The work of Killacree [Georgia Killacree, 2006] shows that the IS main threats to an enterprise come from Disgruntled Employees (often the chief source of internal threats - a critical tasks for enterprise HR! ) so-called ‘hackers for hire’, organized crime, competitors, cyber vandals and governments (the latter particularly applies to technology developments, as the rewards accrue to those who apply and sell a new technology rather than those who develop it! ). Of these, to a typical enterprise, the most severe IS threat comes from competitors, who may be so unethical as to suborn ‘home’ employees - another key reason for carrying out three-monthly Probity Checks. Killacree makes it abundantly clear that CSIRTs in general need to react quickly - in a manner of minutes if a major cyber attack is being mounted.
The response needs to include: immediate notification, automated incident handling, easy and efficient collation and interpretation of key information, and effective mechanisms to share collated and interpreted information. The work of Kabay [M. E. Kabay, PhD, CISSP, 2009] explains the key tasks in organising a CSIRT in order to carry out the roles outlined by Killacree . These fall into two basic categories: proactive services (or preventative tasks) and security quality management services (remedial tasks, in other words.
Kabay [2009, Page 5] defines the proactive services as: announcements, technology watch, security audits or assessments, the configuration & maintenance of security tools, applications and infrastructures, the development of security tools, intrusion detection services and security-related information dissemination. These fully accord with practical IS workplace experience.
Kabay defines the key security quality management services as: risk analysis, business continuity and disaster recovery planning (also vital in case of physical risks to the enterprise’s data center), IS consulting (something best placed in the hands of outside experts in smaller enterprises), awareness building (usually done through regular seminars conducted by the enterprise’s ISO), education and training (likewise), and IS product evaluation or certification (also a key ISO task). The work of Profitt [Timothy Proffitt, 2007] builds on the themes defined by Kabay , but places them in the specific context of a large enterprise.
Profitt defines three categories: passive services, such as vulnerability assessments, announcements and information disclosure, and an intrusion detection service.
Andrew Cormack, Miroslaw Maj, Dave Parker, Don Stikvoort . 15th September 2005. CCoP - CSIRT Code of Practice – approved version 2.1 v2.1/ Approved Version 15 September 2005. Retrieved from : https://www.trusted-introducer.org/CCoPv21.pdf
Jose J. Gonzalez, Ying Qian., Agata Sawicka. n.d.. Managing CSIRT Capacity as a Renewable Resource . Management Challenge: An Experimental Study. Retrieved from :
M. E. Kabay. September 18, 2007. Network World. CSIRT Management: Triage. Students discuss triage in a CSIRT. Retrieved from : http://www.networkworld.com/newsletters/2007/0917sec1.html
M. E. Kabay, PhD, CISSP-ISSMP . Assoc Prof of Information Assurance. School of Business & Management. Norwich University. 2009. CSIRT Management. Retrieved from : http://www.mekabay.com/infosecmgmt/csirtm.pdf
Georgia Killacree. 2006. CERT. CERT/CC Overview & CSIRT Development Team Activities. Retrieved from : https://www.enisa.europa.eu/activities/cert/events/files/ENISA_An_overview_of_CERT-CC_Killcreece.pdf
Timothy Proffitt. 2007. SANS Institute InfoSec Reading Room. Creating and Managing an Incident Response Team for a Large Company. Retrieved from : http://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821
Gavin Reid. Dustin Schieber, n.d.. CISCO. CSIRT Case Classification (Example for Enterprise CSIRT). Retrived from : http://www.first.org/_assets/resources/guides/csirt_case_classification.html
Omar Santos. Oct 12, 2011. Cisco Support Community. Creating a Computer Security Incident Response Team (CSIRT). Retrieved from : https://supportforums.cisco.com/blog/150836/creating-computer-security-incident-response-team-csirt
University of Scranton Information Security Office. 1/27/2009. Computer Security Incident Response Team Operational Standards. [Online]. Retrieved from : http://www.scranton.edu/pir/documents/CSIRT%20Operational%20Standards%20Manual.pdf
Blackley, J. A., Peltier, J., & Peltier, T. (2003) Information Security Fundamentals, 1st Edition. Boca Raton, FL. Auerbach Publications. ISBN: 08493-19579-9780849319570
Layton, T. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Auerbach Publications Taylor & Francis Group. ISBN 08493-70876