CSIRT Roles and Communication - Paiet/Tech-Journal-for-Everything GitHub Wiki
- Stakeholders (Key CSIRT Members)
  - HR
    - Not useful for the technical investigation
    - Useful for when incident involves employees
  - Legal
    - Provides legal advice to the team
    - Helps with proper evidence collection/handling
    - Advises on liability
  - Marketing/PR
    - Aids in dealing with reputation
    - Helps with getting buy-in from other key departments
  - Management
    - See role-based responsibilities
- Purpose of communication processes
  - Limit communication to trusted parties
  - Disclosure based on regulatory/legislative requirements
  - Prevent inadvertent release of information
  - Secure method of communication
    - Tested
    - Documented
    - Make it policy
- Role-based responsibilities
  - Technical
    - Specialists/SME
      - Performs/Advises for esoteric matters
    - Current IT staff
      - Becomes subordinates/support of the CSIRT
  - Management
    - Authorize and facilitate the resources required to respond to an incident
      - OK's the decisions to
        - Turn off critical infrastructure
        - Speak with outside entities
          - Law enforcement
          - News outlets
      - Makes official statements
      - OK's the spending
  - Law enforcement
    - Used when criminal activity is detected
  - Retain incident response provider
    - Professional Incident Response Team
    - Highly skilled experts
    - $$$$$
    - Have hand-off procedures in place