What does a Computer Incident Response Team (CIRT) do? (Composition, Process, Framework)

A Computer Incident Response Team (CIRT) is the team that handles computer security breaches. Its members are drawn from several departments and specialties, and they must manage such incidents quickly even though most firms have procedures in place to prevent security problems.

By this definition, a CIRT is an organized entity with a defined mission, structure, and set of duties and responsibilities. Any ad hoc or informal incident response activity that lacks a defined constituency or stated roles and duties is excluded.

The "FIRST CIRT Framework" was issued by the Forum of Incident Response and Security Teams (FIRST), an international organization of incident response teams. This comprehensive publication expands on the guidelines provided by the Computer Emergency Response Team Coordination Center (CERT/CC) in the late 1980s. The framework also describes the kinds of services that CIRTs might provide to their constituents, such as information security event management and incident response.

Composition of CIRT

A CIRT focuses on the incident to ensure that the harm does not spread and that the organization survives it. The following people are usually members of the CIRT −

  • A member of the management team with the power to lead and make decisions.

  • A member of the INFOSEC team with the knowledge and experience needed to contain the event, discover the cause and design a computer system recovery strategy.

  • IT personnel who are aware of which portions of the information system and network are affected, as well as if particular areas should be restricted.

  • An IT auditor to verify that all procedures are properly handled and that any obsolete procedures are recognized. IT auditors are most beneficial after an incident has happened, as they are entrusted with determining why it occurred and devising future prevention tactics.

  • A member of staff in charge of physical security to aid in identifying the scope of physical harm.

  • An attorney to provide legal advice.

  • A human resources representative to provide guidance on dealing with personnel difficulties and post-incident procedures.

  • A public relations professional to communicate company information accurately after an event.

  • A financial auditor to assess the damage that has occurred, for insurance purposes.

Process Followed by CIRT

The CIRT procedure begins when a system administrator reports a suspected security event.

  • Isolating the compromised system from the network − Unless network connections can be used to assess the scope and type of the event, the computer is isolated.

  • Evidence preservation − No interaction with the equipment will occur until the incident response team is in place to minimize evidence destruction and optimize the chances of identifying the intruder.

  • Putting together an incident response team − If the problem requires more attention, the CIRT contact and the reporting system administrator form an incident handling team. The team, under the direction of the CIRT contact, will −

    • Investigate the scope and nature of the occurrence and assess whether it is a security issue, possibly through disk imaging and analysis. If it is, the team notifies law enforcement, the UC San Diego University Counsel, and relevant campus leaders.

    • Collaborate with the system administrator and law enforcement to gather appropriate evidence and assess the incident's effect.

    • Meet with CIRT and law enforcement to prepare a formal report for senior management. The report describes the nature and scope of the incident, as well as the steps that must be taken and those that are advised to prevent similar events.

Cleaning and repairing the system begins after the official report is submitted and entails the following steps −

  • Notifying the affected department or equipment owner − This is done in accordance with the ECP unless law enforcement advises that it will obstruct the investigation. The IT policy coordinator advises on the ECP notification procedure and requirements.

  • Taking stock of how the matter was handled − The CIRT and incident handling team review the response and notification procedure after the mandatory notification.
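The ordering rules in the procedure above (isolate, preserve, form the team, investigate, report, then notify unless law enforcement objects) can be encoded so that a tracking tool refuses out-of-order actions. This is an added example, not code from the page or from any CIRT; the `Incident` class, the phase names and the `law_enforcement_hold` flag are constructed for illustration.

```python
from dataclasses import dataclass, field

# Phases in the order the CIRT procedure above runs them (constructed model).
PHASES = ("reported", "isolated", "preserved", "team_formed",
          "investigated", "report_filed", "owner_notified")

@dataclass
class Incident:
    ident: str
    phase: str = "reported"
    law_enforcement_hold: bool = False  # LE asked to defer owner notification
    log: list = field(default_factory=list)

    def _advance(self, nxt: str, note: str) -> None:
        # A phase may only follow the one immediately before it.
        if PHASES.index(nxt) != PHASES.index(self.phase) + 1:
            raise RuntimeError(f"{self.ident}: cannot enter {nxt} from {self.phase}")
        self.phase = nxt
        self.log.append((nxt, note))

    def isolate(self, keep_network: bool = False) -> None:
        # Stays networked only when needed to assess scope and type of the event.
        self._advance("isolated", "network kept for assessment" if keep_network
                      else "disconnected from network")

    def preserve(self) -> None:
        self._advance("preserved", "hands off until handling team is in place")

    def touch_equipment(self, who: str) -> str:
        # Evidence preservation rule: no interaction before the team exists.
        if PHASES.index(self.phase) < PHASES.index("team_formed"):
            raise PermissionError(f"{who} may not touch {self.ident} yet")
        return f"{who} accessed {self.ident}"

    def form_team(self, lead: str) -> None:
        self._advance("team_formed", f"handling team led by CIRT contact {lead}")

    def investigate(self, is_security_issue: bool) -> None:
        note = "security issue: notify law enforcement, counsel and leadership"
        self._advance("investigated", note if is_security_issue else "not a security issue")

    def file_report(self) -> None:
        self._advance("report_filed", "formal report delivered to senior management")

    def notify_owner(self) -> None:
        # Follows the ECP unless law enforcement says it would obstruct the case.
        if self.law_enforcement_hold:
            raise RuntimeError("owner notification deferred at law enforcement request")
        self._advance("owner_notified", "affected department/owner notified per ECP")
```

The `log` list doubles as a minimal timeline of who did what and when each phase was entered, which is the material the post-incident review step draws on.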

Framework of CIRT

The interactions between four fundamental aspects provide the basis for CIRT services −

  • Service Areas

  • Services

  • Functions

  • Sub-Functions

These components are defined as follows −

Service Areas

Services linked to a common theme are grouped together in service areas. They organize services under a top-level category to aid comprehension and communication. The specification for each service area includes a "Description" element, consisting of a generic, high-level narrative text defining the service area and a list of the services inside it.

Services

A service is a collection of recognized, well-coordinated functions aimed at achieving a certain goal. Such results may be expected or required by constituents, on their behalf, or by the stakeholders of the organization. The following template describes a service −

  • A "Description" field that describes the service's nature.

  • A "Purpose" field that describes the service's goal.

  • An "Outcome" field that describes any measurable service results.

Functions and Sub-Functions

A function is an activity or combination of activities that aims to achieve a certain service's goal. Any function may be shared and used across several services. The following template describes a function −

  • A "Description" field that describes the function.

  • A "Purpose" field that describes the function's goal.

  • An "Outcome" field that describes any quantifiable function outcomes.