
Computer Security Incident Response Team (CSIRT) Services Framework


A Computer Security Incident Response Team is an organizational unit (which may be virtual) or a capability that provides services and support to a defined constituency for preventing, detecting, handling, and responding to computer security incidents, in accordance with its mission.

A properly deployed CSIRT has a clear mandate, a governance model, a tailored services framework, technologies, and processes to provide, measure, and continuously improve defined services.

Various entities in the CSIRT community have developed their own service lists or frameworks over the years. As technology, tools, and processes changed, the community felt that there were topics and activities missing from the existing lists. FIRST, interested in enabling the global development and maturation of CSIRTs, recognized that this was a key piece in developing a common language for all CSIRTs and other entities who collaborate with CSIRTs. Given the geographical and functional span of the membership of FIRST, it was determined that the community that it constitutes would be an appropriate source for definitive capture and representation of the services provided by CSIRTs. Based on this understanding, a community-driven approach to developing an improved CSIRT services framework was launched, and an initial version was published in 2017.

Since then, a similar approach has been taken to develop a Product Security Incident Response Teams (PSIRT) Services Framework in recognition of many operational aspects that require a different set of services and corresponding activities. All Services Frameworks can be found on the FIRST website.

This is an improved version of the second version of the CSIRT Services Framework. Based on the feedback by several experts on the first version, this edition has been restructured and expanded where necessary. In particular, the internal activities have been removed as those do not constitute service offerings to constituents. Internal and external activities supporting the full life cycle of any service offering can be organized in services and functions just like services designated to be provided to constituents. Those services and functions are mostly known as Support Services. Some examples would be administrative activities like managing staff and hiring, travel reimbursements, or the organization of training events.

To our knowledge, there are many different ways to provide such Support Services, and most depend on the organization hosting the CSIRT or related service offerings. For example, hiring and managing staff is certainly required to support the CSIRT, but it is considered a typical organizational support task and not specific to CSIRTs.

Although internal services and functions provide the backbone that enables any team or organisational unit to fulfill its mission, such support services are considered out of scope and are not further detailed or discussed within FIRST Services Frameworks.

As CSIRTs will continue to face the ever-changing challenges to keep their constituents secure against new emerging threats, the services covered by this framework will be reviewed, vetted, and extended or amended as needed in future versions.

