Establishing an incident response team
I was recently chatting with Andy after I read his post on breaches and incident response.
Incident Response has always been one of my areas of interest, and I was lucky enough to attend two FIRST conferences in the past. I was privileged enough to speak at the 2006 conference in Baltimore (presentation).
To establish an incident response capability is not a small undertaking.
The steps that I have taken in the past were in line with my policy framework, which I have blogged about before. Establishing an incident response capability starts with getting senior management to publicly acknowledge the importance of information as a critical asset.
Next, I set out to write a "CSIRT pre-initiation document". In the document, I presented my vision on how to limit security incidents from happening and how to mitigate them if they do happen. I outlined how the CSIRT would fit into the existing organization and how the team itself was organized. I also suggested what kind of mandate such a team should have. Lastly, I stressed the need to reach out and establish links with other groups (regionally, nationally and internationally). The document elicited some discussion, but its most important function was to raise security awareness with senior management.
After senior management was made aware of the need to have a capability in place to respond to security incidents, and agreed with it, I proceeded by creating a "CSIRT charter". It included a definition of an information security incident (in line with ISO/IEC 27002), defined the constituency and the services that would be provided, and laid down the mandate of the team. The document also described the roles and responsibilities of team members and the ways to contact the team. Finally, it addressed incident tracking and documentation requirements. No actual names of persons are mentioned in this document; CSIRT staffing is addressed separately.
With these documents in place (and reviewed and agreed upon by the relevant stakeholders), the final step in establishing a team is getting a (signed) Letter of Creation in which senior management states that, as of a certain date, the CSIRT is established and will operate according to the charter. In addition, it grants the authority to organize, operate and manage the team. Once that letter has been signed and accepted, the team can publicly announce its existence, establish its processes and procedures, and get to work.