CIRT is an essential security strategy for every Indian organization

Anil Sagar, the director of CERT-In explains the need for a computer incident response team (CIRT) in Indian organizations. Sagar also shares CIRT best practices. Is a computer incident response team (CIRT) necessary for every organization?
Incident response capability is essential to quickly detect incidents, minimize losses, reduce damage, mitigate exploited weaknesses, and restore computing services. Incident response management helps enterprises to manage risks and sustain an organization's computing environment, as well as conduct appropriate response actions.

Incident response services can be provided internally by security or network operators. Alternately, it may be outsourced to managed security service providers (MSSPs). An organization's computer security incident response team (CSIRT) can also provide and manage these services.

Although not compulsory, it's recommended that every organization has a computer incident response team. This aids quick recovery and ensures minimal damage from a security incident. Such a team ensures that the organization complies with legal requirements, protects its resources, and sustains business activities. What are the factors that go into the formation of a computer incident response team?
The CISO is responsible for an organization's CIRT formation and incident response management coordination. Establishing an incident response capability includes the following:

• Create an incident response policy and plan.
• Develop procedures to perform incident handling and reporting, based on the incident response policy.
• Set guidelines to communicate with outside parties regarding incidents.
• Select a team structure and staffing model.
• Establish relationships between the incident response team and other groups — both internal (for example, the legal department) and external (such as law enforcement agencies).
• Determine services to be provided by the incident response team.
• Staffing and training the incident response team. Can you share some best practices on how an organization's computer incident response team reacts to an incident?
The incident response process has several phases -- from initial preparation to post-incident analysis. The initial phase involves establishment and training of an incident response team, along with the acquisition of necessary tools and resources.

During preparation, the organization also attempts to limit the number of incidents that occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after implementation of the controls. Furthermore, no control is foolproof. So detection of security breaches is necessary to alert the organization whenever incidents occur. In keeping with the incident's severity, the organization can act to mitigate the incident's impact through containment and recovery. After adequately handling the incident, the organization issues a report that details the incident's cause and cost, as well as the steps that organizations should take to prevent future incidents.

Factors to be kept in mind while forming a CIRT

While forming a CIRT, an organization needs to keep the following factors in mind:

  • Mission statement: High-level goals, objectives and priorities.
  • Constituency: Constituency type and relationship with the constituency.
  • Place in the organization: Position within the organizational structure (particularly within risk management).
  • Relationship to others: Setting (inter)national CSIRT cooperation, coordination and other interactions.

The incident response process' major phases are as follows.

• Preparation.
• Detection and analysis - Determines whether an incident has occurred. If so, analyze the nature of such incidents, along with identification, protection of evidence, and reporting.
• Containment - To limit the incident's scope quickly and minimize the damage.
• Eradication - To remove the incident's cause.
• Recovery and follow-up, by taking steps to restore normal operation.

Next Steps

Incident response policies and procedures

Read more on Data breach incident management and recovery