- What is a CSIRT?
A Computer Security Incident Response Team (CSIRT) is the team charged with incident response: detecting, containing and resolving the security incidents that affect an organization in a timely and effective manner. It is responsible for protecting the confidentiality, integrity and availability (CIA) of business assets, chiefly computer systems and networks, along with the organization's valuable data.
Some large organizations maintain an in-house, dedicated CSIRT. Many organizations cannot sustain the cost of a full security operations center (SOC), however, and instead outsource the CSIRT function to managed security service providers (MSSPs). In smaller organizations, hybrid teams are often assembled to respond to security incidents: only some members are dedicated security staff, while the rest work in IT or other departments and join the team when an incident occurs.
What is a Computer Security Incident Response Team?
The CSIRT is the core team responsible for handling IT security incidents and managing their impact on your organization. Assembling the right team and defining roles and responsibilities up front is crucial and should not be taken lightly; in the middle of an incident there is no time to work out who decides what. IT security professionals typically fill several of the roles on this team, but not every role requires one. Let's look at what the formation of a CSIRT would look like.
1. CSIRT Team Leader: This is the person responsible for organizing and directing the CSIRT. Typical duties center on managing the incident response process, but also include updating policies and procedures after each incident so the team deals better with future ones. This person should have a firm grasp of both IT security and risk management.
2. Incident Lead: This is the person designated to coordinate the response to a given IT security incident. There may be more than one Incident Lead, depending on incident types and areas of expertise. This person should be well versed in IT security and in the particular kind of IT equipment on which incidents may occur (e.g. servers, networks, firewalls, data archives). All information about an incident must pass through this person before it leaves the team and goes to the rest of the organization or the public, so that the organization speaks with one consistent, verified voice.
3. CSIRT Support Members: Several support members round out the CSIRT. Not every organization requires all of them, but a solid list should include:
IT Contact: This is a member of your IT staff who is familiar with your IT infrastructure. If no single member covers every discipline involved, several IT staff members with different specialties (e.g. servers, networking, databases) may be asked to participate.
Management Representative: Your team should always have a representative from the organization’s management team involved. This member is the interface to the management staff and should express concerns and ideas to and from the team. Management involvement is essential when dealing with incidents that can gravely affect the financial or operational status of the organization.
Legal Representation: It is advisable to have legal representation on your CSIRT. An incident may carry legal ramifications, and legal proceedings against the individuals who caused it may need to be pursued; counsel should be involved early so that the team's actions and evidence handling do not undermine that later.
Public Relations/Communications: This is your outlet to the public and your customer base. Maintaining good PR is always important in a crisis, and communicating clearly what happened and how it is being handled can preserve business relationships that a poorly managed disclosure would damage.