CIRT management: Introduction

In an upcoming series of short articles, I will summarize the key points in creating and managing a computer incident response team (CIRT), also sometimes known as a computer emergency response team (CERT).

The main resources used in writing this summary are shown at the bottom of this introduction; specific references will be provided in each of the remaining articles.

As everyone should know, the value of time is not constant. Spending an hour or a day planning so that one’s emergency response is shortened by a few seconds may save a life or prevent a business disaster. Organizing people to respond to computer security incidents is worth the effort not only when you actually have an incident but also because the analysis and interactions leading to establishment of the CIRT bring benefits even without an emergency.

This series will explore the following topics:

* Creating the CIRT

– CIRT functions

– Defining service levels

– Establishing policies and procedures

– Staffing the CIRT

* Responding to computer emergencies

– Triage

– Technical expertise

– Tracking incidents

– Critical information

– The telephone hotline

* Managing the CIRT

– Securing your CIRT

– Professionalism

– Setting the rules for triage

– Avoiding burnout

* Continuous Process Improvement

– The post-mortem

– Sharing knowledge within the organization

– Sharing knowledge in the security community

Resources:

* “Computer emergency quick-response teams,” Chapter 40 in _Computer Security Handbook, 4th Edition_.

* Introduction to Computer Incident Response Team (CIRT) Management, by the Defense Information Systems Agency, U.S. Department of Defense. To download a full PDF catalog of free training materials, see:

https://iase.disa.mil/eta/