This one-day course highlights best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT).

The course will explore the relationship between CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise view and approach. It will present a process-based model for structuring incident management activities and also provide an introductory view of CSIRTs to anyone new in the field. Basic topics discuss the purpose and structure of CSIRTs and a high-level overview of the key issues and decisions that must be addressed in establishing and maintaining a CSIRT. Other topics include a discussion of CSIRT services as well as key policies, procedures, methods, tools, and infrastructure components that are needed to effectively operate a CSIRT.

Who should attend?

This tutorial is designed to provide managers and other interested staff with an overview of the issues involved in creating and operating a CSIRT. It will also provide an introductory view of CSIRTs to anyone new to the field who is interested in what a CSIRT is and the type of activities a CSIRT performs.

No previous incident-handling experience is required.


  • Review of the CERT Resiliency Engineering Framework
  • Review of Incident Management Process Framework
  • Relationship between Incident Management processes and CSIRTs
  • Creating an Effective CSIRT
  • Operational Management Issues


This course will help participants to

  • define the terms incident management and CSIRT
  • differentiate between incident management and incident response activities
  • describe activities conducted in the five processes that make up the CERT IncidentManagement Process Model: Prepare, Protect, Detect, Triage, and Respond
  • identify the type of work that CSIRT managers and staff may be expected to handle
  • explain the purpose and structure of CSIRTs
  • define the variety and level of services that can be provided by a CSIRT
  • identify policies and procedures that should be established and implemented for a CSIRT
  • apply process improvement techniques for operating and evaluating an effective CSIRT


Participants will receive a course notebook and a CD containing the course materials.


This one-day course meets at the following time:

9:00 a.m.-5:00 p.m.

Course Fees

NZ Industry: $820

Government / Not for profit: $770

International: $1225