search menu icon-carat-right cmu-wordmark

Overview of Creating and Managing CSIRTs - eLearning

This three-hour course provides a high-level, consolidated view of information that is contained in two other CERT courses: Creating a CSIRT and Managing CSIRTs. Its main purpose is to highlight best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT). Much of the course material is also applicable to incident management within other types of security operation teams such as security operation centers (SOCs).

The course will explore the relationship between CSIRTs, incident management, and security operations, and discuss how successful incident management requires an enterprise view and approach. It will present a process-based model for structuring incident management activities and also provide an introductory view of CSIRTs to anyone new in the field. Basic topics discuss the purpose and structure of CSIRTs and a high-level overview of the key issues and decisions that must be addressed in establishing and maintaining a CSIRT. Other topics include a discussion of CSIRT services as well as key policies, procedures, methods, tools, and infrastructure components that are needed to effectively operate a CSIRT.


This tutorial is designed to provide managers and other interested staff and relevant stakeholders with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs including what a CSIRT is and the type of activities a CSIRT performs. Interested attendees may include

  • individuals tasked with creating a CSIRT
  • C-level managers (chief information officers (CIOs), chief security officers (CSOs), chief information security officers (CISOs) etc.) of organizations with an existing CSIRT or planning a CSIRT
  • CSIRT or SOC managers
  • project leaders and team members related to CSIRT or SOC operations
  • system and network administrators
  • existing security staff, such as privacy officers, audit or risk staff
  • human resources
  • media or public relations staff
  • constituent members
  • law enforcement
  • legal counsel

No previous incident-handling experience is required.


At the end of this course, the attendee will be able to

  • define the terms incident management and CSIRT
  • differentiate between incident management and incident response activities
  • describe activities conducted in the five processes that make up the CERT Incident Management Process Model: Prepare, Protect, Detect, Triage, and Respond
  • identify the type of work that CSIRT managers and staff may be expected to handle
  • explain the purpose and structure of CSIRTs
  • define the variety and level of services that can be provided by a CSIRT
  • identify policies and procedures that should be established and implemented for a CSIRT
  • apply process improvement techniques for operating and evaluating an effective CSIRT


  • Creating an Effective CSIRT
    • What is a CSIRT?
    • What does a CSIRT do?
    • General categories of CSIRTs
  • CSIRT Components
    • Constituency
    • Mission
    • Organizational Issues
    • Funding
    • Services
    • Policies and Procedures
  • Operational Management Issues
    • CSIRT staffing issues
    • Managing CSIRT infrastructures
    • Evaluating the CSIRT's effectiveness
  • Incident Management Processes
    • Prepare
    • Protect
    • Detect
    • Triage
    • Respond

Learners will have one year to complete the course. Upon completing all course elements, the learner is awarded an electronic certificate of course completion.


This course is presented in the form of video instruction presented by experts from SEI/CERT. Learners will also be able to access additional resources, if applicable, related to the subject matter and a downloadable copy of the course presentation slides in .pdf format.


This course has no prerequisites.

To access the SEI Learning Portal, your computer must have the following:

  • For optimum viewing, we recommend using the following browsers: Microsoft Edge, Mozilla Firefox, Google Chrome, Safari
  • These browsers are supported on the following operating systems: Microsoft Windows 8 (or higher), OSX (Last two major releases), Most Linux Distributions
  • Mobile Operating Systems: iOS 9, Android 6.0
  • Microsoft Edge, Firefox, Chrome and Safari follow a continuous release policy that makes difficult to fix a minimum version. For this reason, following the market recommendation we will support the last 2 major version of each of these browsers. Please note that as of January 2018, we do not support Safari on Windows.

This is an eLearning course.

Register Now

Course Fees [USD]

  • eLearning: $450.00


Your access period will begin once you have been added to the SEI Learning Portal and launch the course.

If you wish to purchase this course for a group of learners, please email or telephone at +1 412-268-7388 for group rate details.

Course Questions?

Phone: 412-268-7388

Related Courses

  • Creating a Computer Security Incident Response Team

    1 - Day Course

    This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT) or similar capability. This course provides a high-level overview of the key issues and decisions that must be addressed in establishing an incident management capability. The course can also be...

    Learn More
  • Managing Computer Security Incident Response Teams

    3 - Day Course

    This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team. The course provides insight into the work that incident management staff and managers may be expected to handle. The course also provides...

    Learn More

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.