CERT-SEI

Action List for Developing a CSIRT

This document provides a high-level overview of actions to take and topics to address when planning and implementing a Computer Security Incident Response Team (CSIRT). It also identifies some common problems teams may encounter in their implementation. The list draws on material presented in depth through CERT training courses and publications, and incorporates lessons learned by staff during their experiences planning and implementing CSIRTs. Use this list as a starting point to plan a CSIRT. More detailed information can be found in the list of resources at the end of this article.

Contents

1 Identify Stakeholders and Participants
2 Obtain Management Support and Sponsorship
3 Develop a CSIRT Project Plan
4 Gather Information
5 Identify the CSIRT Constituency
6 Define the CSIRT Mission
7 Secure Funding for CSIRT Operations
8 Decide the Range and Level of Services the CSIRT Will Offer
9 Determine the CSIRT Reporting Structure, Authority, and Organizational Model
10 Identify Required Resources Such as Staff, Equipment, and Infrastructure
11 Define Interactions and Interfaces
12 Define Roles, Responsibilities, and the Corresponding Authority
13 Document the Workflow
14 Develop Policies and corresponding Procedures
15 Create an Implementation Plan and Solicit Feedback
16 Announce the CSIRT When It Becomes Operational
17 Define Methods for Evaluating the Performance of the CSIRT
18 Have a Backup Plan for Every Element of the CSIRT
19 Be Flexible

1 Identify stakeholders1 and participants.

  1. Determine who needs to be involved at each level of the CSIRT planning, implementation, and operation.
  2. Determine who is served or supported by the CSIRT.
  3. Identify people with whom you will coordinate or share information, both inside and outside the organization. (You may want to talk with them as you gather information. Consider asking them to participate in the development project or to help review CSIRT design and implementation plans.)
  4. Identify people performing security or incident response functions and talk to them.
  5. Identify which internal and external organizations might interface with or participate in the CSIRT.

Common problems: a full range of stakeholders and participants are not identified and included in the planning and development phase; failure to identify and  understand where computer security incident response activities are performed and how this will change with any new plans for a CSIRT.

2 Obtain management support and sponsorship.

  1. Find an executive manager to sponsor and champion the CSIRT's establishment. This person can be a good liaison to other executive and business managers in the constituency2 or parent organization.
  2. Present a business case to management outlining the benefits the CSIRT will bring to the organization or constituency.
  3. Obtain management support for the time and resources the team will spend researching and gathering information during the planning process.
  4. If establishing a CSIRT within an organization, explain the ideas, concepts, and benefits to other business function managers.
    If establishing a national team, explain the concepts and benefits to key organizations and potential strategic partners that will be supported by the CSIRT.
  5. Request management to announce the formation of the CSIRT project and ask people to provide information as needed during the planning and implementation phases.

Common problems: relevant stakeholders, participants, business managers, and strategic partners are not aware that a CSIRT is being planned.

3 Develop a CSIRT project plan.

  1. Form a project team to help plan and establish the CSIRT.
  2. Appoint a project leader. This person can inform management about the progress made in planning.
  3. Apply project management concepts to the task of setting up a CSIRT.

Common problems: the project team does not involve a diverse set of stakeholders; a reasonable time frame is not established for the project's completion—often time frames are too short or unrealistic for a CSIRT to become fully operational; a project leader is not established and the project languishes without direction or completion.

4 Gather information.

  1. Hold conversations with a variety of stakeholders to
    • determine the needs and requirements of the constituency and any parent or host organization
    • collect information about types of incidents already occurring to better understand the expertise and services the CSIRT will need to provide
    • understand any incident management or response that is already occurring
    • understand legal, political, business, or cultural issues that will define the environment in which the CSIRT will operate
    • understand data ownership and intellectual property (IP) issues and authority, related to any type of publications, products, or information collected or developed by the CSIRT
  2. Define political and compliance3 issues, including any public, private, academic, government, or military rules, regulations, or policies that must be followed or addressed as the CSIRT is established.
  3. Understand the previous history.
    • Find out if anyone attempted to create a CSIRT in the organization before. If so, find out what happened and check for any information you can use.
    • Identify any organizational expectations of the CSIRT, based on this previous activity, that the team will need to correct.
    • Determine if the desired domain name is available (i.e., if the CSIRT will have its own domain name). If the name is available, obtain it as soon as possible.

Common problems: the CSIRT does not involve or gather input from all stakeholders; there are disagreements over who owns the data and intellectual property, which can cause delays in providing CSIRT information to the constituency.

5 Identify the CSIRT constituency.

  1. Determine the initial group of individuals or organizations to which the CSIRT will provide service and support.
  2. Identify what types of services the CSIRT will provide to different segments of the constituency. For example, services provided to the general public may be different than services provided to government organizations or critical infrastructures. Understanding the constituency will also help define what groups to target for marketing CSIRT services.
  3. Identify and establish strategic partners, if applicable. Strategic partners can
    • help guide the priorities and direction of the CSIRT, and help define and mature the CSIRT's capabilities and services
    • engage in information sharing and research
    • participate in customized interactions with the CSIRT
    • help increase the visibility and influence of the team
    • help promote the adoption and use of security best practices throughout the enterprise or constituency
  4. Identify how the constituency members obtain services from the CSIRT.
  5. Identify constituents that the CSIRT may not initially support, but may support in the long term, after the CSIRT has been operational and is ready to expand its services.

Common problems: not all constituents are addressed or defined, so they have no formal interface with the CSIRT; the CSIRT does not properly create an understanding of the benefits its services can provide for the defined constituency; it is not clear how the constituency should contact the CSIRT and obtain assistance; the CSIRT tries to support too many diverse constituencies during its startup.

6 Define the CSIRT mission.

  1. Determine the mission of the CSIRT. This process is long term and general in nature. The mission should not change much over time, so it should be written broadly enough to accommodate any change in services or functions while still succinctly defining the purpose and function of the CSIRT. The mission statement should provide value to both the constituency and the parent or host organization.
  2. Determine the primary goals and objectives of the CSIRT. These will be more practical and may be changed as the CSIRT expands its scope or services.
  3. Obtain agreement on the mission from all relevant stakeholders (e.g., management, constituency, collaborators, and staff); ensure everyone understands the mission.

Common problems: staff don't understand the mission and "mission creep"4 occurs (the CSIRT loses focus on its defined purpose  and becomes less effective); outside parties (such as politicians) may have a perspective on the mission that doesn't match the CSIRT mission and try to pull the team into activities it is not prepared to handle.

7 Secure funding for CSIRT operations.

  1. Obtain funding for start-up, short-term and long-term operations. This will include
    • initial staffing, short-term and long-term professional development, and training
    • equipment, tools, and network infrastructure for detecting, analyzing, tracking, and responding to computer security incidents
    • facilities for protecting and securing CSIRT data, systems, and staff
  2. Decide what funding model you will use to support the CSIRT; this could include fee-for-service, membership subscriptions, government sponsorship, or a parent organization budget line.

Common problems: CSIRTs can lose effectiveness by not funding efforts to help staff keep up with emerging technologies or by not enabling staff to attend conferences and training to improve their skills, knowledge, and abilities; this can make the team less able to handle new threats, attacks, and risks that affect their constituency.

8 Decide on the range and level of services the CSIRT will offer.

  1. Start small and grow. Be realistic about the type and number of services the new CSIRT can provide given existing expertise and resources.
  2. Determine the services the CSIRT will provide and identify to which part of the constituency they will be offered.
  3. Define the process for delivery of services (e.g., hours of operation, contact methods, methods for information dissemination, and related processes).
  4. Decide how the CSIRT will market its service.

Common problems: people want the CSIRT to perform services before it is ready; the CSIRT tries to offer too many services at once; tries to play too many roles; creating services that are not needed or that another organization is offering; or does not market needed services.

9 Determine the CSIRT reporting structure, authority, and organizational model.

  1. Determine where the CSIRT will fit into the organizational structure. For instance, a national-level CSIRT may function within the government, as a separate national entity, or as part of another organization. If placed within another organization, how is it perceived by the constituency and how will those perceptions affect its operation?
  2. Create an organization chart and keep it current.
  3. Determine if the CSIRT must report "up" the hierarchy to any other organization or parent entity.
  4. Prepare to educate people about the work the CSIRT will be able to do. Team members may need to diplomatically refuse some work requests and should prepare appropriate responses.

Common problems: non-CSIRT assignments are imposed by outside stakeholders that take staff away from their primary CSIRT functions and inhibit effective performance of normal services.

10 Identify required resources such as staff, equipment, and infrastructure.

  1. Determine how the CSIRT infrastructure will be protected, secured, and monitored, especially the physical premises and data repositories.
  2. Define processes for collecting, recording, tracking, and archiving information.
  3. Create job descriptions that list the required knowledge, skills, and abilities (KSAs) for each CSIRT position.
  4. Create a mentoring and training plan for staff, and ensure they are cross-trained on unique expertise or services.
  5. Determine requirements for appropriate background checks, certifications, or security clearances.

Common problems: staff is not cross-trained, resulting in 'single points of failure' if someone performing a function requiring  a unique skill leaves; staff are not given opportunities and a path for professional or career development, resulting in burnout and high levels of job turnover.

11 Define interactions and interfaces.

  1. Identify interactions and interfaces with key parts of the constituency, stakeholders, and with any internal or external partners, collaborators, or contractors.
  2. Determine what other entities the CSIRT will coordinate with.
  3. Identify how information flows between these entities.
  4. Define and establish interfaces and methods of collaboration and communication with others as appropriate, including law enforcement, vendors, critical infrastructure components, internet service providers (ISPs), other security groups, and other CSIRTs.
  5. Ensure there are good methods for internal communication among the CSIRT staff.
  6. For all these interfaces, understand
    • who owns the data that is shared
    • who has authority and responsibility for data
    • how the data is shared and with whom it is shared
    • how the data is protected, controlled, and securely stored
  7. Define methods to disseminate information to the constituency and relevant stakeholders.
  8. Develop and explain standard document types for disseminating information to the constituency.

Common problems: data is not shared in a controlled and secure manner, resulting in confidences being broken; CSIRT staff is not informed about CSIRT activities, reducing effectiveness in normal work roles; defined interfaces are not established, causing a process breakdown when escalation or data sharing and coordination is required.

12 Define roles, responsibilities, and the corresponding authority.

  1. Develop roles and responsibilities for all CSIRT functions.
  2. Define and develop the interfaces between CSIRT functions and other external functions and collaborations.
  3. Identify areas where authority may be ambiguous or overlapping, and define functions and roles between groups.

Common problems: people don't know where their role ends and someone else's begins; more than one group is given the same responsibility; no one is given a specific responsibility and the task is never completed.

13 Document the workflow.

  1. Create a diagram (swimlane chart, flow chart, etc.) to document the CSIRT processes and corresponding interactions, including who performs the work and where in the process the interfaces and hand-offs occur.
  2. Build quality assurance measures and components into the CSIRT processes and corresponding workflows.

Common problems: staff is uncertain how to follow certain processes or perform various coordination and collaboration activities.

14 Develop policies and corresponding procedures.

  1. Establish definitions for terminology (e.g., "computer security event and incident") along with other terms unique to the organization.
  2. Determine corresponding incident categories, priorities, and escalation criteria.
  3. Identify initial policies and procedures that need to be formalized before operation, and those that can be created after the CSIRT is operational.
  4. Develop incident reporting guidelines for the constituency and ways to publicize them.
  5. Define and document criteria for providing CSIRT services to ensure consistent, reliable, and repeatable processes are followed by staff.

Common problems: common definitions are not shared between the CSIRT and constituency, resulting in confusion and misunderstanding; inability to summarize data on incident trends because there is no clear definition of terms; lack of formalized policies can delay response time because processes must be defined each time an incident occurs.

15 Create an implementation plan and solicit feedback.

  1. Obtain input about the implementation plan from stakeholders and constituents (or other CSIRT experts), ask for their comments, and ensure the plan matches the mission.
  2. Update and improve the plan based on feedback.
  3. Obtain management and constituent support for the implementation.

Common problems: the constituency is not informed about the CSIRT implementation and does not provide support, which may result in incidents not being reported to the CSIRT or CSIRT advice and recommendations not being followed; the implementation plan is not sent for review, resulting in a plan that is not supported or implemented.

16 Announce the CSIRT when it becomes operational.

  1. Ask management to make a formal announcement.
  2. Provide marketing materials and incident reporting guidelines explaining how the constituency should interact with the CSIRT.
  3. Incorporate training about CSIRT services and interactions into staff orientation programs.
  4. Find ways to disseminate information about CSIRT services such as organizational intranets, websites, brochures, seminars, and training classes.

Common problems: the CSIRT is not formally announced, and no one understands how or when to interface with the team.

17 Define methods for evaluating the performance of the CSIRT

  1. Define baselines for incident reporting and handling within the organization before the CSIRT is implemented. Use the baselines to compare performance once the CSIRT is operational.
  2. Define measurement criteria and quality assurance parameters so that the CSIRT can be measured in a consistent way.
  3. Define methods for obtaining constituency feedback.
  4. Implement reporting and auditing procedures to ensure that the CSIRT is performing efficiently and meets established service level agreements or performance metrics.

Common problems: no methods are instituted for evaluating whether the CSIRT is accomplishing its mission; methods for process improvement are not implemented; performance metrics do not adequately measure CSIRT performance.

18 Have a backup plan for every element of the CSIRT.

  1. Identify key and critical CSIRT functions, services, and equipment.
  2. Design a disaster recovery and business continuity plan for critical CSIRT services and processes; these plans should tie into similar plans for the parent organization.
  3. Plan what will happen if someone cannot fulfill their role or cannot provide space or equipment needed by the CSIRT.
  4. Institute mock exercises to test whether CSIRT functions and facilities can be operational during emergency situations.

Common problems: the CSIRT has no reach-back5 capability ready if additional staffing is needed during peak or emergency situations; key CSIRT systems and networks that provide critical functions and services are not backed-up, resulting in the CSIRT not being able to function during an emergency situation.

19 Be flexible.

  1. Do not try to do too much at once. However, be ready to adapt and take advantage of good opportunities when they arise; if such opportunities will not severely tax the CSIRT resources and cause problems delivering existing CSIRT services.
  2. Understand that services may evolve over time and be ready to learn new skill sets and gain new knowledge.
  3. Keep learning about changing technologies to ensure response strategies are effective for dealing with new threats and risks.
  4. Look for ways to collaborate with others in the CSIRT and security fields.

CSIRT Resources

Footnotes

1 A "stakeholder" is any individual or group with an interest in the success of the CSIRT and its mission. Stakeholders can be those who will report to the CSIRT, receive help from the CSIRT, provide funding and sponsorship to the CSIRT, or interface with the CSIRT through information sharing or the coordination of incident and vulnerability handling activities.

2  The "constituency" is the collection of people or organizations serviced or supported by the CSIRT.

3 "Compliance" refers to making sure the CSIRT policies or procedures agree with applicable laws or policies that are in place organizationally, locally, nationally, or internationally. For example, in the U.S. there are many state laws that require companies to notify customers if their personal data is released without their consent or authorization. If a CSIRT in a state with such laws is tasked with handling computer security breaches, it (or its parent organization) must comply with the law regarding any required notification.

4 "Mission creep" refers to a situation in which a CSIRT begins to perform activities outside the scope of its mission or defined purpose and function.

5 Reach-back capability is the ability to call in additional staff outside your normal CSIRT staff during peak times. For example, if you are using a contractor to supplement CSIRT staff and a major incident occurs, a reach-back capability would allow the contractor to call in more people to help handle the incident. In this case the contractor would "reach back" into their total pool of employees to temporarily supplement the CSIRT staff until the incident was resolved and operations returned to normal. If a CSIRT does not have contractors providing staff, then reach-back might be handled by pulling people from other parts of the organization to help until the incident was resolved.