT models. Based on this review they can then identify a model for implementation that addresses their needs and requirements. |
| 14. subject terms | CSIRT, computer security incident response team, incident handling, incident response, computer emergency response team, incident management, incident response management, CERT/CC, CERT Coordination Center, CSIRT models |
| 15. number of pages | 156 |
| 16. Price Code | |
| 17. security classification of report | UNCLASSIFIED |
| 18. security classification of this page | UNCLASSIFIED |
| 19. security classification of abstract | UNCLASSIFIED |
| 20. limitation of abstract | UL |

NSN 7540-01-280-5500

Standard Form 298 (Rev. 2-89)