T8.2.2 - COMPUTER SECURITY INCIDENT RESPONSE TEAM Implementation Guidance
The entity shall establish a Computer Security Incident Response Team (CSIRT) in charge of the incident management and response plan.
Back to T8.2.2 - P2 - COMPUTER SECURITY INCIDENT RESPONSE TEAM
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard (also refer to the National Cyber Response Framework).
Entities should identify members within the entity to form the CSIRT. The team should be established before the Incident Response (IR) plan is developed, since one of the CSIRT's responsibilities is to create the IR plan.
Here are some of the CSIRT members:
- Team leader, usually a senior manager, whose responsibility is to take charge of incidents and direct actions to other team members
- Boundary protection experts, normally individuals who are expert in the firewalls, routers and IDSs that sit at the edge of the network
- Network administrators
- Physical security members
- Human resources, which might be involved if the attack was originated by an employee
- Communication, which might be involved to become the public face for incidents that become public
Here are some of the primary responsibilities of the CSIRT:
- Develop incident policy, plan, and procedures
- Respond to incidents and minimize their impact
- Investigate incidents and determine the cause
- Prevent future incidents by recommending security controls
- Handle incident reporting and communication to all stakeholders involved, internally and externally
- Protect collected evidence