A computer security incident response team, or CSIRT, receives reports of computer security problems at an organization,...
analyzes them, creates an initial response strategy and then works with the organization to follow response strategy protocols.
There are a number of reasons to create a CSIRT. Some of the most common include the following:
- The organization recognizes its obligation to protect information required to conduct business operations, as well as protect the privacy of its employees, customers and partners.
- The organization operates under a compliance requirement to demonstrate CSIRT capability. For example, the Payment Card Industry Data Security Standard requirement 12.9 stipulates that organizations must "implement an incident response plan" and be "prepared to respond immediately to a system breach" to provide adequate incident response capability.
- The organization wants to buy cybersecurity insurance that requires a CSIRT is in place.
- A very common situation that leads to the development of a CSIRT occurs when an organization has experienced a breach, but had no formal incident response capability. The result was a loss that was larger than it should have been, with huge recovery costs.
The goals of implementing a CSIRT
When responding to a computer security incident, a CSIRT has three main goals:
- Minimize and control the damage. This goal involves regaining control and stopping the incident from letting data exfiltration get any worse.
- Analyze the incident and provide effective incident response capability to limit the damage and reduce the cost of recovery.
- Prevent the occurrence of similar incidents in the future.
Organizations have an obligation to protect their business, employees, customers and partners by securing information. There may be regulatory compliance or contractual obligations to consider, as well. The information and intellectual property required for business operations is an asset that, if left unprotected, can affect business continuity or market differentiation.
Information is not the only critical asset in most organizations. People, business processes, technology and facilities are other assets that must be protected. Any organization that wants to build a CSIRT must identify all of its critical assets. Organizations that know what their critical assets are and how they are prioritized are able to provide more effective incident response capability.
Building the incident response team: Main questions
Once these assets are defined, several more questions need to be answered during development of a CSIRT.
How would your organization respond? If your organization experienced an information breach, it's important to determine who would respond to specific types of incidents. For example, if the organization experienced information technology sabotage or insider theft of intellectual property, who is responsible for handling these incidents? What technology skills and business knowledge must they have, and how must they be trained to adequately respond? Do people with these skills and knowledge exist in the organization, or do they have to be recruited externally?
What departments need to be involved? In addition to the people who would respond, the organization must determine what specific roles and departments should be involved in the CSIRT's responsibilities. How are business management, human resources and the legal department involved? If there are compliance obligations that need to be met after a breach, the organization must determine what part of the CSIRT would handle notifying customers, employees, business partners and regulatory agencies of the breach.
What is your organization's main concern during incident response? When responding to a breach, an organization's leaders must understand the organization's main concerns. Is it stopping the loss of information and restoring normal operations? Or, is it tracking and tracing the intruder? Perhaps the main concern is controlling public perception and impact to reputation, or possibly avoiding fines and legal penalties. Also, consider whether the organization's response and priorities would differ depending on whether the source is a nefarious insider or an external hacker.
How long will the incident response take? Time is a huge factor after an incident; the response should begin as soon as nefarious activity is detected. One important question to consider during CSIRT development is how long it takes for the organization to begin responding after an incident. Also, what is the goal for how long would it take to completely respond to and recover from a cybersecurity incident?
Who makes response decisions? If an information breach should occur, someone needs to be in charge of the response. How will response coordination occur? Who is in charge of recovery? Who will communicate with the various media outlets? Who will make sure all regulatory and contractual compliance obligations are met after an incident? These people must be properly trained in these jobs and know exactly what is required of them -- and the company as a whole -- in each of these instances.
What documentation, policies, procedures and processes are required? There are also a number of very important documents and policies that will need to be developed as part of creating a CSIRT. A good place to start is an incident management plan. The incident management plan should outline the organization's commitment to protecting information assets and provide response policy and response procedures, as well as the roles and responsibilities of everyone involved in computer security incident response.