Incident Management Mission Diagnostic Method, Version 1.0 - Cert
WHAT IS AN IMC?

An incident management capability (IMC) can take many forms. Usually, in government, education, and commercial organizations, parts of this function are performed across a number of business functions or departments that can include security or information technology (IT) operations, risk management, human resources, or legal investigative units. Some organizations have a core team, generally referred to as a computer security incident response team (CSIRT) [2], that focuses on specific parts of the incident management process, particularly the coordination of response activities. This CSIRT may be ad hoc, virtual, or a formally defined, dedicated group of personnel. Whatever its organizational model, the team works with other parts of the organization, contractors, or other outsourced service providers to perform successful incident management. The services provided by an IMC are provided to its customers, called the constituency [3].

For the purposes of this document, the term IMC will be used to represent all of the groups of people who perform incident management activities for an organization.

[2] CSIRT is a generic term for organizational entities whose main purpose is to detect, analyze, prevent, and respond to computer security incidents and vulnerabilities. Such entities may use names and acronyms such as computer emergency response team (CERT), computer incident response team (CIRT), security incident response team (SIRT), and other such names. What are typically considered CSIRT functions may also be performed as one activity within a broader enterprise security or risk management function such as a resiliency team or crisis-management team.

[3] The constituency is the group to which the CSIRT or incident management capability provides services. For example, the constituency for a CSIRT in a government organization would be the employees and possibly the clients of the agency.
CMU/SEI-2008-TR-007