Computer Security Incident Response - Part 2

Wednesday, November 10, 2010

John McGloughlin


This is the second of a three part series (Part 1) of articles defining a computer security incident response capability (CSIRC) framework and an implementation schema for computer security incident response teams (CSIRT).

Computer Security Event & Incident Response Capability (CSIRC) - Part 2

This section communicates strategic objectives, the reason for those objectives, and the roles involved with accomplishing and auditing those objectives.

If you don’t have documented objectives for what you’re trying to accomplish with incident response, use this section as a minimal starting point. If you do, congratulations!

If you’re a one man/woman band and you think a better place to start is a flow chart for how to deal with malware, start here instead. Visualize the “What” and “Why” before tackling the “How”, then communicate that in writing.

If you’re part of a policy-making body and perhaps don’t have much real-world cyber-combat experience, don’t put together a flow chart for how to deal with a reconnaissance threat and hand it to the operational team. You’ll just piss them off and the objective will be lost.

Operational teams are capable of determining the best mechanism for dealing with the “How”. Communicate the “What” and “Why” and then work with those teams to audit the results of the “How”.

The number one objective: “maintain a healthy computer security posture that contributes to fluid business continuity”. Keep that objective in constant focus.

Business Operations

The number one objective of the CSIRC teams is to maintain a healthy computer security posture that contributes to fluid business continuity.

CSIRC teams demonstrate this to the business by implementing an efficient and manageable surveillance, analysis, event handling, containment, remediation, recovery and reporting program that is accountable to the business and its customers.

Risk Management

CSIRC teams conduct risk management activities to understand the probability and degree of impact to the operation or reputation of the company as the result of damage to or loss of an asset or a collection of assets.

Risk management is the principal driver for resource funding; therefore it is a goal of the CSIRC teams to be able to effectively demonstrate levels of risk and the cost-benefit analysis associated with managing risk to acceptable levels.

Intelligence Gathering

CSIRC teams conduct diligent automated and manual surveillance, both internal and external, to formulate risk opinions and determine the deployment of operational resources that most effectively protects the assets of the corporation.

Intelligence gathering is the catalyst for all subsequent strategic and tactical activities undertaken by the CSIRC teams. Knowing more about the organization’s own assets, their enablers and their capabilities, than the attackers do provides the advantage the CSIRC teams require to dominate their adversaries.

Deterrence

CSIRC teams deploy an effective deterrence strategy by promoting their defensive and offensive capabilities to the attacker through both subtle and aggressive means.

Through effective communication programs, ones that promote a shared goal of corporate asset protection, the CSIRC teams create a native environment of deterrence and, in particular, put insiders who intend to cause harm to the corporation on notice that they are being watched.

Combat & Containment

CSIRC teams are staffed by experts and equipped with tooling that provides combat and containment capabilities against events and incidents designed to cause a loss to the corporation and its customers.

Containment activities are used to arrest an attack and prevent it from achieving its objective.

Reporting

CSIRC teams perform strategic-level and tactical-level reporting to both management and operations interests within the organization. These reports give both audiences the intelligence they need to shape proactive and reactive decision making.

These reporting functions are also used to satisfy compliance and regulatory requirements.

Policies & Compliance

CSIRC team activities are guided by organizational policies that include compliance and regulatory commitments.

These policies are disseminated to each of the teams within the CSIRC so that the particular operational aspects within a team are aligned with overall organizational policy objectives.

Roles & Responsibilities

CSIRC Management

CSIRC management is responsible for the overall strategic direction of each of the CSIRC teams. Each of the remaining CSIRC teams is accountable to this function. Management is the liaison to IT teams, human resources, legal, and executive management.

Management is responsible for funding the CSIRC teams, has final authorization on incident declaration, and is responsible for macro-level reporting.

CSIRC Governance

CSIRC governance is responsible for developing organizational security policies, aligning those policies with compliance and regulatory requirements, and disseminating those policies to the CSIRC teams and other community teams that may be affected by them. Governance is also responsible for micro-level reporting.

CSIRC Operations

CSIRC operations teams are responsible for the day-to-day intelligence gathering, event handling, combat and containment, remediation and recovery. These teams staff the security operations center (SOC). They are also responsible for micro-level reporting.

Internal Audit

CSIRC internal audit is responsible for preparing the corporation in advance of an external audit, including communicating a gap analysis to management before the external audit takes place. They are also responsible for micro-level reporting.

External Audit

External auditors are outside parties responsible for auditing the organization against its compliance and regulatory commitments with respect to computer security. This group works with the CSIRC internal audit team.

Community

CSIRC teams recognize the positive power their community of allies can have in the overall asset protection strategy. They use the community to their advantage as a force multiplier by continuously delivering consistent messages that promote knowledge and awareness.

Cross-posted from GuardSight
