The Important Role of a Cyber Security Incident Response Program

Authored by Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream and Dr. Michael Redmond, FBCI, MBCP, CEM, PMP, MBA, PhD, CEO and Lead Consultant, Redmond Worldwide


We live and do business in a whole new world; one marked by increasing cyber attacks, and all new rules. Beyond the increase in frequency of attacks, we also face an increase in the types of organizations that have become targets. Today, it goes beyond banks and government-related institutions, to include healthcare providers, retailers, and essentially any entity that owns or has access to the assets and information of its consumers.

Organizations require more focused awareness to bolster their security policies and practices as the foundational structure of an overall risk-management strategy. Furthermore, organizations need to ensure compliance with new laws and regulations that govern how they protect information assets.

It's also critical that organizations accept that network and systems administrators alone cannot protect corporate systems and information assets; it must be an organizational team effort. A Cyber Security Incident Response Team (CSIRT) is a must in today's world.

Why is a CSIRT so crucial?

Security breaches and the incidents of fraud that follow them are on the rise, both in frequency and in scale. Financial institutions, retailers, healthcare providers and other targeted organizations are meeting this increasingly dangerous challenge as best they can with the resources at their disposal. However, we must face the fact that these threats will continue to grow, and that the adversary, whether a criminal group or a state-sponsored actor, is a formidable one.

While organizations cannot always prevent a breach, a quick response to a security event goes a long way toward minimizing the financial damage and, most importantly, protecting the business and its reputation. The costs of a breach include increased call center activity, customer education and awareness programs, brand repair campaigns, legal and regulatory fines, and customer settlements. To reduce them, organizations should adopt a proactive approach built around timely stakeholder communication.

Cyber Attacks are Not New

In April 2012, a server hack was responsible for a HIPAA violation at the Utah Department of Health, in which the records of over 780,000 people were exposed after attackers defeated the server's authentication and stole Social Security Numbers and personal health records.1 It was determined that the server had not been configured according to normal procedure, which allowed the attackers to gain access to the network. In January and February 2012, nearly 1.5 million individuals were affected when hackers infiltrated the payment processing system of Global Payments Inc. On December 14, 2014, it was reported that the Dutch government had suffered a website outage due to a cyber attack: hackers allegedly crippled the government's main websites for most of the day, and the back-up plans and contingencies in place proved largely ineffective. All of this illustrates serious gaps in current infrastructure and back-up plans.

Cyber Attacks are Happening More Often

The number of data breaches increased by 27.5% in 2014.2 The victims include large corporations such as Sony, Target and Anthem, to name a few. In 2012, the South Carolina Department of Revenue suffered the largest attack on a state agency to date: 3.8 million tax records, including Social Security and credit card numbers, were stolen. Sources indicate that a phishing email allowed the attackers to steal user credentials, gain unauthorized access, and exfiltrate 74GB of data, some of it encrypted and some not.

In February 2015, a US cyber security firm reported that Chinese hackers had compromised Forbes magazine's website and used it to attack defense contractors, financial firms and other visitors who happened to browse the popular news site. The full depth and scope of these attacks is still being understood. Invincea and iSIGHT Partners described what they characterized as a "watering hole" campaign, run late the previous year, that affected Forbes and other legitimate websites. The attackers compromised visitors' systems through vulnerabilities in Adobe Flash and the Internet Explorer browser, both of which have since been patched, according to Invincea.

On February 13, 2015, Tennessee healthcare group State of Franklin Healthcare Associates (SoFHA) alerted employees to a payroll breach affecting their personal information. The breach occurred at a third-party payroll vendor. To make matters worse, some of the stolen tax information was used to file fraudulent tax returns. All employees were notified, and about 20 to 25 were severely affected. The personal information accessed included payroll information, W-2s and more. SoFHA is working with national, state and local law enforcement to identify the culprits and bring them to justice, and after notifying its employees it offered them one free year of identity theft protection services. SoFHA immediately reported the tax-related identity theft to the authorities, a crucial step in the wake of an incident of this size and scale.


There are important considerations before starting a program. Some are operational and technical, such as equipment, security, and team staffing. It is also critical to determine the resources needed, for newly formed teams as well as existing ones, including CSIRT consultants who can be brought on board to help with planning.

CSIRT is Not Just About Responding

Consider incident handling and eliminate duplication of effort. Conduct a gap analysis of your current cyber program. Include your capability to respond to incidents and the resources available to alert and inform the constituency. Determine what mitigations are currently in place to deal with the potentially serious effects of a computer security incident.

When setting up a CSIRT Program and CSIRT Plan, focus on the basics:

  1. Objective
  2. Scope
  3. Assumptions
  4. Ownership
  5. Action Steps
  6. Structure


The organization's vision is the best starting point. Who is your constituency? Define the CSIRT mission, goals, and objectives. Select the CSIRT services to provide to the constituency (or others). Outline how the CSIRT supports its mission. Determine the organizational model of the CSIRT, and outline how it is structured and organized. List the required resources, including the staff, equipment, and infrastructure needed to operate the CSIRT. Lastly, determine your CSIRT funding: how will the CSIRT be funded during its initial startup, and how will it be maintained and scaled over time?

Who Should Be On Your CSIRT Team?

Business Managers. They need to understand what the CSIRT is and how it can help support their business processes. Agreements must be made concerning the CSIRT's authority over business systems and who will make decisions if critical business systems must be disconnected from the network or shut down.

Representatives from IT. How do the IT staff and the CSIRT interact? What actions are taken by IT staff and what actions are taken by CSIRT members during response operations? Will the CSIRT have easy access to network and systems logs for analysis purposes? Will the CSIRT be able to make recommendations to improve the security of the organizational infrastructure?

Representatives from the Legal Department. When and how is the legal department involved in incident response efforts? Legal staff may also be needed to review non-disclosure agreements, develop appropriate wording for contacting other sites and organizations, and determine site liability for computer security incidents.

Representatives from Human Resources. They can help develop job descriptions to hire CSIRT staff, and develop policies and procedures for removing internal employees found engaging in unauthorized or illegal computer activity.

Representatives from Public Relations. They must be prepared to handle any media inquiries and help develop information-disclosure policies and practices.

Any Existing Security Groups, Including Physical Security. The CSIRT will need to exchange information with these groups about computer incidents and may share responsibility with them for resolving issues involving computer or data theft.

Audit and Risk Management Specialists. They can help develop threat metrics and vulnerability assessments, along with encouraging computer security best practices across the constituency or organization.

Steps to Develop Your CSIRT Program

Step 1: Obtain management support and buy-in

Step 2: Determine the CSIRT strategic plan

Step 3: Gather relevant information

Step 4: Design the CSIRT vision

Step 5: Research best practices

Step 6: Decide on standards and regulations that you will follow and adhere to

Step 7: Decide on the team and its structure

Step 8: Prepare templates

Step 9: Establish and communicate the CSIRT vision

Step 10: Develop and document the CSIRT program, plan, playbooks

Step 11: Train your team

Step 12: Begin CSIRT implementation

Step 13: Announce the operational CSIRT

Step 14: Evaluate CSIRT effectiveness

Defense Is Critical

A strong defense is critical to fighting and winning the battle against cyber crime. Good procedures and processes must be put into place now in order to defend your organization, today and into the future.

1. Collect and develop better information and evidence about attack vectors and threat agents. Management must support the needed level of security required to protect sensitive information and critical assets from cyber threats. This support includes budget requirements that allow for a good program.

2. Design your supra-systems on the assumption that a threat may compromise a sub-system. Build in layers of defense that segment each subsystem, including monitored interfaces between them. Validate that the specifications are actually enforced.

3. Frequently cited statistics suggest that up to 80% of attacks originating inside the organization are never detected. To manage such an uncontrolled threat environment, perform a detailed and realistic risk assessment, followed by a gap analysis of security controls, capabilities, and resources.

4. Monitor and analyze network traffic. An enterprise security incident detection capability and a CSIRT program are both essential.

5. Strategize defensive moves, such as analysis that predicts the likely behavior and actions of attackers. Use the CSIRT to mitigate the risks and to exercise different breach scenarios.

6. Define Risk Early Warning Indicators (REWI) to drive your security analytics and to keep security metrics aligned with the risks they are meant to signal.

7. Share information with the cyber community. For example, you can submit malware samples to multi-engine scanning services such as VirusTotal. The FBI also runs a program called InfraGard, which enterprises can join to share information about different attacks.
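Before submitting a sample to a public multi-engine scanner, a practitioner will usually look it up by hash first: the hash reveals nothing about the file's contents, whereas uploading the file itself can leak customer data or internal documents embedded in the malware (a dropper that wraps a stolen spreadsheet, for instance). The following Python script is an added example, not code from the article or from VirusTotal; it hashes a constructed stand-in sample and prepares, without sending, a VirusTotal v3 lookup by SHA-256, so the decision to go online and the decision to upload are both made deliberately.

```python
"""Hash-first malware sharing helper (added example, not from the article).

Computes the hashes of a suspect file and prepares a VirusTotal v3 lookup by
hash, so the analyst can learn whether the sample is already known before
deciding whether to upload the file itself.
"""
import hashlib
import json
import urllib.request
from typing import Dict

# Documented VirusTotal v3 endpoint for looking up a file by its hash.
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"

# Constructed stand-in for a suspect binary; it is NOT real malware.
SAMPLE_BYTES = b"MZ\x90\x00" + b"constructed-suspect-sample" * 8


def hash_sample(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests; these can be shared freely."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def build_lookup(sha256: str, api_key: str) -> Dict[str, object]:
    """Prepare (but do not send) the hash lookup request.

    Only the hash leaves the organization; the file stays on the analyst's
    workstation until a separate upload decision is taken.
    """
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a lowercase hex SHA-256")
    return {
        "method": "GET",
        "url": VT_FILE_LOOKUP.format(sha256=sha256),
        "headers": {"x-apikey": api_key},
    }


def send_lookup(request: Dict[str, object]) -> Dict[str, object]:
    """Send a prepared lookup; requires network access and a real API key.

    A 404 from the service means the hash is unknown, which is the point at
    which an upload becomes worth considering.
    """
    req = urllib.request.Request(request["url"], headers=request["headers"],
                                 method=request["method"])
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def may_upload(known_to_scanner: bool, contains_sensitive_data: bool) -> bool:
    """Upload only a sample that is both unknown and cleared of sensitive content."""
    return not known_to_scanner and not contains_sensitive_data


if __name__ == "__main__":
    digests = hash_sample(SAMPLE_BYTES)
    for name, value in digests.items():
        print(f"{name}: {value}")
    # "YOUR_API_KEY" is a placeholder; the request is printed, not sent.
    print(json.dumps(build_lookup(digests["sha256"], "YOUR_API_KEY"), indent=2))
```

Run as a script it prints the digests and the prepared request; `send_lookup` is only called once an analyst has decided the lookup may go online. The `may_upload` gate encodes the caveat in this item: an unknown hash is a reason to consider sharing the file, never a reason to share it automatically.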

8. Collaborate with Information Sharing and Analysis Centers (ISACs), Computer Emergency Response Teams (CERTs), and sector-specific organizations such as the Aerospace Industries Association and the Defense Industrial Base (DIB) partnership between the US Government and the defense industry.

CSIRT programs are a must in today's world, one filled with complexity, new threats, and many unknowns. What remains certain is the increasing probability of cyber crime and the rise of an ever more sophisticated generation of threat agents and attackers capable of successfully attacking even the largest and most reputable organizations. Time is not on our side; start today and improve tomorrow.


About the Authors

Dr. Michael C. Redmond, PhD, MBCP, FBCI, CEM, PMP, MBA, Major (US Army Reserves Retired), ISO Certified. CEO and Lead Consultant for Redmond Worldwide Dr. Michael C. Redmond is an International Speaker, Author, Trainer and Consultant. She has helped International Organizations create great Cyber Incident Response Programs and has a strong Compliance background. Michael has an Introduction to Cyber Security Audio Training Series and Workbook available at

Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream. Vibhav has 11+ years of progressive experience in Enterprise product marketing, sales management, ERP & CRM program planning and delivery, software vendor selection and implementation across Hi-Tech, Trading & Capital Markets and Internet domains.