Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
This summer, I was delighted to lead an 11-week graduate course on computer security incident response team (CSIRT) management in the Master of Science in Information Assurance program in the School of Graduate Studies of Norwich University.
The course used material I wrote for this column over several years and which I collected in a monograph available on my Web site.
Our courses have three weekly online discussion topics from weeks 1 through 10, and I am always on the lookout for publishable work our students have created. Mani Akella and Rick Tuttle took up my suggestion that they compile commentary from a number of students of diverse backgrounds in our cohort (class) into a usable series for this column. Mani and Rick worked with their fellow students to obtain corporate approval from all of their employers, and this is the first of three short articles resulting from their work. As always, I have edited the students’ work for publication.
Today’s topic is triage.
* * *
Many of the organizations represented in this cohort do not have a separate, formal CSIRT. Instead, they use the IT help desk and its associated incident-escalation process to perform the CSIRT response functions. Where a separate CSIRT does exist, organizations often still use a single help desk as the point of contact for all incidents. Help desk staff then use the triage process to assign each incident to the appropriate functional team for response.
The organization’s primary line of business takes the leading role in determining the response and escalation process. For example, loss of credit-card data is a high-priority incident for a financial organization: the response activity affects, and may halt, all other CSIRT members’ work until the incident is resolved. For a retailer, the same data loss may affect only the functional area that controls transactions and sales. Management attention to the incident parallels the group response, because management views the incident in terms of whether it disrupts the entire organization or only an individual group.
Cohort members agreed that training is vital to successful CSIRT operation. Because the help desk is the point of contact, CSIRT-provided training ensures that help desk staff capture all relevant information when creating the incident report. Training also ensures that the triage process functions appropriately. In addition, the training helps ensure that the response team captures all relevant information and evidence in a forensically correct fashion to preserve the chain of evidence.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.