The following excerpt is from Chapter 2, What's Your Mission? of The Effective Incident Response Team, written by Julie Lucas and Brian Moeller and published by Addison-Wesley.
Read the entire chapter here.
Management courses frequently highlight the importance of mission statements. It is often emphasized that all members of a team or organization should understand the group's mission so they can take ownership of the tasks at hand. The formation of a CIRT team is no different with respect to having a clearly identified mission. Establishing a mission up front by identifying the scope and focus of the team will ease the decision-making process for many later issues. The mission will also have a direct impact on the number and types of resources that need to be allocated to the team. To aid with this task, start by answering a few basic questions.
Questions to help identify the team's mission:
- Who is included in the team's constituency? In other words, who owns the computers the team will be responsible for monitoring and responding to incidents on if they are attacked?
- How dispersed is the constituency? If it is spread out, are there regional information technology resources that may be called upon during a crisis?
- What is the ideal manner for the team to respond to an incident: on site, remotely, or through some combination of these methods?
- Will the team work with law enforcement either directly or indirectly?
- Will the team's strategy be strictly reactive, or both proactive and reactive?
- What services or functions will the team provide?
- What type of activity is considered to be an incident (i.e., to what sort of activity will the team respond)?
- How will incident reports be stored and tracked?
- How will the incidents be counted?
- What statistics need to be provided to reflect the team's activities? Who will need these statistics and how often? How granular should the statistics be?
ABOUT THE BOOK
When an intruder, worm, virus or automated attack persists in targeting a computer system, having specific controls in place and a plan of action for responding to the attack or computer incident can greatly reduce the resultant costs to an organization. The implementation of a Computer Incident Response Team, whether it's formed with internal or external resources, is one safeguard that can have a large return on investment during a crisis situation. This book serves as a guide to anyone contemplating or being tasked with forming a Computer Incident Response Team. The creation of such a team is not a trivial matter and there are many issues that must be addressed up front to help ensure a smooth implementation. This book will try to identify most of these issues to help with the creation process. Once the team is formed and operational, this guide will continue to serve as a resource while the team evolves to respond to the ever-changing types of vulnerabilities.
Julie Lucas, CISSP, is the Security Practice Director at Global Network Technology Services in Columbus, Ohio. As the director, she designs and implements their computer security service offerings. Prior to GNTS, she became the first Naval Computer Incident Response Team (NAVCIRT) officer. She developed the NAVCIRT into a world-class incident response team responsible for detecting and reacting to computer security threats on Navy and Marine Corps systems worldwide. Brian Moeller, CISSP, is a Firewall and Network Security Consultant for the Ohio State University Network Security/Incident Response Team.
This was first published in September 2003