Organizational Models for Computer Security Incident Response Teams (CSIRTs)
[2 Establishing CSIRT Capabilities]
[4 Security Team--Using Existing IT Staff]
[6 Internal Centralized CSIRT]
[8 Coordinating CSIRT]
[10 Closing Remarks]
10 Closing Remarks
The focus of this document has been the presentation of several organizational models for providing a CSIRT capability. While there is no "best" model, each one of them has distinct benefits for a particular situation or environment. Care has been taken to elaborate on the description of possible services to help you make an appropriate selection of a model in terms of a package of services. It is important to note that there is no easy answer as to which model would best suit an organization; each organization's structure and requirements must be carefully considered. Also, while not every organization will fit a specific model for a CSIRT, every organization needs to be prepared to address computer security incidents and problems in its day-to-day operations.
We have also described some of the issues an organization is likely to encounter in the delivery of incident handling services. It is our hope that the descriptions of how delivery of each service might work within the models have helped you gain a better understanding of the strengths and limitations of each model.
Once your organization has selected a model, you should refer to the Handbook for CSIRTs [West-Brown 03] to learn more about how to implement and operate your CSIRT.
If you have comments about any of these models or if you know of a model that differs from those described here (or offers other services we haven't described), let us know. Please email us at csirt-info@cert.org with any comments, criticisms, or recommendations concerning this document, Organizational Models for CSIRTs. We'd like to hear from you.