CERT-SEI

Incident Management Publications

Case Studies
In these reports and papers, the authors describe case studies related to the insider threat. One effective way for computer security incident response teams or other types of incident management functions to get started and to improve their performance is to read about what other similar teams have done. From time to time, the CSIRT Development and Training team publishes case studies of national information security teams to assist in this process.

Establishing a National Computer Security Incident Response Team (CSIRT)
In this podcast, John Haller and Jeff Carpenter discuss how a national CSIRT is essential for protecting national and economic security.

Tackling Security at the National Level: A Resource for Leaders
In this podcast, Jeff Carpenter describes how business leaders can use national CSIRTs as a key resource when dealing with incidents that have national or worldwide scope.

Handbook for Computer Security Incident Response Teams (CSIRTs)
In this 2003 handbook, the authors describe different organizational models for implementing incident handling capabilities.

Creating a Computer Security Incident Response Team: A Process for Getting Started
This resource outlines best practices, guidance, and processes for creating a CSIRT.

Action List for Developing a Computer Security Incident Response Team (CSIRT)
This document provides a high-level overview of the actions to take and topics to address when planning and implementing a CSIRT.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0)
In this 2011 report, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.

Steps for Creating National CSIRTs
In this 2004 paper, the authors describe CSIRTs, the problems and challenges they face, and the benefits of developing a response capability at a national level.

CSIRT Services (11/25/2002)
In this 2002 paper, the authors define computer security incident response team (CSIRT) services.

Creating a CSIRT: Getting Started

Action List for Developing a Computer Security Incident Response Team (CSIRT)
This document provides a high-level overview of the actions to take and topics to address when planning and implementing a CSIRT.

Creating a Computer Security Incident Response Team: A Process for Getting Started
This document provides best practices and resources for starting a CSIRT.

Defining Incident Management Processes for CSIRTs: A Work in Progress
This SEI technical report focuses on a process-oriented approach to defining CSIRT work.

Staffing Your Computer Security Incident Response Team—What Basic Skills Are Needed?
This document provides a short description of some of the types of core knowledge, skills, and abilities that successful CSIRTs seek in staffing their teams.

Steps for Creating National CSIRTs
This white paper provides information that can help a country or economy determine which issues to consider when building a CSIRT.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0)
This SEI technical report provides best practices that interested organizations and governments can use to begin to develop a national incident management capability.

Limits to Effectiveness in Computer Security Incident Response Teams
This white paper presents a preliminary attempt to gain a better understanding of how a CSIRT can handle a growing work load with limited resources; the document includes a proposed solution for improving long-term performance.

Creating a Financial Institution CSIRT: A Case Study
In this document, a financial institution shares lessons learned after developing and implementing a plan to address security concerns and a CSIRT.

Organizational Models for Computer Security Incident Response Teams
This SEI technical report describes different types of teams and outlines their typical strengths and weaknesses.

CSIRT Frequently Asked Questions
This FAQ provides answers to common questions about CSIRTs.

Related External Resources

Forming an Incident Response Team
This AusCERT paper examines the role a CSIRT may play in the community and the issues that should be addressed both during the formation and after commencement of operations.

Expectations for Computer Security Incident Response (RFC 2350)
This document specifies internet best current practices for the internet community and requests discussion and suggestions for improvements.

Incident Management topics on the Build Security In (BSI) website
The Incident Management section of the BSI website contains articles that provide an introduction to computer security incident management.

Defining Computer Security Incident Response Teams
This paper introduces and defines various aspects of CSIRTs, including activities, roles, staff, and mission.

Operating and Staffing Your CSIRT

Handbook for Computer Security Incident Response Teams (CSIRTs)
This 2003 document provides guidance on forming and operating a CSIRT, and helps an organization to define and document the nature and scope of a computer security incident handling service, which is the core service of a CSIRT.

CSIRT Services
This document describes the services that a CSIRT should provide to its constituency.

State of the Practice of Computer Security Incident Response Teams
This document is a compendium of our understanding of the CSIRT state of the practice.

Incident Management Capability Metrics
This SEI technical report presents metrics to provide a baseline or benchmark of incident management practices.

Incident Management Mission Diagnostic Method
This tool can provide a quick evaluation of the potential for success of an organization's CSIRT or incident management capability.

Avoiding the Trial-by-Fire Approach to Security Incidents
This report assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

Related External Resources

Site Security Handbook (RFC 2196)
This handbook offers information about developing computer security policies and procedures for sites that have systems on the internet.

The SANS Security Policy Project
These resources provide information about the rapid development and implementation of information security policies.

The Role of Computer Security Incident Response Teams in the Software Development Life Cycle
This BSI document discusses the role a CSIRT can play in the Systems Development Life Cycle (SDLC).

Incident Response Career Trends
This document provides information about the skills needed today in incident response and describes how professionals can attain or refine those skills.

Developing Incident Handling Cost Models

This section lists various external resources that provide cost models for incident handling.

Developing an Effective Incident Cost Analysis Mechanism
This document discusses calculating damages from computer security incidents.

Incident Cost Analysis and Modeling Project (ICAMP) reports
This document summarizes a study to design a cost-analysis model for IT-related incidents and to gather and analyze a sample of such incidents.

Australian Computer Crime and Security Surveys 2002-2006
This survey provides an authoritative analysis of computer network attack and computer misuse trends in Australia between 2002 and 2006.

CSI/FBI Computer Crime and Security Survey 2010-2011
This collection of cybercrime statistics was compiled by the Computer Security Institute.

Collecting Evidence/Forensics

CERT Digital Intelligence and Investigation (DIID)
The CERT DIID team conducts research and develops technologies, capabilities, and practices that organizations can use to develop incident response capabilities and facilitate incident investigations.

First Responders Guide to Computer Forensics
This 2005 handbook addresses basic forensic data collection, a critical training gap in the fields of information security, computer forensics, and incident response.

First Responders Guide to Computer Forensics - Advanced Topics
This document features a description of technical operations such as process characterization and spoofed email, and is designed for experienced security/network professionals who already have a fundamental understanding of forensic methodology.

Related External Resources

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, U.S. Department of Justice
This document outlines ground rules for handling evidence in crimes involving computers.

Guidelines for Evidence Collection and Archiving (RFC 3227)
These guidelines are written for system administrators and are related to collecting and archiving evidence that is relevant to security incidents.

Incident Management and General CSIRT Publications

We provide links to the following useful publications, which were written by our colleagues in the international community.

Identifying a Shared Mental Model Among Incident Responders
In this paper, the authors explore how effective communication might be improved by the development of a mental model internalized by the group's technical staff prior to an incident.

TF-CSIRT: General Information for IRTs/CERTs
This site contains useful information and documents for IRTs/CERTs, describes how to establish a new IRT/CERT and operate an existing one, and provides other related information.

AusCERT
AusCERT provides a collection of presentations and papers.

SecurityFocus Infocus
SecurityFocus provides a helpful collection of Incident Handling articles.

Update to the Handbook of Legal Procedures of Computer and Network Misuse in EU Countries for assisting CSIRTs (2005)
This update to the 2003 handbook provides a guide that matches technical descriptions of incidents to the legal framework of the country in question, and it also provides detailed procedures for working with law enforcement to respond to incidents.

FIRST Site Visit Requirements and Assessment
This best practice list of requirements can be used in building or benchmarking a team.