Engaging the incident response team

A CSIRT functions in much the same way as an urban or rural fire department. A fire department has specifically trained professionals who are tasked with responding to emergency situations with specialized equipment to contain and eradicate a fire. In order to engage a fire department, a citizen must contact emergency services and provide key information, such as the nature of the emergency, the location, and whether any lives are in danger. From here, that information is passed on to the fire department, which dispatches resources to the emergency.

The process of engaging a CSIRT is very similar to engaging a fire department. Internal or external personnel need to escalate indications of a cyber security incident to the appropriate personnel. From here, resources are dispatched to the appropriate location(s), where those on the ground will take the lead in containing the incident and in eradicating or limiting potential downtime or loss of data. To make this process as efficient as possible, the following are critical components of the engagement process:

Engaging a CSIRT, much like engaging a fire department, requires a set path of escalation. The following sections present three CSIRT models that describe some options for a proper escalation path.