This document provides an overview of managing the infrastructure components of a Computer Security Incident Response Team (CSIRT). It discusses the key components of a CSIRT infrastructure, which include the physical location and security of staff and data, office and home equipment, networks and defenses, tools and applications used for incident handling, and data repositories. It outlines that securing this infrastructure involves protecting data security, physical security, equipment, networks and systems, and CSIRT tools. In particular, data security is important because CSIRTs receive sensitive intellectual property and log files from their constituencies.

1. Managing the CSIRT Infrastructure Components
Table of Contents
Notices ............................................................................................................................................ 2
Managing the CSIRT Infrastructure................................................................................................. 2
Purpose ........................................................................................................................................... 3
Infrastructure Components ............................................................................................................ 4
Outline ............................................................................................................................................ 5
Page 1 of 5

2. Notices
41
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Managing the CSIRT Infrastructure
1
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
[DISTRIBUTION STATEMENT A] Approved for public release
and unlimited distribution.
Managing the CSIRT
Infrastructure
Managing Computer Security
Incident Response Teams
(CSIRTs)
**001 Hello, This module is Managing
the CSIRT Infrastructure.
Page 2 of 5

3. Purpose
2
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Purpose
To provide an overview of the components of a CSIRT infrastructure
To discuss various issues in managing this infrastructure
To outline how and why to protect CSIRT data and information
**002 The purpose of this module is
to provide an overview of the
components that make up the CSIRT
infrastructure, not only computer
security but laboratory space, office
space, what have you, to discuss the
various issues related to managing
this infrastructure and to outline how
and why to protect the CSIRT data
and information that you have within
your organization.
Page 3 of 5

4. Infrastructure Components
3
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Infrastructure Components
The CSIRT infrastructure includes
• physical location and security of CSIRT staff and data
• staff office and home equipment
• CSIRT networks, systems, and internal/external defenses such as routers, firewalls,
and IDS
• CSIRT tools and applications to support incident handling and other provided services
- databases, data repositories, and data analysis tools for storing CSIRT and incident
information
- mechanisms or applications for secure email and voice communications
- test labs or test environments for analyzing malicious code and vulnerabilities
• organizational data classification schemas
**003 So the infrastructure consists
of all of these things: the physical
location and security of the staff and
the data; this includes office staff and
especially these days home
equipment, where people work
remotely not only from home but
they may relocate temporarily for
other reasons; you need to take into
account all of those places. The
CSIRT network; systems; internal
and external defenses, meaning
routers, firewalls, intrusion detection
systems, intrusion prevention
systems; and then also all of the
tools and applications and the
databases that those tools are used
to create. Whatever data
repositories, data analysis tools,
incident information; the mechanisms
for secure email like PGP keys, voice
communications, secure voice, secure
fax, what have you; and then also
test labs where you may have
Page 4 of 5

5. malicious code or you're exploring
vulnerabilities. All of these need to
be secured, taking into account your
data classification schemes.
Outline
4
Managing CSIRTs
© 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Outline
Data security
Physical security
Equipment
Networks and systems
CSIRT tools
**004 When we talk about securing
the infrastructure for a CSIRT, we're
really talking about these five things.
We're talking about securing data
that the CSIRT gets its hands on,
physical security of office space,
etcetera, the equipment, networks
and systems, and finally CSIRT tools.
Now, as has been said before, data
security is particularly important
because CSIRTs get intellectual
property from their constituency and
log files which can contain credentials
as well as other sensitive information.
So this makes a CSIRT a target for
intruders to gain access to information
of their constituencies that can then be
used to attack those constituencies.
Page 5 of 5