Chapter 2. Incident Response Teams

Since the Carnegie Mellon CERT Coordination Center (CERT/CC) was established, incident response teams have sprouted in all sorts of places, ranging from government teams to commercial for-profit organizations set up similarly to the CERT/CC. In fact, there are almost as many types of teams as there are teams themselves. This is fortunate in today’s digital world: organizations that recognize the advantages of instituting a robust incident response program have a multitude of options for how best to accomplish it. From a management perspective, one of the primary distinctions among the different incident response capabilities is funding: who pays for the incident response services? From an operational perspective, however, the primary considerations are responsibility and services: to whom or what does the incident response team answer, and what services does it offer?

The answers to these questions determine the team’s priorities. For example, a team funded by a government agency or large community is responsible to that entire agency or community, not just one or two organizations. Thus, the services that it provides must be divided across the community it serves. Depending on the size of that community, the funding model of the team, and the core mission of the team itself, the team will be able to reasonably offer a particular set of services. The reason that the set of services is usually impacted by the size of the community is one ...
