Tutorial: Creating and Managing CSIRTs

Monday, May 25
Cristine Hoepers and Klaus Steding-Jessen, CERT.br

 

Course Description:

This one-day course provides a consolidated view of information that was contained in two other CERT courses: Creating a CSIRT and Managing CSIRTs.
Its main purpose is to highlight best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT).

The course explores the relationship between CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise view and approach.
It present a process-based model for structuring incident management activities and also provides an introductory view of CSIRTs to anyone new in the field.

Objectives:

  • Define the terms incident management and CSIRT.

  • Differentiate between incident management and incident response activities.

  • Describe activities conducted in the five processes that make up the CERT Incident Management Process Model: Prepare, Protect, Detect, Triage, and Respond.

  • Identify the type of work that CSIRT managers and staff may be expected to handle.

  • Explain the purpose and structure of CSIRTs.

  • Define the variety and level of services that can be provided by a CSIRT.

  • Identify policies and procedures that should be established and implemented for a CSIRT.

  • Apply process improvement techniques for operating and evaluating an effective CSIRT.

Topics:

General Foundational Knowledge

  • Review of the CERT Resiliency Engineering Framework
  • Review of Incident Management Process Framework
  • Relationship between Incident Management processes and CSIRTs

Creating an Effective CSIRT

  • What is a CSIRT?
  • What does a CSIRT do?
  • General categories of CSIRTs

CSIRT Components

  • Constituency
  • Mission
  • Organizational Issues
  • Funding
  • Services
  • Policies and Procedures

Operational Management Issues

  • CSIRT staffing issues
  • Managing CSIRT infrastructures
  • Evaluating the CSIRT's effectiveness

Incident Management Processes

  • Prepare
  • Protect
  • Detect
  • Triage
  • Respond

Audience:

This tutorial is designed to provide managers and other interested staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and the type of activities a CSIRT performs.

 

LACNIC 2009
For website comments, email webmaster@lacnic.net
For general inquiries, email comunicaciones@lacnic.net
Rambla República de México 6125 :: CP 11400 Montevideo Uruguay
Tel: (+598-2) 604 2222* :: Fax: (+598-2) 604 2222 int. 112