Managing the CIRT: Professionalism

This is another in an occasional series of articles looking at Computer Incident Response Team management. The primary source for this series is the U.S. Defense Information Systems Agency training course listed at the end of the article.

The DISA course wisely emphasizes the importance of professional behavior by all members of the CIRT. The authors write:

“The survival of your CIRT may well depend upon using a Code of Conduct, which will earn the trust and respect of the commands you support. The conduct of any single team member reflects upon the entire CIRT organization. If the commands don’t trust your CIRT, they won’t report to you. It is important, therefore, not only to have a Code of Conduct, but to shake it out and dust it off every once in a while. Remind team members what it is and why it is important… and use it.”

Here are some of the practical recommendations from that course (although I have put them in my own words for the most part):

* Write down the rules – a Code of Conduct – that represent your ideals of courteous, professional service to your clients.

* Train the team to understand and apply the Code.

* Review the Code periodically with the team.

* Speak clearly and avoid techno-babble.

* Tell people exactly what you intend to do.

* Never hesitate to say, “I don’t know – but I’ll find out.”

* Don’t criticize other people in your interactions with clients.

* Respect the confidentiality of your clients.

* Be respectful of your callers: don’t belittle them or make them feel bad.

I was a member and then team leader of the Phone-In Consulting Service (PICS) at Hewlett-Packard (Canada) Ltd. in Montreal in the early 1980s and later was director of technical services at a big service bureau in that city. Those experiences support the correctness of DISA’s advice.

Notice how consistently DISA (and I) refer to clients; this usage emphasizes that both technical support teams and CIRTs all perceive users as those to whom we owe service. There is no benefit to allowing an adversarial relationship between the technical support team or a CIRT and the client base. Don’t allow a gulf to develop between the CIRT and the client community; clamp down on disparaging terms and derogatory comments about users. Ensure that team members understand why such language is harmful.

Identify CIRT members with a chip on their shoulders: don’t let them adopt a defensive, arrogant or aggressive attitude toward the users. If a computer-security incident can be traced to procedural errors, the person reporting the problem should be thanked for the information, not criticized for having experienced or identified the problem.

No one in a CIRT has ever regretted being professional. Go out there and be NICE.

“Introduction to Computer Incident Response Team (CIRT) Management” is offered by the Defense Information Systems Agency, U.S. Department of Defense. A full PDF catalog of free training materials is available for download.