The Computer Security Incident Response Team (CSIRT)
It would be a mistake to think that any response plan can be created and then effectively held in cold storage.
The CSIRT is a centre of information security, incident management and response within an organisation. It is designed to quickly respond to incidents such as cyberattacks.
While it has a very practical application, the existence of such a team also helps foster a culture of security within the business, which is incredibly important if all employees are to develop and maintain risk mitigation and compliance behaviours. However, before launching a CSIRT programme, it is important to consider all operational and technical issues. These include equipment, security and resourcing.
Start by conducting a gap analysis of your current cyber programme: include your capabilities to respond to incidents and the mitigations that are currently in place to deal with cybersecurity incidents. With this in hand, you can seek management support and buy-in to
the programme, which will be essential for it to be successful.
Once you have this, you can begin determining the CSIRT strategic plan and go on to:
1. Gather relevant information
2. Design the CSIRT vision
3. Research best practices
4. Determine the standards and regulations you need to follow and adhere to
5. Outline the team and its structure
6. Prepare templates
7. Establish and communicate the CSIRT vision
8. Develop and document the programme, plan and playbooks
9. Train the team
10. Begin implementation
11. Announce the CSIRT
12. Evaluate its effectiveness
Building the right team
The CSIRT team should include:
• Business managers: they are the front line of the business’s processes and therefore need to buy in to what the CSIRT is there to do and the authority it will need to have to make decisions should critical business systems have to be disconnected from the network or shut down
• IT: IT must be represented as they are custodians of the IT infrastructure and network within the organisation. Clear guidelines must be set on how IT and the CSIRT interact, as well as ‘who does what’ should a response be triggered by
Issue 19 | www.intelligentciso.com