What is CSIRT? What are CSIRT Roles and Responsibilities?
Cyber Security Incident Response Team (CSIRT)
A cyber security incident response team (CSIRT) consists of the people who will handle the response to an incident. It may include both internal and external teams and may differ based on the nature of the incident.
The core team will usually be IT or Cyber Security staff. The extended team may include other capabilities, such as PR, HR and legal.
What are the Responsibilities of CSIRT?
Members of the CSIRT analyze the data concerning incidents and discuss methods of prevention. When necessary, they share their insights and/or solutions with the rest of the company. They are active players before, during and after cyber security incidents. The responsibilities of a CSIRT include:
- Remediating security incidents.
- Detecting and taking immediate action upon incidents.
- Providing in-depth analysis of past incidents. Preventive protocols are set up in the light of the reports that the CSIRT provides after incidents.
- Training staff to give the appropriate responses to new threats.
- Reviewing the security measures of networks and systems to detect vulnerabilities.
- Informing related departments about new technologies, policies and changes in protocols after security incidents.
- Maintaining internal communications and supervising operations during and after significant incidents.
- Creating and (when necessary) updating the cyber security incident response plan (IRP).
- Preserving confidentiality during incidents.
- Regularly reviewing standard security protocols and, if needed, updating them.
What are the Roles of CSIRT Members?
1. Core Team (needed during an incident)
- Senior / Executive management: Available to support critical decisions such as taking an important system offline.
- Incident Manager: Responsible for ensuring all actions are tracked and that the incident is documented and communicated clearly.
- Other department leads: Leads for the non-technical aspects of the investigation, such as regulatory or media handling actions. Includes PR, HR, Customer Services and Legal.
- Technical Lead / Recovery Manager: Leads the technical response and recovery. This gives the incident manager the time to handle the overall response.
- Investigators / Analysts / Cybersecurity SMEs: Perform analysis and potentially help to lead the investigation.
- IT and infrastructure: Support by taking containment and remediation actions. Sometimes investigate and provide data.
2. Optional Roles:
- Government & Law enforcement: Police and the NCA / NCSC may also be involved or provide advice, depending on the incident.
- Crisis Management / Business continuity / Disaster recovery: These teams and processes may be involved where there is serious damage or an outage.
3. Central co-ordination
It is vital that there is a central point of co-ordination. The person with this responsibility need not be a cyber security expert. Their role is to ensure that all actions and findings are managed, tracked and correlated, and that the incident is communicated to all relevant stakeholders.