- : Executing a Policy
- Security Incident Response
- Computer Security Incident Response Teams
- Preparing for Incident Response
- Management of Security by Teams
- Execution of an Incident Response
- Evaluation of a Security Incident
- Containing the Incident
- Eradicating the Incident
- Recovering From an Incident
- Article Series
- About the Author
- Ordering Sun Documents
- Accessing Sun Documentation Online
Computer Security Incident Response Teams
A computer security incident response team (CSIRT) is a service organization that receives, reviews, and responds to computer security incident reports and activities and helps in recovery. Its services are usually performed for a defined constituency that could be a parent entity such as a corporation, a governmental or educational organization, a region or country, a research network, or a paid client.
A CSIRT can be a formal or an informal team. A formal team performs incident response work as its major job function. An informal team is called together by the organization's worldwide security team (as defined in the first article) to respond to an incident when the need arises. The informal team is referred to as a virtual CSIRT (VCSIRT), as defined in the previous article, along with its membership.
Although initiated by an organization's security team to resolve a particular incident or set of related incidents, a VCSIRT can span several organizations within an enterprise, as shown in the following figure and described in the first article. From the policy execution point of view, there are pros and cons to having VCSIRTs. For instance, virtual teams can be cost-effective from the operational point of view, as such teams do not have to wait for incidents that might not occur on a frequent basis. However, VCSIRTs have disadvantages from the policy execution perspective. Trained experts cannot be summoned at a moment's notice because they are usually in high demand. Secondly, on-the-fly teams do not bond as well as those that are gathered with the purpose of maintaining longer associations.
FIGURE 1 Enterprise and Organization Security Teams
The figure shows the corporate security team that sets security policies, processes, and procedures for the entire enterprise and monitors them for compliance. An enterprise should have an internal CSIRT that responds to the enterprise's internal incidents and sets related policies, processes, and procedures. The security advisory group (SAG) is an entity that can have enterprise-wide representation and is independent of any specific organization within an enterprise. Its primary functions include advising on tactical and long-term strategies, reviewing policies, and providing recommendations. SAGs can be initiated and formed by organizations for indefinite periods of times or as long as they are deemed necessary. SAGs use resources from the entire enterprise.
The above structure of teams might not be possible in a small company; in which case, individuals might represent the functions of the teams, and there might be just one security team in the company that sets and monitors corporate security policies and handles all incidents. Also, in small, medium, and large enterprises, variations in the form of such groups can occur based on business needs. The essence we want to convey is that the functions performed need to be represented in the organizational infrastructure.