Incident Management Publications

Creating a CSIRT: Getting Started
To establish a computer security incident response team (CSIRT), you should understand what type of CSIRT is needed, the type of services that should be offered, the size of the CSIRT and where it should be located in the organization, how much it will cost to implement and support the CSIRT team, and the initial steps necessary to create the CSIRT. Our resources will help you answer these and other questions.

Operating and Staffing Your CSIRT
Our resources address practical operational and technical issues that every CSIRT must consider. Contact us if you have questions or need more information.

Developing Incident Handling Cost Models
Our resources provide information about developing cost-analysis models for incident handling.

Collecting Evidence/Forensics
Our resources provide information about CERT forensics work, basic forensic data collection, and forensic methodology.

Incident Management and General CSIRT Publications
We provide links to the following useful publications, which were written by our colleagues in the international community.

Security and Ontology
We are aware of the need for controlled vocabularies, taxonomies, and ontologies to make progress toward a science of cybersecurity. Read about our work in the field of security and ontology.

An Incident Management Ontology
In this paper, the authors describe the shortcomings of the incident management meta-model and how an incident management ontology addresses those shortcomings.

Competency Development
Workforce effectiveness relies on two critical characteristics: competence and readiness. Our work in competency development is designed to help organizations improve their training and development programs. Our researchers identify and document cybersecurity competencies within organizations. As these competencies are identified, the organization begins to understand that competence is not readiness.

2009
  • 09/18/2009 2009 CERT Research Report In this 2009 report, the authors summarize the research conducted by the CERT Division at the Software Engineering Institute in 2009.
  • 02/17/2009 Better Incident Response Through Scenario Based Training In this podcast, Christopher May explains how teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine.

2002
  • 11/25/2002 CSIRT Services In this paper, the authors define computer security incident response team (CSIRT) services.

CSIRT Services
This document presents a list of computer security incident response team (CSIRT) services and their definitions. This list provides a common framework for a consistent and comparable description of CSIRTs and their corresponding services.

Case Studies
In these reports and papers, the authors describe case studies related to the insider threat. One effective way for computer security incident response teams or other types of incident management functions to get started and to improve their performance is to read about what other similar teams have done. From time to time, the CSIRT Development and Training team publishes case studies of national information security teams to assist in this process.

Establishing a National Computer Security Incident Response Team (CSIRT)
In this podcast, John Haller and Jeff Carpenter discuss how a national CSIRT is essential for protecting national and economic security.

Tackling Security at the National Level: A Resource for Leaders
In this podcast, Jeff Carpenter describes how business leaders can use national CSIRTs as a key resource when dealing with incidents that have national or worldwide scope.

Handbook for Computer Security Incident Response Teams (CSIRTs)
In this 2003 handbook, the authors describe different organizational models for implementing incident handling capabilities.

Creating a Computer Security Incident Response Team: A Process for Getting Started
This resource outlines best practices, guidance, and processes for creating a CSIRT.

Action List for Developing a Computer Security Incident Response Team (CSIRT)
This document provides a high-level overview of the actions to take and topics to address when planning and implementing a CSIRT.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability (Version 2.0)
In this 2011 report, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.

Steps for Creating National CSIRTs
In this 2004 paper, the authors describe CSIRTs, the problems and challenges they face, and the benefits of developing a response capability at a national level.