In a partially outsourced staffing model, IR duties can be divided among the organization and outsourcers in many ways. Describe two commonplace arrangements for partial outsourcing.

What will be an ideal response?

---

Although IR duties can be divided among the organization and one or more outsourcers in many ways, a few arrangements have become commonplace:

The most prevalent arrangement is for the organization to outsource 24-hour-a-day, 7-day-a-week (24/7) monitoring of intrusion detection sensors, firewalls, and other security devices to an off-site managed security services provider (MSSP). The MSSP identifies and analyzes suspicious activity and reports each detected incident to the organization's CSIRT. Because the MSSP employees can monitor activity for multiple customers simultaneously, this model may provide a 24/7 monitoring and response capability at a skill and cost level that is preferable to a comparable internal team.

Some organizations perform basic IR work in-house and call on contractors to assist with handling incidents, particularly those that are more serious or widespread. The services most often performed by the contractors are computer forensics, advanced incident analysis, incident containment and eradication, and vulnerability mitigation.