CyberSec Update #13: Incident Response Team
Setting up an in-house CERT/SOC (Incident Response Team) – where exactly should you start?
With this post, as part of the #CyberSec Update series, I would like to launch a mini-series on establishing a dedicated team within an organisation whose task is to respond to security incidents in the organisation's cyberspace.
Regardless of whether we classify such a team as a CSIRT, CERT, SOC or simply a Cybersecurity (Response) Team, we should know what functions we assign to such units and how they should be formed and embedded within the organisational structure.
One of the foundations for the proper positioning of the team within the organisation is granting it the appropriate mandate (authorisation, powers). For private entities, the source of such authority will be internal regulations or decisions by the governing body. Most often, the team’s operation stems from a decision (resolution) by the board of directors to establish such a unit.
Once a decision has been made in this regard, it is also necessary to define the tasks and responsibilities of such a team.
Therefore, if you decide to establish a Cybersecurity Team within your organisation, you should not forget to document its creation through a clear formal act by management (e.g. in the form of a resolution), to communicate this decision, and to ensure that the team members confirm they are aware of their responsibilities. The team must also be properly integrated with internal systems.
The amendment to the #UKSC in connection with the #NIS2 Directive introduces strict requirements regarding the reporting of serious incidents. Initial information in this regard should be provided within 24 hours.
In the vast majority of cases, these responsibilities should fall to the incident response team, including the preparation of periodic incident handling reports. An alternative to a team composed of the organisation's permanent staff (employees) may be an external SOC provided as a service by a specialist provider. If you decide to outsource such a service, ensure that the contractual terms properly secure the organisation's interests. Outsourcing the tasks does not relieve management of its duty to ensure that these obligations are properly fulfilled.