|“||[a] team of computer experts (internal or external) organized to protect an organization’s data, systems, and other assets from attack by hackers, viruses, or other compromises.||”|
|“||responsible for providing incident response services to part or all of an organization. The team receives information on possible incidents, investigates them, and takes action to ensure that the damage caused by the incidents is minimized.||”|
Incident response teams are common in corporations as well as in public service organizations. This team is generally composed of specific members designated before an incident occurs, although under certain circumstances the team may be an ad-hoc group of willing volunteers.
Incident response team members ideally are trained and prepared to fulfill the roles required by the specific situation (for example, to serve as incident commander in the event of a large-scale public emergency). As the size of an incident grows, and as more resources are drawn into the event, the command of the situation may shift through several phases. In a small-scale event, usually only a volunteer or ad-hoc team may respond. In small but growing, and large events, both specific member and ad-hoc teams may work jointly in a unified command system. Individual team members can be trained in various aspects of the response. Ideally the team has already defined a protocol or set of actions to perform to mitigate the negative effects of the incident.
Team structures Edit
Three possible structures for an incident response team include the following:
- Central Incident Response Team. A single incident response team handles incidents throughout the organization. This model is effective for small organizations and for organizations with minimal geographic diversity in terms of computing resources.
- Distributed Incident Response Team. The organization has multiple incident response teams, each responsible for a particular logical or physical segment of the organization. This model is effective for large organizations (e.g., one team per division) and for organizations with major computing resources at distant locations (e.g., one team per geographic region, one team per major facility). However, the teams should be part of a single centralized entity so that the incident response process is consistent across the organization and information is shared among teams. This is particularly important because multiple teams may see components of the same incident or may handle similar incidents.
- Coordinating Team. An incident response team provides advice to other teams without having authority over those teams — for example, a departmentwide team may assist individual agencies’ teams. This model can be thought of as a CSIRT for CSIRTs.
- ↑ Internet Banking: Comptroller’s Handbook, at 73.
- ↑ NIST Special Publication 800-61 (rev. 2), at 54.
- ↑ Information about the Coordinating team model, as well as extensive information on other team models, is available in a CERT®/CC document titled "Organizational Models for Computer Security Incident Response Teams (CSIRTs)."
- "Team structures" section: NIST Special Publication 800-61 (ver. 2), at 13.
|This page uses Creative Commons Licensed content from Wikipedia (view authors).|