Overview of Creating and Managing CSIRTs

This one-day course provides a consolidated view of information that is contained in two other CERT courses: Creating a CSIRT and Managing CSIRTs. Its main purpose is to highlight best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT).

The course will explore the relationship between CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise-wide view and approach. It will present a process-based model for structuring incident management activities and also provide an introductory view of CSIRTs to anyone new to the field. Introductory topics cover the purpose and structure of CSIRTs and give a high-level overview of the key issues and decisions that must be addressed in establishing and maintaining a CSIRT. Other topics include a discussion of CSIRT services as well as the key policies, procedures, methods, tools, and infrastructure components needed to operate a CSIRT effectively.

Who should attend?

This tutorial is designed to provide managers and other interested staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and the type of activities a CSIRT performs. Interested attendees may include

  • individuals tasked with creating a CSIRT
  • C-level managers, such as chief information officers (CIOs), chief security officers (CSOs), and chief information security officers (CISOs)
  • CSIRT managers
  • project leaders and team members
  • system and network administrators
  • existing security staff, as well as privacy officers and audit or risk staff
  • human resources
  • media or public relations staff
  • constituent members
  • law enforcement
  • legal counsel

No previous incident-handling experience is required.

Topics

  • General Foundational Knowledge
    • Review of the CERT Resiliency Engineering Framework
    • Review of Incident Management Process Framework
    • Relationship between Incident Management processes and CSIRTs
  • Creating an Effective CSIRT
    • What is a CSIRT?
    • What does a CSIRT do?
    • General categories of CSIRTs
  • CSIRT Components
    • Constituency
    • Mission
    • Organizational Issues
    • Funding
    • Services
    • Policies and Procedures
  • Operational Management Issues
    • CSIRT staffing issues
    • Managing CSIRT infrastructures
    • Evaluating the CSIRT's effectiveness
  • Incident Management Processes
    • Prepare
    • Protect
    • Detect
    • Triage
    • Respond

Objectives

At the end of this course, the attendee will be able to
  • define the terms incident management and CSIRT
  • differentiate between incident management and incident response activities
  • describe activities conducted in the five processes that make up the CERT Incident Management Process Model: Prepare, Protect, Detect, Triage, and Respond
  • identify the type of work that CSIRT managers and staff may be expected to handle
  • explain the purpose and structure of CSIRTs
  • define the variety and level of services that can be provided by a CSIRT
  • identify policies and procedures that should be established and implemented for a CSIRT
  • apply process improvement techniques for operating and evaluating an effective CSIRT

Prerequisites

There are no prerequisites for this course.

Materials

Participants will receive a course notebook and a CD containing the course materials.

Schedule

This one-day course meets at the following times:
9:00 a.m. - 5:00 p.m.

Course Details

This course may be offered by special arrangement at customer sites.


For More Information

E-mail: course-info@sei.cmu.edu
Phone: 412-268-7622
