Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
As I mentioned in my last column, I am presenting three articles (this is No. 3) based on the work of some of my graduate students during class discussions in a course on computer security incident response team (CSIRT) management. What follows is the last edited segment based on a summary written by students Mani Akella and Rick Tuttle. Today’s topic is the politics of triage.
* * *
Internal politics are a major consideration for any activity in the organization - especially sensitive functions like the CSIRT.
Since the CSIRT, by definition, affects the computer operations of the entire organization during the investigation process, its members may interact directly with many of the organization’s personnel over time. To somebody not intimately familiar with CSIRT operation, the brief interaction might seem more like an abrasive intrusion than a genuine effort to help.
This means that CSIRT members need to be consummate service-oriented personnel with well-developed communication skills. In addition to communication, the team members need to be very sensitive to the political nuances within an organization. They must be able to interpret the true import of any statement rather than taking it at face value. To stay true to their objective and be effective in proper incident resolution, CSIRT members must be able to isolate themselves from political influences in their investigative process.
The potential exists for internal politics to cause help desk staff to misrepresent incident ticket priorities; the team needs to be able to recognize such pressure and to present the situation to their management for appropriate action. At the same time, team members need a healthy respect for authority limits. They must be conscientious in not overstepping their bounds without appropriate reason and permission.
The team needs to be aware of the internal drivers in an organization; business objectives must influence triage priorities. For a financial organization, the prime driver will be financial effect; for a military team, it could be team safety or mission objectives that determine priority rather than cost.
For each organization, service offerings are weighted in light of their perceived relation to the primary business. Additionally, the team members must accept that a person's perceptions are their reality, whether or not they agree with the rest. This acceptance helps the team to respond accordingly and appropriately. Each proposal needs a business case. One posting provides the following example from Rick Tuttle:
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.