“We’re definitely seeing an increase in the number of [CSIRTs] being formed,” says Georgia Killcrece, leader of the CSIRT development team at the CERT Coordination Center at Carnegie Mellon University.
In many cases, companies are being driven to create CSIRTs by mandates from Washington, industry groups and the upper reaches of corporate management, she says. New requirements in laws such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and California State Law SB 1386 hold companies accountable for the handling and whereabouts of sensitive data, and require them to respond appropriately to any breaches of customer or employee privacy.
At their best, CSIRTs let companies react in a consistent and coordinated way to events that affect IT systems. “Companies don’t want to have to reinvent the wheel each time an incident occurs. They want to know what to do, gather the right information and pull the right people together,” Killcrece says.
To create an incident response team, start by getting the proper participants together. Business managers, network and desktop administrators, and IT security experts have to be involved, Killcrece says. Legal staff, human resources representatives and senior executives who make funding decisions also should participate in the planning.
When drafting your CSIRT plan, start with the basics, recommends Adam Hansen, manager of security at Sonnenschein, Nath & Rosenthal, a law firm in Chicago.
Companies also need to identify the scope of a CSIRT’s responsibilities, says Troy Smith, senior vice president at Marsh Risk Consulting.
“You have to look at the core software applications that you need to sustain yourselves. If you have one set of systems that are really critical, the scope [of the CSIRT] could be narrow. If you’re an organization that’s very dependent on technology, it could be very broad,” he says.
Howard Schmidt, former White House cybersecurity adviser and the current chief security officer at online auction site eBay, recommends a holistic approach to creating CSIRTs.
“The biggest mistake is to think that you can [create CSIRTs] in a short time: that you’ll set it up and it will be in operation next month,” she says.
Ultimately, the success of an organization’s incident response team will depend on its commitment to that team: the resources and funding allocated, the time put into planning and rehearsing incident response scenarios.
Every CSIRT is special: Identify what your company’s core business processes and systems are, what needs to be done to support and protect those, and how they can be quickly restored if need be.
http://www.nwfusion.com/careers/2005/013105man.html?fsrc=rss-security