State of the Practice of Computer Security Incident Response Teams (CSIRTs)
[Who is the CERT CSIRT Development Team and What Do They Do?]
[Acknowledgements]
[3 Current State of the Practice of CSIRTs]
[6 Closing Remarks]
[Appendix B: Comparison of Incident Response Steps and Processes]
[Appendix C: Training Sources for CSIRTs]
[Appendix E: Sample Incident Reporting Forms and Flowcharts]
6 Closing Remarks
This document discusses a wide variety of issues within the practice of establishing and operating a CSIRT. Although many topics were discussed, we realize that the first edition of this technical report could not be a comprehensive, inclusive look at the state of the practice of CSIRTs. But it is an initial attempt to begin to collect information on the history, practice, structure, services, and challenges of CSIRTs.
There is much more information other teams could have contributed to this body of work, but it was not possible to talk or interact with every team. To that end we would like to get your feedback on this technical document: did it meet your expectations, was it helpful, what was missing, and what was beneficial? We would welcome any data you have collected regarding the issues addressed in this document that you are able and willing to share. We would also welcome hearing about any best practices, case studies, success stories, or other experiences that you or your team may have in creating and operating a CSIRT and that we could incorporate into future editions.
Please feel free to contact us at csirt-info@cert.org.
If you are interested in reading more about CSIRT development and operations, a good place to start is the newly revised Handbook for CSIRTs, which is available on the CERT web site at http://www.cert.org/archive/pdf/csirt-handbook.pdf. You can also find many interesting and helpful articles in the bibliography attached to this document.
If you are interested in learning more about CSIRTs and processes and best practices for incident handling, you may want to attend one of our CSIRT courses. You can find course information and schedules at http://www.cert.org/nav/index_gold.html.
Once again we would like to thank everyone who helped us in the creation and production of this document. Without your support, we would not have been able to publish this state of the practice.