IT departments should have a process in place for managing a computer incident. An incident can include any activity outside normal operations. Often incidents can escalate and require decisive action. In such cases, a Computer Incident Response Team (CIRT) would be appropriate. The CIRT is responsible for five major actions:
- Monitor – Every network must be monitored for a number of events such as failure events, unusual network traffic, excessive login attempts, etc.
- Alert and Mobilize – This may involve shutting down servers, firewalls, or other services if an unusual or suspicious event has occurred. In this case a CIRT member should alert appropriate team members and mobilize for action.
- Assess and Stabilize – Once the immediate threat has been stopped, the CIRT team will assess the situation and attempt to stabilize it.
- Resolve – A resolution may involve restoring using backups, updating operating systems, or changing settings on servers. This can be done after determining the nature and extent of an incident.
- Review – As with many events once the incident has been resolved it is necessary to go over the case and determine how it occurred, how to avoid similar problems in the future, and how to better understand the recovery process.
The CIRT most likely has day-to-day responsibilities as part of standard IT operations. It is very important that the Computer Incident Response Team’s responsibilities are integrated into a company’s Business Continuity and Disaster Recovery plan.