A Computer Security Incident Response Team (CSIRT) is “an organization or team that provides services and support to a defined constituency for preventing, handling, and responding to computer security incidents’’. These incidents can include hacking, denial of service, intellectual property theft, data breaches, compromised systems, malware, etc. A CSIRT attempts to isolate, mitigate the effects of, disable and assist with recovery from these incidents. Additionally, a CSIRT can provide a number of proactive services to prevent these incidents from occurring in the first place. A CSIRT provides planned and prepared, rather than ad-hoc, handling and prevention of IT security incidents.
An SA NREN CSIRT will facilitate a coordinated response to incidents affecting the community (that is all SANReN beneficiaries and TENET customers). It can provide a central source of skills and expertise accessible by the entire community, for the community, in a cost-efficient manner. Furthermore, a coordinating CSIRT has insight that individual institutions may not have regarding the bigger picture and scope of an incident. This facilitates effective response for the whole community. Common incident prevention tasks (e.g. advisory dissemination) can also be coordinated to optimise resources. Besides acting as a centralised reporting point for the constituency, the CSIRT can also act as an intermediary to national and/or international partners as required.
The aim of this workshop is to discuss the desire for and a model of a CSIRT for the constituency of the South African NREN with the following sub-objectives:
- Determine the community’s support for such a team
- Workshop the following (as interrelated concerns):
- Services that the CSIRT must/should/can provide
- An appropriate structure for the CSIRT
- Funding model
- The formation of an establishment team (steering committee) with supporting working groups to implement the CSIRT focussing on areas such as:
- Policies and processes
- Tools and technologies
- Legal aspects (e.g. POPI compliance)
Venue: Kopanong Hotel and Conference Centre
Date: 26 and 27 May 2015
Start Time: Day 1 – 09h30 for 10h00; Day 2 – 09h00
 Alberts, C., Dorofee, A., Killcrece, G., Ruefle, R., & Zajicek, M. (2004). Defining incident management processes for CSIRTs: A work in progress (Tech. Rep.). Carnegie Mellon University. (www.sei.cmu.edu/reports/04tr015.pdf)