Best Practices for Implementing a CIRT Plan for an Organization

Several best practices apply when implementing a CIRT plan for an organization. Some of them are listed here:

  • Defining a computer security incident—Incidents are interpreted differently by different organizations. When incidents are defined in the CIRT plan, all parties are clear as to which events are incidents.
  • Including policies in the CIRT plan to guide CIRT members—These policies can address CIRT members attacking back at attackers, the use of chain of custody or other means of protecting evidence, and communications and safety. Which policies to include depends on what is important to the organization.
  • Providing training—CIRT members and end users must be trained. The CIRT members should understand their responsibilities and know the best way to respond to different types of incidents, and all personnel should understand the threats as well as basic steps they can take to mitigate them.
  • Including checklists—The checklists can be formal step-by-step instructions that must be performed in a specific order or informal bullet statements designed to help ensure the CIRT members don’t overlook key data. Generic checklists or checklists targeted toward specific types of incidents can be included.
  • Subscribing to security notifications—Many security bulletins that describe different types of threats, including new emerging threats, are available through email subscriptions. US-CERT regularly sends out emails and alerts. Go to http://www.us-cert.gov/mailing-lists-and-feeds/ to sign up to receive these emails.