Creating a CSIRT: Getting Started

To establish a computer security incident response team (CSIRT), you should understand what type of CSIRT is needed, the type of services that should be offered, the size of the CSIRT and where it should be located in the organization, how much it will cost to implement and support the CSIRT, and the initial steps necessary to create it. The resources on this page will help you answer these and other questions. Contact us if you need more information.

Action List for Developing a Computer Security Incident Response Team (CSIRT)
This document provides a high-level overview of the actions to take and topics to address when planning and implementing a CSIRT.

Creating a Computer Security Incident Response Team: A Process for Getting Started
This document provides best practices and resources for starting a CSIRT.

Defining Incident Management Processes for CSIRTs: A Work in Progress
This SEI technical report focuses on a process-oriented approach to defining CSIRT work.

Staffing Your Computer Security Incident Response Team—What Basic Skills Are Needed?
This document provides a short description of some of the types of core knowledge, skills, and abilities that successful CSIRTs seek in staffing their teams.

Steps for Creating National CSIRTs
This white paper provides information that can help a country or economy determine which issues to consider when building a CSIRT.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0)
This SEI technical report provides best practices that interested organizations and governments can use to begin to develop a national incident management capability.

Limits to Effectiveness in Computer Security Incident Response Teams
This white paper presents a preliminary attempt to gain a better understanding of how a CSIRT can handle a growing workload with limited resources; the document includes a proposed solution for improving long-term performance.

Creating a Financial Institution CSIRT: A Case Study
In this document, a financial institution shares lessons learned after developing and implementing a plan to address security concerns and a CSIRT.

Organizational Models for Computer Security Incident Response Teams
This SEI technical report describes different types of teams and outlines their typical strengths and weaknesses.

CSIRT Frequently Asked Questions
This FAQ provides answers to common questions about CSIRTs.

Forming an Incident Response Team – AusCERT report
This AusCERT paper examines the role a CSIRT may play in the community and the issues that should be addressed both during the formation and after commencement of operations.

Expectations for Computer Security Incident Response (RFC 2350) – Internet Engineering Task Force (IETF) document
This document specifies internet best current practices for the internet community and requests discussion and suggestions for improvements.

Incident Management topics – Build Security In website
The Incident Management section of the BSI website contains articles that provide an introduction to computer security incident management.

Defining Computer Security Incident Response Teams – Build Security In paper
This paper introduces and defines various aspects of CSIRTs, including activities, roles, staff, and mission.


Learn How to Create a CSIRT

Creating a Computer Security Incident Response Team is a one-day course that describes the key issues and decisions that managers and project leaders must address when establishing a CSIRT.