A computer incident response team, or CIRT, is a lot like a firefighting crew - both are composed of individuals trained to respond quickly to specific incidents with the goal of limiting damage and reducing recovery time and costs.
"Like a fire department, you can use [CIRTs] for actual incident response and for cleanup, for education and for drills," says Richard Mogull, an analyst at GartnerG2 in Stamford, Conn.
A CIRT may be activated by virus or hacker attacks, internal sabotage or even suspicious activity, such as successive attempts to gain access to a system or transactions that fall outside preset boundaries - such as a money transfer exceeding $1 million.
Incident response at companies that don't have a CIRT tends to be expensive and ad hoc, says Steve Romig, manager of the network security group at Ohio State University in Columbus.
And there's more than money on the line. Companies that fail to react quickly to security incidents stand to suffer damage to their reputations and lose customers.
A CIRT's key mission, therefore, is to orchestrate a speedy and organized companywide response to computer threats. The following are some tips for building that capability:
Know Your Constituency Decide which computers, address ranges and domains will be monitored for incidents, says Romig. Know what services the CIRT will provide and to whom. Develop policies for when to disclose security breaches and when to report an incident to law enforcement agencies, Romig says. And be sure to advertise contact information for the CIRT throughout the company, he adds.
Assemble the Team Figure out which department the CIRT should be in and who should head it. Many companies put the team within the IT group, although others add the CIRT to the security or audit group, or make it a stand-alone function, says Georgia Kilcrece, a member of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
"Wherever it sits, [a CIRT] will not succeed without management support," she says, because the team may require cooperation among multiple departments, such as legal and human resources.
The incident response team at the University of Wisconsin-Madison has a process for calling in its legal department and local law enforcement when incidents involve activities such as computer-related harassment, says Kim Milford, information security manager at the university.
Companies that can afford it sometimes maintain a formal team of specialists whose sole task is to respond to external and internal security breaches.
For example, one financial services firm has a core incident response team of 12 full-time specialists. Additional members are pulled in from the company's human resources and legal departments to assist this core team if necessary, says the company's IT director, who requested anonymity.
The University of Wisconsin-Madison has entrusted the task of coordinating incident response to one full-time worker. That person acts as a central point of contact for reporting and responding to incidents. Along with the university's IT security group, the employee is responsible for assessing the scope, priority and threat level of an incident, as well as for suggesting a response, Milford says.
Create a SWAT team Maintaining a full-time incident response team can be expensive, so many companies choose to have an ad hoc incident response team that can come together quickly when needed, says Mogull.
Providence Health System creates SWAT teams to respond to specific incidents, such as virus infections, says David Rymal, director of technology at the Seattle-based health care provider.
"We use pager alerts and call an incident response meeting of the functional groups designated to respond to such incidents. In that meeting, we'll set a plan of action and a communication plan" for dealing with the threat, Rymal explains.
But, he adds, Providence Health System doesn't have formal methods of maintaining a CIRT beyond knowing the key players and who responds to which types of incidents.
Get Organized Have written policies and procedures and assign responsibilities upfront, says the financial services firm's IT director. "We maintain a formal list with names, cell phone numbers and beeper [numbers] of people who can be called in to assist the core team," he says.
Figure out what equipment you'll need, where you'll house it and how you'll protect the CIRT function. You don't want unauthorized people accessing information that a CIRT may uncover during a response, Kilcrece says.
None of this does any good if the plan merely sits on a shelf. Conduct frequent drills and mock exercises, especially for ad hoc teams, the financial services IT director says, adding, "Remember, it is a process that you have to do right but hope you never have to use."
The Security Action Plan
Stories in this report:
- The Security Action Plan
- The Story So Far: IT Security and Disaster Recovery
- Maximum Security Returns
- Manage Those Patches!
- Build a Computer Incident Response Team
- Let the Pros Investigate Computer Crimes
- Watch Out for Wireless Rogues
- For Disaster Recovery, Put Your IT Eggs in Different Baskets
- Denying Network Service
- Think Like a Terrorist
- Field Report: Out from the Shadows
- How to Thrive in the IT Security Market
- The Next Chapter: Predictions about IT security
- IBM's view of the hot trends in IT security
- Case studies in IT security and disaster recovery
- Intrusion-detection systems are evolving
- Reporter's Notebook: IT Security
- Top 10 Vulnerabilities in Today's Wi-Fi Networks