State of the Practice of Computer Security Incident Response Teams (CSIRTs)
[Who is the CERT CSIRT Development Team and What Do They Do?]
[Acknowledgements]
[3 Current State of the Practice of CSIRTs]
[6 Closing Remarks]
[Appendix B: Comparison of Incident Response Steps and Processes]
[Appendix C: Training Sources for CSIRTs]
[Appendix E: Sample Incident Reporting Forms and Flowcharts]
5 Future Work
Based on the information collected in this State of the Practice of CSIRTs report, we believe the following areas of work are prime candidates for future development:
- State of the practice survey--continue collection of data with a new and updated survey that can be used to feed information into CSIRT best practice development
- CSIRT best practices--development of a series of best practice recommendations on CSIRT operations based on the current information collected and continued research
- CSIRT criteria--for developing teams, determining staffing skills, and determining team effectiveness
- CSIRT process guidelines--for offering various services
As a starting point, included below is a list of suggested topic areas where we see the need for more discussion or for more specific resources and guidelines to be developed. In many of these areas, work has already begun, or a prototype may even exist that can be used as a basis for further development.
- a new taxonomy specifically for CSIRT processes, incident data, and incident activity that can be accepted throughout the CSIRT community, perhaps through the development of an RFC
- agreed-upon criteria for what constitutes a CSIRT, including different types of teams
- a mechanism or mechanisms to identify and validate teams
- more formalized resources to help new teams, including sample forms, checklists, and templates for CSIRT processes and operations
- tools customized specifically for incident response work
- models for estimating the cost and size of a CSIRT based on sector and services offered
- guidelines on the services and processes needed for different CSIRT models and CSIRTs in different sectors
- guidelines and references to cyber crime laws and legal issues (on a country basis) for incident handlers
- use of certification criteria to develop new incident handler training and mentoring programs or enhance existing ones
We are seeking opportunities to collaborate with others in the CSIRT community who are interested in working on these types of issues with us. This collaboration can occur at a variety of different levels: provision of information, joint development of white papers and criteria, or even funding some of the needed research and resulting outputs related to these areas. If you are interested in collaborating with us, please contact csirt-info@cert.org.