The Computer Security Incident Response Team (CSIRT) is the set of people, policies,
procedures, technologies, and information necessary to detect, react to, and recover from an
2. What is the difference between the roles of the CSIRT and the IRPT?
Whereas the IRPT is primarily responsible for developing and implementing the policy
and plans associated with incident response (IR), the CSIRT is responsible for responding
3. What is the most essential reason to involve upper management in the CSIRT
formation process?
Only when top management authorizes it will subordinate managers ensure that these
individuals are allowed to spend time away from their primary responsibilities to work on
Management support is not a one-time need limited to the start-up of the CSIRT. The
support must be constant and ongoing in order to sustain the team and ensure its long-term
success in managing incidents.
5. Among the skills needed by the CSIRT staff, what is required beyond technical skill?
In addition to the technical skills, managerial experience at creating and following policy
Models used to develop IR teams tend to fall into one of three structural categories:
IR teams are often developed along one of these three staffing models: employees,
8. How does the need for 24/7 operations affect staffing decisions?
Larger organizations, as well as smaller ones that support critical infrastructures with
9. How does the need to manage employee morale affect staffing decisions for CSIRTs?
IR work is very stressful, as are the on-call responsibilities of most team members, so
burnout among IR team members is a real risk. Many organizations also
struggle to find willing, available, experienced, and properly skilled people to participate,
10. How does the organizational structure impact staffing design for CSIRTs?
11. Once created, must a plan be maintained? How often should it be revisited?
Any plan will become outdated if not routinely reviewed and modified. At a minimum,
12. What are the guiding documents for CSIRT creation or maintenance?
The formal Incident Response Policy and the existing CSIRT plans that are derived from
forming a CSIRT?
Establishing the scope and responsibilities of the CSIRT is one of the first tasks to be
performed.
This is an explanation of what systems fall under the responsibility of the CSIRT.
A mission statement establishes the tone for the team and provides a path to the
16. What are the two approaches that define a CSIRT’s philosophy with respect to
incident response?
At one extreme is the protect and forget approach. At the other extreme is the apprehend
17. The services of a CSIRT can be grouped into which three categories?
CSIRT services can be grouped into three categories: reactive services, proactive
18. Identify one advantage and one disadvantage of full-interruption testing of CSIRT
plans.
Because each student may choose a different answer, see the text section on this topic to
The AAR is a detailed examination of the events that occurred, from first detection to
final recovery. It is a useful tool in assessing and improving the operations of the CSIRT.
20. Why are performance measures collected for CSIRT activities?
This information can be used as a baseline in determining the effect of the CSIRT on the
constituency and also used to tune and adjust CSIRT operations to make them more
effective.