IT Security: Creating a Computer Security Incident Response Team (CSIRT)

- select the contributor at the end of the page -
One of the lessons learned in any profession that looks to protect or prevent an incident of some kind is that no level of protection or prevention is 100% effective. So the next question that you must ask yourself is "What can be done when a security incident does occur?"

Several IT security certifications, including the CompTIA Security+ certification, do touch on this topic. However, most IT security professionals must realize the benefits of having an Incident Response Plan and the risks of not having one.

In this article, we will explore the importance of developing a plan for responding to IT security incidents, beginning with the formation of a Computer Security Incident Response Team (CSIRT). The next article on this topic will go more in depth into incidence response planning as we discuss how to create a Computer Security Incident Response Plan (CSIRP).

Why Do You Need an Incident Response Plan?

There are several benefits for having an incident response plan in place. First of all, IT security plans contain information for dealing with protection and prevention, but also are a part of disaster recovery and business continuity. Other aspects must be considered and those are containment, failure analysis and correction, and risk management.

Creating a structured incident response plan can be a great asset to any organization. Customers that rely on your organization can be assured that information is not only protected, but methods are in place to handle different situations, should they arise. Financial benefits may also be realized as some insurance companies may offer discounts for coverage in case of loss if protection and mitigation plans are in effect.

The downsides to not having an incident response plan are obvious. The inability to contain an incident can lead to repeated incidents. Information of those incidents will eventually leak out of your organization and public opinion of your organization or more importantly, the opinion of your customers will be jeopardized. This continual cycle can only lead to disaster.

So where do we start? You have created your IT security plan and it coincides with the organization's plans for business continuity. The next step is to create a CSIRT -- a Computer Security Incident Response Team -- and identify their mission.

What is a Computer Security Incident Response Team?

The CSIRT is the core team responsible for dealing with IT security incidents and managing the impact in your organization. Assembling the proper team and identifying roles and responsibilities is crucial and should not be taken lightly. IT security professionals may fill several roles on this team, but not always. Let's take a look at what the formation of a CSIRT would look like.

1. CSIRT Team Leader: This is the person responsible for organizing and directing the CSIRT. Typical duties center on managing incident response processes, but also policies and procedure updates to deal with future incidents. This person should have a firm grasp of IT security and risk management.

2. Incident Lead: This is the person designated to coordinate responses to IT security incidents. It is possible that there could be more than one Incident Lead depending on incident types and levels of expertise. This person should be well versed in IT security and the particular type of IT equipment that incidents may occur on (i.e. servers, networks, firewalls, data archives, etc.). All information about incidents must be passed through this person before it leaves the team and is passed on to the organization or the public.

3. CSIRT Support Members: There are several support members that make up the CSIRT team that should be included. Not all organizations require them, but a solid list should include:

  • IT Contact: This is a member of your IT staff and should be familiar with your IT infrastructure. Multi-members that focus on different disciplines may be asked to participate if a multi-disciplined member is not sufficient.
  • Management Representative: Your team should always have a representative from the organization's management team involved. This member is the interface to the management staff and should express concerns and ideas to and from the team. Management involvement is essential when dealing with incidents that can gravely affect the financial or operational status of the organization.
  • Legal Representation: It is advisable to have some legal representation on your CSIRT. Legal ramifications and procedures against individuals that may have caused an IT security incident may need to be dealt with.
  • Public Relations/Communications: This is your outlet to the public and your customer base. Maintaining good PR is always a good idea in a crisis and communicating the details of security incidents and how they are handled can save business relationships.

What Functions Should a CSIRT Perform?

Beyond the roles stated above there are some key functions that a CSIRT can provide to augment IT security staff. Functions can include:

  • Additional in depth review of all IT security plans and procedures (additional pairs of eyes never hurts here).
  • Central communication point when incidents occur.
  • Can promote IT security awareness and can manage audits and drills.
  • Assist in evaluation of new technologies and techniques prevention and containment.
  • Provide risk management analysis of IT implementations and how it affects the organization.
  • Investigating new security vulnerabilities and threats and the most adequate response.
  • Perform the action of the emergency contact group for the organization.
  • Perform the role of IT emergency system management for all remotely stored system critical information such as: passwords, IP lists, network configurations, firewall rule sets, escalation procedures, etc.


So far we have discussed at a high level a key tool that an organization can utilize to effectively deal with IT security incidents. Finding the right members for your CSIRT is very important and can provide a strong resource for IT security teams to manage incidents and prevent future issues.

Maintaining IT infrastructure integrity is always important for your business, but if it is your business, managing or mismanaging incident responses could affect the financial stability of your organization. In our world of IT security threats from various sources, it is imperative to be armed with the best means to combat them.

Get our content first. In your inbox.

Loading form...

If this message remains, it may be due to cookies being disabled or to an ad blocker.


Tracey Wilson

Tracey Wilson has a B.S. in Electrical Engineering and experience in network administration, network architecture and disaster recovery solutions. He’s also an active participant in SCinet, the organization responsible for planning and implementing the “World’s faster Network” as well as IEEE Computer Society and Association for Computing Machinery (ACM). Tracey currently serves as the technical lead and program manager for DICE - Data Intensive Computing Environment, evaluating new and emerging technologies to solve HPC and data management issues. (CCNA, JNCIS, SNIA, MCSE)