Organizational Models for Computer Security Incident Response Teams (CSIRTs)
7 Combined Distributed and Centralized CSIRT
7.1 Overview
In this model a dedicated, centralized CSIRT is established that interacts with team members who are distributed throughout the organization in various geographic sites and divisions. The centralized team provides high-level analysis and recommends recovery and mitigation strategies. It also provides incident, vulnerability, and artifact response support for the distributed team members and other parts of the enterprise. The distributed team members at each site implement the strategies and provide expertise in their areas of responsibility. This model is referred to as the "combined CSIRT" throughout the rest of this document.
This model maximizes the utilization of existing staff in strategic locations throughout the organization with the centrally located coordinating capability of the dedicated team to provide a broader understanding of the security threats and activity affecting the constituency. It has management support in assigning needed resources during times of crisis.
It builds on the infrastructure and expertise in the local areas where the distributed team members facilitate incident analysis and response (working with others in the organization--system, network, and security administrators, software developers, LAN/WAN managers, etc.--who are not part of the CSIRT). The CSIRT responds to reports of abnormal activity or other incident reports, participates in incident and vulnerability analyses, lends expertise in testing or assessing the security of the enterprise, and plays a proactive role in promulgating computer security awareness and training throughout the organization.
The model provides a centralized team that can collect information from a wide variety of constituent sources and quickly synthesize and disseminate it across the enterprise.
The combined team works best if it has full authority to analyze activity and shared authority to respond to incident activity as it occurs. No enterprise-wide action is taken or recommended without the approval of the CSIRT manager and possibly upper management such as a CIO, CSO, or CRO. The team also has the authority to enforce recovery and mitigation strategies with the approval and consent of the management. Divisional and functional unit managers are notified of any action to be taken in their areas and are involved in the decision-making process to determine how to implement a response.
The team has the authority to release organization-wide advisories and other documents, including best practices, response and recovery steps, and security updates. The team can also be responsible for reviewing and analyzing all IDS or other network, system, or application logs. It should be pointed out that in some commercial organizations the CSIRT may have to play a subordinate role to a crisis management "team" during an incident. This is a team that is pulled together by management to handle any type of emergency situation. If this is the case, again, it will be important to clearly delineate roles, responsibilities, communication paths, and authority.
7.2 Supported Constituencies
This model works best for very large distributed organizations or constituencies. Although conceptually this model will work in a small organization, it is probably not necessary, and a centralized model would work better.
This combined model may have the same problems as the centralized CSIRT if the constituency is a large organization with multiple affiliate or subsidiary companies or groups.1 In this case, although seen as part of the same parent entity, each affiliate or subsidiary might have its own management structure, policies, procedures, and authority, or even its own internal CSIRT. This may cause problems in how much authority the combined CSIRT has over the systems, networks, and incident handling efforts in the affiliates/subsidiaries and may also cause problems in effecting a consistent level of response across these disparate units. Although a combined CSIRT can work in this organizational situation, a coordinating model may work better (see Section 8).
7.3 Organizational Structure
The combined team merges the characteristics and structure of the distributed CSIRT model and the centralized CSIRT model.
The combined team has a central location close to and reports to a top-level manager (such as a CIO, CSO, or CRO). The manager or designee represents the CSIRT in any organizational activities and groups related to computer security, internally as well as externally. There is generally a small, centralized core staff and then the distributed members are scattered throughout the organization.
There are a multitude of ways that a combined CSIRT can be configured regarding work assignments.
- One approach is to have the centralized team perform all triage and analysis work and task the distributed team to implement the response steps or procedures at their specific sites.
- Another approach is to have the centralized team just receive incident reports and then assign the actual analysis and response to the appropriate distributed team members based on functional expertise and geographic location.
- Still another option is to outsource all or part of the work of the centralized team to a third party contractor, which is managed by the CSIRT. The contracting organization may have staff on site as extended members of the CSIRT and may work with other distributed team members in the field.
It is possible in this model to have smaller teams of centralized and distributed team members pulled together to handle a specific incident. This can work well in organizations with a relatively small number of incidents. In larger organizations, a more formalized structure may be needed. Another approach to using the distributed staff is to identify individuals throughout the organization with defined subject matter expertise. The centralized team can then perform the majority of the incident handling tasks but call on these subject matter experts (SMEs) as needed.
Distributed team members can either be dedicated to CSIRT operations on a full-time basis or they can work part-time for the CSIRT in addition to their normal responsibilities. If the distributed members only perform CSIRT work part-time, then established agreements are necessary to outline when and how the distributed team members will work with the CSIRT. The distributed team member must be able to devote time to incident handling activities as required by the needs of the CSIRT. It is not recommended to have centralized staff members working on a part-time basis. However, in some instances, due to budget constraints, it may not be possible to have all full-time centralized team members. Instead there may be a core set of assigned staff who share responsibility for CSIRT functions. So there is always someone on the centralized team, but each staff member rotates on and off the team periodically.
All team members will need to use secure email or a secure intranet or extranet to communicate with members of the distributed team in the various operational units across the organization.
As part of a mentoring process, distributed team members can spend a period of time working in the central office to more fully understand the CSIRT services and operational framework, policies, procedures, and processes. This is also a way to develop personal relationships between central and distributed team members. In correlation with this, members of the centralized staff can spend some time at the distributed sites to better understand their working environment and computer security needs.
7.4 Triage
In the combined model, triage can be offered through two different structures. In the first, all reports and requests come into the central CSIRT office and are categorized, sorted, and prioritized there. In the second, reports come into the distributed sites, where initial triage is done and activity, events, or requests that cannot be handled by the distributed team are passed to the central office staff. In either case the centralized staff synthesize and track all reports.
No matter what structure is used to deliver the triage service, centralized incident and vulnerability tracking databases must be available and accessible by all members of the combined CSIRT, centralized and distributed alike. The team members access the central database to
- report problems (open reports or incidents)
- check on status
- update/close/reopen reports
- search for similar activity reports to identify solutions
Although accessible by all members of the CSIRT staff, these databases are owned and maintained by the central office.
As in the centralized and distributed models, well-defined policies and procedures for reporting incidents are available to constituents, and constituents are encouraged to report activity without fear of retribution.
7.5 Available Services
The following sections describe how CSIRT services might be provided in a combined CSIRT. It is recognized that every team is different, so these are general descriptions based on observations of and discussions with other teams. The method in which the service is delivered assumes a certain level of infrastructure, staff, and equipment, which are discussed in further sections.
7.5.1 Core Services
The core services characterizing this model do not differ significantly from those listed earlier in Section 5.5.1 (core services for an internal distributed CSIRT) or Section 6.5.1 (core services for a centralized CSIRT). The basic difference is in the approaches by which the services are offered and managed.
Alerts and Warnings
In a combined model, all alerts and warnings coming into the CSIRT or parent organization from other security experts, vendors, or CSIRTs are received by the centralized team component of the CSIRT. Information is usually received through some designated point of contact such as a CSIRT phone number or email alias. From there the alerts and warnings are disseminated to various points of contact throughout the organization, which are usually the distributed members of the team but which also might include system and network administrators, business managers, or security teams at distributed sites.
General alerts and warnings that affect all members of the constituency are sent to a predetermined mailing list by the centralized team. In this way a common message with a consistent set of steps to prevent or respond to any activity or security incidents can be sent throughout the organization. For this service to work efficiently there must be an up-to-date list of people and units to notify. This service fits well in a combined model.
If alerts, warnings, or advisories for the CSIRT's constituency need to be developed, these are assigned by the CSIRT manager to a member of the centralized team. The assigned staff can enlist the help of others in the organization or other members of the distributed team who have expertise that might be needed. They may also want to work with a technical writer to produce the final versions. If a technical writer is not on staff as part of the CSIRT, it may be possible to use staff with the needed skills from the constituency or parent organization. Whatever arrangement is used to obtain technical writing assistance, it should be established in advance, so that the technical writer can be called as needed.
Incident Analysis
The combined CSIRT incorporates a full-time, dedicated, centralized team with a distributed team that draws on existing expertise across the enterprise. Like the centralized CSIRT, the combined CSIRT has the resources to coordinate incident analysis at a higher level, to understand what is occurring across the enterprise, and to work with the local administrators to implement incident response actions as required.
The combined team uses resources throughout the enterprise (e.g., software testing labs, specific platform or software expertise) to conduct analysis. Tasks such as reviewing logs or monitoring intrusion detection systems can be assigned to distributed team members or handled by the central team. If handled at the local level, the results of these reviews are then shared with the centralized team members, who consolidate the data to determine patterns and trends across the organization and identify any additional work or follow-up actions to be passed back to the distributed team members for implementation.
Results of analysis are archived and accessible in a CSIRT database for daily operations and for future reference by all team members.
Incident Response Support
Combined CSIRT members work together to develop materials and disseminate information to the rest of the enterprise. For example, once solutions are identified and distributed by the centralized team, the distributed team members communicate the appropriate information to the local system, network, and security administrators and provide guidance and assistance on implementing recovery procedures for the reported activity.
Part of this service can be to provide direct assistance via telephone or email to the distributed members. It can also include providing this support to system, network, and security administrators across the enterprise. The amount of this work done will depend on the depth and breadth of services provided by the CSIRT and the size and expertise of the staff in both the central and distributed parts of the team.
CSIRT staff develop and document mitigation and recovery strategies to address the immediate threat for distribution to the rest of the organization as necessary. This notification can be achieved through secure mailing list aliases, secure web intranet or extranet servers, or even via phone or fax. Timely information that is important for all organizational staff to receive can be distributed via internal employee mailing lists if necessary.
One of the strengths of building a robust combined CSIRT is that the centralized and distributed members of the entire team all have a coordinated approach to handling CSIRT activities and they work in concert to ensure that remediation and response is handled appropriately. So, in those cases where immediate action must be taken, the distributed members have the requisite authority and understanding of what to do to activate responses independent of direction from the centralized part of the team. That is, they can undertake response or repair systems without receiving information, alerts, advisories, or guidance from the centralized team. However, as the distributed teams initiate such responses, they also communicate their actions with the centralized team to ensure the overall coordination of any enterprise-wide efforts.
Incident Response Coordination
This service is mainly provided by the centralized staff of the CSIRT. As the focal point for incident analysis and response, they coordinate the activities of the distributed team members to respond to enterprise-wide events and activity. The distributed team members, in turn, confirm that the local administrators have implemented the appropriate actions and relay this information back to the centralized team.
The centralized staff also acts as the liaison to other external CSIRTs, security experts, and sites that the CSIRT might need to contact or collaborate with. The CSIRT is the main point of contact for all incident and vulnerability work. They are also the liaison with legal counsel, human resources, upper management, and any other organizational group dealing with security issues.
Vulnerability and Artifact Response Coordination
Just like the centralized team, a combined CSIRT is better positioned than a security or distributed team to perform effective vulnerability and artifact response coordination, provided the necessary expertise exists in the team. With dedicated resources, the centralized team component of the CSIRT can provide comprehensive tracking, recording, and dissemination of information to the enterprise. By consolidating the information collected, the team is better able to identify similar attacks, artifacts, exploits, trends, and patterns. Potential new threats to the enterprise can also be identified. In this model, it is important that the team have expertise or familiarity with all platforms and operating systems used in the organization. If this does not exist within the centralized team component, then there must be mechanisms in place to collaborate with the distributed team members or other organizational experts who can provide the required knowledge.
Based on the results of the analysis of any vulnerability or artifact information, the CSIRT coordinates the release of remediation, detection, and recovery steps throughout the enterprise as required.
Even with a centralized CSIRT component, many teams find they do not have the skills, expertise, or time to provide this vulnerability and artifact coordination service effectively, so they depend on other CSIRTs to provide analysis and recommendations to the community (e.g., vendor sites, members of FIRST, computer security experts, the CERT/CC, or other CSIRTs). In this case, the centralized component of the CSIRT would be a point of contact for receiving this information from other experts and disseminating it as appropriate throughout the enterprise. This does not preclude distributed members from receiving information from security mailing lists and advisory lists. Anything the distributed members receive from external sources should be shared with the centralized team to ensure that everyone has seen the information.
Announcements
The centralized component of the CSIRT is in a position to be a good point of contact for all incoming information from external and internal sources regarding incident activity, vulnerabilities, and intruder trends. As part of the centralized function the team can review and filter all incoming information and pass it on to the distributed team members and to any other designated parts of the organization.
For this service to work properly, established channels and mechanisms for communicating information to the rest of the constituency must be in place and understood by the recipients. Established document types and distribution procedures should also be in place. Announcements might be about intruder trends noted in the general Internet community but not yet affecting the constituency, vulnerabilities that have been discovered, or new incident information that may have an impact on the enterprise. Mechanisms for disseminating announcements may include mail distribution lists, advisory mailing lists, CSIRT web page posts, or even recorded messages in phone systems.
Technology Watch
Having a dedicated staff in the centralized component of the combined team model means there will probably be sufficient resources to provide a technology watch service. This service could be offered in a number of ways. The centralized staff could take all responsibility for doing the research and synthesis of this information, or assignments could be made to members of the distributed team, based on their expertise and interest.
No matter who collects and researches the information, the centralized team consolidates the information and disseminates it to the rest of the combined team and to any other appropriate members of the enterprise. Consolidated information can include current threats and trends, new technologies, new attacks, new tools, or even legal issues that may potentially affect the organizational operations of the enterprise or the CSIRT. The distributed members of the team can then pass this information along to those at their site who they feel should see it.
Security-related information that affects the organization can be posted to a mailing list or an intranet discussion site as a means of keeping network, system, and security administrators up to date. This notification can also be used to raise the level of security awareness for all members of the enterprise. Such an information distribution site can provide educational benefits by allowing people to post questions that can be answered by the CSIRT staff if time permits.
Security-Related Information Dissemination
In the combined model, the centralized team component allows the CSIRT to focus on providing security-related information to the rest of the organization.
The CSIRT can establish a centralized web site (and FTP site, if appropriate) to provide organization-wide access to appropriate security-related information. They can also use these sites to disseminate information from other external sources that has been tailored to the needs of the constituency in regard to supported technologies and software. Information can also be distributed via newsletters and mailing lists. Special communication plans between the centralized and the distributed team members need to be in place along with a supporting infrastructure so that the two areas can communicate in a secure fashion when needed, and can quickly get a hold of each other. This may mean special mailing lists, phone trees, or other communication channels need to be established and kept up to date.
Information disseminated includes current activity reports, threat trends and patterns, security awareness tutorials, incident reporting forms and guidelines, current updates on CSIRT developments, and any special security-related information on various applications, protocols, and security or attack tools.
If the CSIRT web and FTP sites are not maintained by the team but by other parts of the IT group, then it will be important for the CSIRT to work closely with the administrators to ensure the server is adequately protected and that information is updated in a timely manner.
7.5.2 Additional Services
In addition to its core services, a combined CSIRT may choose to offer other services. The following services are those most likely to be provided.
Incident Response On Site
On-site assistance is possible in this model when supported by the distributed team members. While the centralized team continues to provide CSIRT services such as incident response support, the knowledge and expertise of distributed team members can substantially increase the ability of the organization to handle incidents effectively and efficiently at the local levels.
If this service is offered it will most likely be done by the distributed team members who know the systems and networks at the remote sites. For this to work effectively they must have good relationships with the existing system, network, or security administrators at the sites. In most cases, they are probably system, network, or security administrators themselves.
Intrusion Detection Services
In this model the overall authority for reviewing and summarizing intrusion detection reports can be given to the centralized component of the combined CSIRT, if appropriate. This gives a dedicated and focused group the responsibility for this task. Distributed team members can be called upon to provide more in-depth operational and business knowledge and assistance for the analysis as required. If other parts of the organization provide intrusion detection services, the CSIRT should establish agreements and channels of communication for getting information from or access to their logs when necessary.
For the delivery of this service the central CSIRT can be responsible for monitoring the IDS for the whole enterprise. Alternatively, the initial review of the logs can be done by the distributed team members or even other system and network administrators at the local level. Logs are still sent to the central CSIRT for further analysis, where they can be synthesized to determine if there are any patterns or trends that would indicate specific network activity that cannot easily be seen by doing a daily review at the local level.
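The point made above, that consolidating all sites' logs centrally can reveal activity a per-site daily review misses, as an added Python example that is not part of the original document. The log format, site names, IP addresses (documentation ranges) and thresholds are all constructed for illustration.

```python
"""Added example: local per-site review versus central cross-site correlation.
Not part of the original document; all data below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample logs. Assumed format: "<site> <timestamp> <src_ip> <event>".
# Each distributed site normally reviews only its own lines.
SAMPLE_LOGS = """\
site-east  2024-03-01T02:10:05 203.0.113.7   auth_failure
site-east  2024-03-01T02:10:09 203.0.113.7   auth_failure
site-east  2024-03-01T08:44:12 198.51.100.23 auth_failure
site-west  2024-03-01T02:11:40 203.0.113.7   auth_failure
site-west  2024-03-01T02:11:44 203.0.113.7   auth_failure
site-west  2024-03-01T14:02:01 192.0.2.88    auth_failure
site-north 2024-03-01T02:12:30 203.0.113.7   auth_failure
site-north 2024-03-01T02:12:33 203.0.113.7   auth_failure
site-north 2024-03-01T02:12:36 203.0.113.7   auth_failure
site-north 2024-03-01T11:30:00 198.51.100.23 auth_failure
"""

# Constructed thresholds: a site escalates a source only above this many
# failures per day; the central team flags a source seen at this many sites.
LOCAL_THRESHOLD = 5
MIN_SITES_FOR_CENTRAL_FLAG = 3


@dataclass(frozen=True)
class Event:
    site: str
    ts: str
    src: str
    kind: str


def parse_logs(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        site, ts, src, kind = line.split()
        events.append(Event(site, ts, src, kind))
    return events


def local_review(events: list[Event], threshold: int = LOCAL_THRESHOLD) -> dict:
    """Per-site daily review: each site counts only its own failures and
    escalates sources that exceed the local threshold. Returns
    {site: [escalated sources]}."""
    per_site: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.kind == "auth_failure":
            per_site[e.site][e.src] += 1
    return {
        site: sorted(src for src, n in counts.items() if n > threshold)
        for site, counts in per_site.items()
    }


def central_correlation(events: list[Event],
                        min_sites: int = MIN_SITES_FOR_CENTRAL_FLAG) -> dict:
    """Central team view: consolidate all sites and flag any source that
    touches several sites, even if it stays under every local threshold.
    Returns {src: {"sites": [...], "total": n}} for follow-up to the
    distributed team members."""
    sites_by_src: dict[str, set] = defaultdict(set)
    total_by_src: Counter = Counter()
    for e in events:
        if e.kind == "auth_failure":
            sites_by_src[e.src].add(e.site)
            total_by_src[e.src] += 1
    return {
        src: {"sites": sorted(sites), "total": total_by_src[src]}
        for src, sites in sites_by_src.items()
        if len(sites) >= min_sites
    }


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("local escalations:", local_review(evs))      # nothing escalated
    print("central flags:", central_correlation(evs))   # 203.0.113.7 across 3 sites
```

Each site sees at most three failures from 203.0.113.7 and escalates nothing; only the consolidated view shows the same source probing all three sites within minutes.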
In this combined model all involved personnel need specialized IDS training. The centralized CSIRT, with input from the distributed members, provides guidance on distinguishing normal and abnormal network behavior and identifies appropriate response mechanisms and processes for any abnormal activity seen.
Vulnerability and Artifact Analysis
If the centralized component of the combined team has staff dedicated to CSIRT work, they may have the resources and expertise to engage in technical vulnerability and artifact analysis.
If analysis is not done, information about vulnerabilities and artifacts is obtained from other entities such as other external CSIRTs and security experts, as described in "Vulnerability and Artifact Response Coordination" in Section 5.5.1.
However, for the centralized team component of the CSIRT to be able to gauge the impact and threat of a particular vulnerability or artifact across their infrastructure, they may need to rely on the expertise of the operational staff that run the various parts of the infrastructure and the business managers who are responsible for each area.
Security Audits or Assessments
With its technical expertise and experience handling new vulnerabilities, real incidents, and artifacts, the centralized component of the combined CSIRT could participate with an audit or assessment team in the provision of this service, or provide input into the development of compliance criteria and requirements.
The centralized team can also provide the lead in coordinating and maintaining any proactive vulnerability scanning or penetration testing that may occur. However, various members of the distributed team could also provide part of these services for their particular section of the organization and report the results back to the centralized component.
Configuration and Maintenance of Security Tools, Applications and Infrastructures
Configuration and maintenance of security tools, applications, and infrastructures could be part of the assigned tasks given to the distributed members of the combined CSIRT if this is part of their normal operational work or if they are the system and network administrators for the related parts of the infrastructure. If the distributed team members do not have technical skills, this would not be a service they would provide.
Although it is possible for the staff of the centralized team component of the combined CSIRT to perform configuration and maintenance of security tools, applications, and infrastructures, that is not usually one of their primary functions. However, for some team structures, the CSIRT staff may indeed maintain border firewalls, do network monitoring, and also recommend security configurations for various systems and services on the network infrastructure. If such tasks are performed, the CSIRT staff will need to have a good understanding of the mission and function of all critical infrastructure components and their relationship to each other.
The system and network components configured and maintained can include firewalls, VPNs, IDS, and even virus scanners. Work may also involve user account and password management or the review of network, system, security, and accounting logs.
Development of Security Tools
If the centralized component of the combined team has dedicated resources, these team members may develop extensive expertise related to programming and software development. In such cases members of a centralized team might develop tailored tools to provide workarounds or temporary fixes to help resolve situations in which no patch or mitigation strategy is available. Delivery of such a service will depend on the expertise of the team members and the priority of other duties and functions. It is also possible that various members of the distributed team, if they have a background or operational knowledge as system and network administrators, may also be able to develop such tools for use in their part of the infrastructure.
7.5.3 Impact on Security Quality Management
By having a distributed team working in conjunction with a centralized team, a framework for incident management is established that provides a dedicated staff with skills in incident analysis and response and distributed members with expertise in the various business systems scattered throughout the enterprise.
The centralized team can focus on analyzing patterns of activity across the enterprise. They can use this information and the knowledge gained by doing incident and vulnerability handling to provide recommendations on defensive strategies to implement to protect the critical assets of their constituency. They can use this information to create configuration guidelines, security awareness briefings, technical reports, and training.
The distributed CSIRT members have a connection to the various sites within the enterprise. They should have established working relationships with business managers and IT staff at these sites, so that they can implement the recommendations and strategies provided by the centralized CSIRT staff. Their work at the sites provides the CSIRT with an operational understanding of the enterprise that a centralized staff by itself would not have.
The CSIRT manager makes assignments (such as authoring best practice documents and developing bulletins, alerts, and checklists) to the appropriate centralized and distributed team members who have experience in the related platform or system. Short-lived, ad hoc teams may come together to develop particular materials, providing more opportunity for the distributed and centralized team members to work together and share information.
This combined team creates a two-way line of communication between the distributed sites and the centralized component of the CSIRT. Staff can use this information flow to get information into the team and to pass security awareness training, response steps, or general knowledge back to the local administrators.
The centralized team, with input from the distributed team, works with human resources (or a similar department) to identify needed computer security training for the organization. The CSIRT bases its input on the common types of activity that are seen and the tools used by the constituency. A security curriculum is developed that is geared to the functional responsibility of the CSIRT constituency and staff.
Members from both the centralized and distributed teams can be assigned to visit various organizational site locations to provide briefings, security awareness training, and instruction on security issues, tools, and recovery techniques. Distributed team members can rotate through periodic assignments in the centralized team office to broaden their security training and help them better interact with the centralized team. The central staff members can also do periodic rotations at the distributed team locations to better understand their processes and needs.
Incident and vulnerability trends, knowledge about weaknesses in the enterprise and needed security precautions, and other information gathered by the CSIRT is useful in many security quality management services, including the provision of audits and assessments, business continuity planning, and disaster recovery planning.
Having a distributed team can provide the centralized team more time to devote to product evaluation or security consulting. The CSIRT, due to its position in the organization, should be heavily involved in the development of enterprise-wide security policies. Where appropriate, members of the distributed team may be pulled into security quality management initiatives and services based on their technical knowledge and operational understanding of the business functions of the enterprise.
7.6 Resources
The following staffing, equipment, and infrastructure resources should be considered when implementing a combined CSIRT model.
7.6.1 Staff
A combined CSIRT provides a centralized staff that devotes 100% of their time to incident response services. The distributed team supplements and supports the CSIRT core activities on a full- or part-time basis.
The centralized staff contains the following individuals:
- one manager and a designated backup
- one administrative support person
- several (typically four to six) technical staff (equivalent to experienced system/network administrators or others who have experience in incident/vulnerability handling activities, preferably those who have expertise with platforms supported by the organization). The number of technical staff needed will depend on the size of the constituency and the number and level of services offered.
- one or more system administrators to provide infrastructure support and possibly platform expertise (could be shared with other departments)
- one or more hotline/help desk staff. These staff can also perform triage and can be shared with other parts of the organization such as a centralized help desk. These positions are optional.
The distributed staff is composed of
- sufficient distributed staff (number determined by parent organization) with appropriate backups identified
- adjunct staff who are part of the CSIRT on an as-needed basis (previous agreements on interactions with the CSIRT would need to be defined and agreed to by management):
  - technical writers
  - trainers/instructors
  - public affairs staff
  - legal/criminal investigators
  - other technical experts (Windows, UNIX, or mainframe experts; database administrators; managers)
The size of the distributed team is determined by the size and diversity of the organization. It can consist of 10 members or 50 or even more. It might be composed of several smaller teams dispersed throughout the organization (e.g., geographically located or organizationally delineated) that serve a specific division, area, or set of individuals.
7.6.2 Equipment
Equipment is needed to support the centralized CSIRT staff. This includes (but is not limited to) the following:
- office space and furniture (desks, copier, supplies, etc.)
- computer equipment for day-to-day operations and activities
- non-production test lab facilities
- travel and home equipment (for remote access, training, and on-site visits)
- telephones (secure telephones, fax, cellular, pagers)
The distributed team members use computer equipment, telephones, pagers, etc. that are already part of the organization's infrastructure or that are purchased for the CSIRT's use. In either case, they need access to secure phones, email, and intranets/extranets to be able to effectively and securely correspond with the centralized team. This might be easier if the computer equipment is also fully controlled by the CSIRT.
7.6.3 Infrastructure
The infrastructure provides a secure environment for CSIRT day-to-day operations. This includes (but is not limited to) the following:
- physical security
- protected power sources and generator (if appropriate)
- a firewall or separate network to isolate the CSIRT network from the rest of the organization
- network and host security
- secure intranet
- a robust and secure tracking system (trouble ticket system, relational database, etc.)
- secured repository for storing and archiving all incident and vulnerability data
- secure communications support (email, phones, faxes, videoconference, etc.)
- web services
- encryption technologies
- virus protection and scanning software
- secure backups and storage for CSIRT data
The distributed team members will need to use some type of protected network connection such as a VPN or extranet to work collaboratively with the centralized team. In essence, a separate CSIRT network is required throughout the enterprise to protect the incident and vulnerability handling information and related materials such as emails, advisories, and any other site-sensitive data that the team members will access. Secure access to the central incident tracking system is paramount for this model to work effectively.
As with the distributed model, if needed equipment cannot be borrowed or purchased, collaborative agreements can be made with other trusted experts to conduct needed analysis and testing.
7.7 Summary
In the combined CSIRT a dedicated, centralized team is augmented with distributed team members from the functional business operating units.
7.7.1 Impact on Constituency
This combined model provides the organization with a clear mechanism for proactively managing its computer security risks and provides a broader understanding of the security threats and activity affecting the constituency. The model leverages the CSIRT capabilities of the distributed team members to provide a localized view into the constituency. This increases the organization's ability to assess the state of the enterprise very rapidly by sharing information between the distributed and centralized team members. This information allows the organization to analyze potential threats and risks across the enterprise and to determine the appropriate levels of prevention and mitigation necessary to provide adequate levels of security.
The major impact to the constituency is that now it must interface with the CSIRT. This means that the constituency must understand the function and purpose of the CSIRT. It must be trained in how and when to contact the CSIRT. Divisions that previously handled their own incident and vulnerability response must now learn to work with the CSIRT. New policies and procedures, organizational processes, and communications mechanisms must be developed. The CSIRT work and functions must be integrated into the existing enterprise. The transition to this model, however, can be facilitated by the distributed team members, who are already working at the local level and are known to the constituents.
In turn, the centralized CSIRT must take the time and effort to understand not only the enterprise infrastructure but also the business needs and priorities of each part of the organization. This will require establishing good channels of communication between the CSIRT and other parts of the organization and a methodology for interacting with other business sectors to get their input and expertise during incidents that affect their systems and networks. Again, the distributed team members can help facilitate this interaction.
The CSIRT must be included in all long-term strategic planning regarding not only infrastructure support but also the implementation of new business services. This will help them to understand the service from its beginning so that they can provide insight into any security problems or issues that must be addressed, and also so they can understand the priority and function of this service so that they can provide the best response possible.
The CSIRT should also be involved in any change management or configuration management systems or communications channels that exist in the organization. The CSIRT needs to be aware of changes in the infrastructure and also needs to understand what type of configuration defenses are in place. Based on their understanding of current security problems and intruder trends, the CSIRT can also provide input into best practices for configuring systems in a secure fashion.
7.7.2 Constraints
The main constraint in this model is the difficulty of building and operating a dispersed team across a variety of geographical and physical locations. Other challenges include ensuring that the distributed and centralized staff work together effectively and implementing a feedback mechanism to ensure that response efforts are carried out according to the CSIRT's guidelines.
If the distributed parts of the organization are in other countries or are separate affiliated companies, there may also be difficulties in coordinating actions because of differences in policies, languages, laws, and time zones.
7.7.3 Strengths and Weaknesses of the Model
The strengths of this combined model are that it provides a CSIRT composed of a stable core of professionals along with a network of affiliated members in the operating units. The centralized members provide the stability, expertise, and permanent infrastructure, while the distributed members provide the operational knowledge and expertise, along with established connections to the business units at the local levels.
The greatest weakness of this approach is that there are now two systems to manage and coordinate. If not handled well, the result may be a disconnected centralized team along with an ineffectual distributed component.
The strengths and weaknesses of this model include the following:
- Strengths
  - CSIRT functions are performed by a focused, dedicated staff who are trained in computer security response and recovery.
  - The distributed team members in the field support the centralized team, providing expertise in the local systems and operations.
  - There is coordinated incident reporting, analysis, and response across the enterprise.
  - There is a centralized responsibility for synthesizing and analyzing information to determine trends and patterns for the entire enterprise. This provides a consolidated and comprehensive view of the vulnerabilities and incident activity across the constituency.
  - There is a central repository for incident, vulnerability, and artifact data and related information.
  - The CSIRT is able to use this information to provide valuable guidance and recommendations to the constituency (advisories, alerts, warnings, technical documents, checklists, best practices, etc.).
  - This model facilitates the implementation of organization-wide computer security guidelines and procedures.
- Weaknesses
  - It is difficult to coordinate with all geographic and divisional sites.
  - The centralized team may seem isolated from the rest of the organization.
  - The distributed team may believe responsibility rests with centralized members.
  - The organization may need to fill a number of new positions and purchase additional equipment.
  - It is difficult to determine the correct size of the CSIRT staff.
  - The CSIRT will need to obtain sustained funding for central and distributed team expenses.
  - Depending on the location of the centralized CSIRT in the organization, it can be difficult to get support from other divisions to follow CSIRT recommendations.
  - It is difficult to manage and coordinate coverage in all the areas of expertise necessary.
  - Finding "experts" in the organization may be cumbersome, and over time there can be problems with turnover, as well as training issues.
  - It can be difficult to ensure that all divisions act on recommendations in a timely, appropriate manner.
  - Information may have to flow through division heads to be implemented, causing a delay in response and recovery time.
  - The CSIRT must build or purchase a robust tracking system.
  - Distributed staff members may be unwilling to take on the additional responsibility unless they perceive some value in the work or receive additional compensation for it.
1 As described in Section 6.2, "Supported Constituencies," for an internal centralized CSIRT.