CyberSec Update #16: CERT Scope & Competencies
Incident Response Team – Scope and Competencies
In one of the previous posts in the CyberSec Update series, I discussed the establishment of a CERT (SOC) and its placement within the organizational structure. I also addressed how such a unit can be formally embedded in an organization. If you have not yet had the opportunity to read that material, I encourage you to review the post CyberSec Update #13 – Internal Incident Response Team.
This time, I would like to focus on the scope of activities assigned to the Incident Response Team in the area of cybersecurity services, as well as on a closely related issue, namely the scope of powers granted to such a team.
Scope of Activities of CERT (Incident Response Team)
The scope of activities of a CERT should be analyzed from a broad organizational perspective. As a first step, it is necessary to determine whether the Incident Response Team is intended to support only a single entity, or whether it is to provide services to all or selected companies within the same capital group.
The scope of CERT activities also includes technical aspects. In particular, this concerns an inventory of the information systems in use, their classification, and the identification of dependencies between individual environments. Such an analysis is essential both from the perspective of ongoing security oversight and in the context of effective incident handling.
Scope of CERT Powers Within the Organization
Once the scope of CERT activities has been defined, it is necessary to grant the Incident Response Team an appropriate range of powers. Contrary to common assumptions, CERT competencies do not have to be limited exclusively to crisis situations and actions taken in response to security incidents.
The powers of the Incident Response Team may also include activities carried out during so-called “peacetime,” such as issuing recommendations, guidelines, or practical advice in the field of cybersecurity. During incident handling, CERT may also have escalation competencies, including the authority to report incidents to an appropriate CSIRT, for example a sectoral CSIRT.
Formal Sources of the Incident Response Team’s Competencies
As a rule, the powers of the Incident Response Team derive from the organization’s internal documents. Most often, this will be the same act that formally establishes the CERT. In addition, the scope of competencies may result from operational documents, such as incident reporting and incident handling procedures.
From the perspective of powers and competencies, it is particularly important that members of the Incident Response Team clearly understand the “strength” of the authority vested in them. A key issue is whether CERT may only issue non-binding recommendations, or whether it has real supervisory powers that allow it to monitor compliance with issued instructions, guidelines, or orders.
In practice, it is also advisable to clearly define whether certain actions undertaken by the Incident Response Team require prior consultation with, or approval by, the management body. This may apply, for example, to the reporting of an incident to a national or sectoral CSIRT.