search menu icon-carat-right cmu-wordmark

Resources for Creating a CSIRT

These resources help you to get started when creating a new CSIRT.

Publisher:

Software Engineering Institute

To establish a computer security incident response team (CSIRT), you should understand what type of CSIRT is needed, the type of services that should be offered, the size of the CSIRT and where it should be located in the organization, how much it will cost to implement and support the CSIRT team, and the initial steps necessary to create the CSIRT. The resources on this page will help you answer these and other questions.

Create a CSIRT

January 2017

This white paper discusses the issues and decisions organizations should address when planning, implementing, and building a CSIRT.

Action List for Developing a Computer Security Incident Response Team (CSIRT)

November 2006

In this paper, the authors summarize actions to take and topics to address when planning and implementing a Computer Security Incident Response Team (CSIRT).

Defining Incident Management Processes for CSIRTs: A Work in Progress

October 2004

In this report, the authors present a prototype best practice model for performing incident management processes and functions.

Steps for Creating National CSIRTs

August 2004

In this paper, Georgia Killcrece provides a high-level description of a National Computer Security Incident Response Team (NatCSIRT), its problems, and challenges.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability

June 2010

In this report, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

April 2011

In this 2011 report, an update to its 2010 counterpart, the authors provide insight that interested organizations and governments can use to develop a national incident management capability.

CSIRT Frequently Asked Questions (FAQ)

January 2017

This FAQ addresses CSIRTS, organizations responsible for receiving, reviewing, and responding to computer security incident reports and activity.

CSIRT Services

November 2002

In this paper, the authors define computer security incident response team (CSIRT) services.

Skills Needed When Staffing Your CSIRT

January 2017

This white paper describes a set of skills that CSIRT staff members should have to provide basic incident-handling services.

Limits to Effectiveness in Computer Security Incident Response Teams

August 2005

In this paper, the authors present an attempt to gain a better understanding of how a CSIRT can handle a growing work load with limited resources.

Organizational Models for Computer Security Incident Response Teams (CSIRTs)

December 2003

This 2003 report describes different organizational models for implementing incident handling capabilities, including each model's advantages and disadvantages and the kinds of incident management services that best fit with it.

Incident Management

December 2005

In this paper, the author describes incident management capability and what it implies for controlling security events and incidents.

Build Security In

January 2017

This article lists resources that developers, architects, and security practitioners can use to build security into software during its development.

Columbia CSIRT Case Study

January 2013

This case study describes the experiences of the Columbia CSIRT in getting its organization up and running.

FAQ: Collaboration Between the CERT Coordination Center and Computer Security Incident Response Teams Worldwide

June 2008

This FAQ answers questions related to the collaboration between the CERT/CC and CSIRTs worldwide.

Tunisia Case Study

January 2013

This case study describes the experiences of the Tunisia CSIRT in getting its organization up and running.

Financial Institution CSIRT Case Study

January 2004

This case study describes the experiences of a financial institution CSIRT in getting its organization up and running.

Steps in the Process for Becoming an Authorized User

February 2013

This procedure describes the steps that incident response teams must take to apply for using the CERT mark in their name.

Guidelines for Use of “CERT”

October 2011

These guidelines for using “CERT” help to protect and strengthen the use of the word by everyone.