Computer Incident Response Team (CIRT)

A 2001 SANS Institute whitepaper by author Michelle Borodkin, titled “Computer Incident Response Team“, explains CIRTs and how they can be formed.

What is a Computer Incident Response Team – CIRT?

A CIRT is a “carefully selected and well-trained” group of people whose purpose is to “promptly and correctly” handle an incident so that it can be quickly “contained, investigated, and recovered from.”

Who typically belong on a CIRT?

CIRT members are from within the organization. They must be people that can drop what they’re doing (or redelegate their duties), have the authority to make decisions, and take actions.
Members are usually from the following teams-

  • Management,
  • Information Security,
  • IT infrastructure (Server & Network teams),
  • Physical Security,
  • Internal Audit,
  • Legal,
  • Human Resources, and
  • Public Relations

How does an organization form an effective CIRT?

1. The initiative typically originates from the I.T. Security team

2. Get C-suite executive buy-in

3. Identify team members

4. Discuss and document the answers to questions like-

  • What constitutes a “security incident”?
  • At what point should be the team be called together?
  • What is the process to call the team together? Is there a CIRT team leader who contacts the other members at points in time, depending on the incident?
  • What is the function of each member?
  • Who will document the incident and how it was handled?
  • Do members need training?

5. Document work and non-work contact numbers for all members

6. Train members if necessary

7. Revisit policies and make updates if necessary

8. Do mock incident response exercises

9. Document all incidents and how they were handled

10. Regroup after an incident is handled and review.


Borodkin, M. (2001). Computer Incident Response Team. Retrieved from