Context for the SA NREN Computer Security Incident Response Team

The South African (SA) National Research and Education Network (NREN) identified the requirement for a Computer Security Incident Response Team (CSIRT). This paper sets the context for the CSIRT by exploring the business requirements and associated decisions in five areas: the environment, constituency, authority, funding and legal considerations. The SA NREN CSIRT was categorised as an academic sector CSIRT serving the research and education community of South Africa with limited authority. The NREN is comprised of two organisations and the corresponding embedded, but distributed, organisational model makes this CSIRT case particularly interesting. Various cost recovery options and relevant South African laws and regulations were also identified. The resulting "strategic" framework sets the scene for the remainder of the establishment process. This paper is useful to anyone desiring to establish a CSIRT, or equivalent capability, who can follow a similar process to discover where to begin.