Computer Security Incident Response Teams
When computer security incidents occur, organizations must respond quickly and effectively. The SEI supports the international community of computer security incident response teams (CSIRTs) that protect and defend against cyberattacks.
Helping Organizations Protect Themselves
We help government and industry organizations develop, operationalize, and improve their incident management capabilities so they can protect themselves from attack and limit the damage and scope of attacks.
Evaluating Incident Management Capabilities
We offer two methods that organizations can use to evaluate and improve their capability to manage computer security incidents:
- Incident Management Capability Metrics
The IMCM provides organizations with a baseline against which they can benchmark their current incident management processes or services.
- Mission Risk Diagnostic for Incident Management Capabilities
MRD-IMC is a risk-based approach for assessing how well an incident management function is positioned to achieve its mission and objectives.
We support CSIRTS with resources for planning, developing capabilities and skills, networking, and staying up to date. Your participation and feedback make these resources useful and successful. Contact us to get more information or suggest improvements.
Reading our case studies about national information security teams can be an effective way for incident management teams to get started or improve their performance.
Between 2000 and 2009, Colombia’s Internet penetration grew rapidly from 3% to 45%. The government soon realized that something had to be done about computer security, and after a thorough investigation of different possibilities, colCERT was formed.
Use of the CERT Mark and Graphic
CSIRTs that share our commitment to improving the security of networks connected to the Internet may apply for authorization to use the CERT mark in their names and use a special graphic on their website. In this way, they can indicate that their CSIRT is part of a network of teams that provide similar services. See Authorized Users of the CERT Mark.
Our extensive collection of resources covers an array of CSIRT topics, including how to create and operate a CSIRT.
Building an International Network of CSIRTs
Working together is the most effective way to challenge cyberattacks. We foster relationships among over 50 National CSIRTs worldwide by providing mechanisms for cooperation and collaboration.
Networking and a Community of Practice
A CSIRT with National Responsibility (or "National CSIRT") is a CSIRT that has been designated by a country or economy to have specific responsibilities in cyber protection for the country or economy. A National CSIRT can be inside or outside of government, but it must be specifically recognized by the government as having responsibility in the country or economy. View a complete list of National CSIRTs.
The National CSIRT Collaboration Wiki helps you cooperate and collaborate with your fellow National CSIRTs to solve common problems, exchange information about technical projects, and discuss other relevant work.
Annual NatCSIRT Meeting
Since 2006, the CERT Coordination Center has been hosting an annual meeting for National CSIRTs (“NatCSIRTs”) immediately following the FIRST Conference. This meeting provides an opportunity for organizations responsible for protecting the security of nations, economies, and critical infrastructures to meet and discuss the unique challenges of their roles.
Beneficial to both new and established National CSIRTs, the meeting provides a forum for networking and collaboration. Discussions are participantdriven and often focus on current issues, tools, and methods relevant to the National CSIRT community. We also allocate some sessions for CSIRTs representatives to give presentations about their collaborative work or research. If your team is involved in a collaborative or unique project that would be of interest to other National CSIRTs, we encourage you to consider presenting.
International Community Resources
Our colleagues in the international community offer many valuable resources—including those linked below—on topics such as incident response and CSIRTS.
In Identifying a Shared Mental Model Among Incident Responders, the authors explore how effective communication might be improved developing a mental model internalized by the group’s technical staff prior to an incident.