Organizational Models for Computer Security Incident Response Teams (CSIRTs)
Contents
- Abstract
- Establishing CSIRT Capabilities
- Internal Centralized CSIRT
- Coordinating CSIRT
- Closing Remarks
Preface
Many organizations today do not provide a formal or focused organizational incident response capability. Computer security and incident response issues are handled by various areas of the organization based on functional and platform expertise. Each area handles and prioritizes security events as they occur on an ad hoc basis. With the rise in the number of computer security incidents and the decrease in the time organizations have to respond to security events, this uncoordinated approach is no longer sufficient or effective. In light of that, many organizations today are looking to build formalized plans so they are prepared to handle security events when they occur.
Other motivators driving the establishment of formalized computer security incident response team (CSIRT) capabilities today include
- a general increase in the number and type of organizations being affected by computer security incidents
- a more focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
- new laws and regulations that affect how organizations are required to protect information assets
- the realization that systems and network administrators alone cannot protect organizational systems and assets
To help organizations face this situation and create suitable incident response capabilities, the Handbook for Computer Security Incident Response Teams (CSIRTs) [West-Brown 98] was written. This publication has become one of the main resources available regarding the formation and management of CSIRTs. The document was revised and updated in 2003 [West-Brown 03]. However, there are still many areas that the Handbook for CSIRTs did not cover in the desired depth, and other areas that could have been explored further. One of these areas, the need for more guidance in selecting the "right" model for an organization's incident response capabilities, is the topic of this new Organizational Models for CSIRTs handbook.
The handbook will focus on the various common organizational structures that a CSIRT might implement, regardless of whether they are from the commercial, educational, government or military sector and regardless of whether they provide an internal service or address an external constituency consisting of many independent organizations. Some of the issues that will be covered for each different model described in this handbook include
We hope that you will find this companion guide to the Handbook for CSIRTs useful in the planning and formation of your CSIRT. You might also find it a useful reference should you need to enhance your already established CSIRT activities. If you think that another organizational structure can better address your organization's needs and requirements, this guide can provide information that may help you determine what model would suit your team and constituency best.
The material in this handbook is based on our experiences in forming and operating our own organization's CSIRTs and through assisting other CSIRTs in their formation and operation. We are always looking to learn from the experiences of other teams. So if you have comments on or suggested additions to this document, or if you want to share your opinions, please contact us. We regularly attend Forum of Incident Response and Security Teams (FIRST) conferences and events [1], and we can be contacted in person or reached as a group by sending email to the following address: csirt-info@cert.org.
[1] More information on upcoming FIRST conferences can be found at http://www.first.org/events/.