search menu icon-carat-right cmu-wordmark

CERT Division Releases Assessment Guide for Incident Management

CERT Division Releases Assessment Guide for Incident Management

January 17, 2019—Computer security incident response teams (CSIRTs) and security operations centers (SOCs) that are interested in assessing their effectiveness currently do not have many options. A new tool released recently by the SEI's CERT Division changes that.

The Incident Management Capability Assessment provides an extensive workbook to evaluate incident management and other supporting functions to help CSIRTs and SOCs identify strengths and weaknesses and improve their effectiveness.

"The assessment is broader than incident management and looks at other functions that support or interface with incident management activities, such as vulnerability management and risk management," said Robin Ruefle, team lead, CSIRT Development and Training. "If you want to learn what your strengths and weaknesses are with respect to incident management, then this workbook can help you. You can also use the capabilities and associated indicators as guidance for building or improving your incident management function."

Successful management of incidents that threaten an organization’s computer security is a complex endeavor. Frequently, an organization’s primary focus is on response, which results in a failure to manage incidents beyond simply reacting to threatening events, yet incident management is more than just responding when a threatening event occurs.

The capabilities presented in this workbook provide a baseline or benchmark of incident management practices for an organization. This benchmark can be used by an organization to assess its current incident management capability, guide process improvement, and help assure system owners, data owners, and operators that their incident management services meet a high standard of quality within acceptable levels of risk.

Organizations can use this workbook to do a self-assessment (instructions are included) or they can have a third party use it as an assessment tool.

To download the Incident Management Capability Assessment visit