- Page 1: Defining Incident Management Proces
- Page 4 and 5: This report was prepared for the SE
- Page 6 and 7: 3.4 Guide to Reading the Incident M
- Page 8 and 9: iv CMU/SEI-2004-TR-015
- Page 12 and 13: viii CMU/SEI-2004-TR-015
- Page 14 and 15: of such benchmarking can help an or
- Page 16 and 17: xii CMU/SEI-2004-TR-015
- Page 18 and 19: • Pamela Curtis - for guiding us
- Page 20 and 21: xvi CMU/SEI-2004-TR-015
- Page 22 and 23: division level handle security even
- Page 24 and 25: Figure 1: CSIRT Services Figure 2 i
- Page 26 and 27: • the firewall manager, who puts
- Page 28 and 29: 1.4 A Process Model for Incident Ma
- Page 30 and 31: This report documents and defines t
- Page 32 and 33: This report can also be a useful re
- Page 34 and 35: e a brief description of the proces
- Page 36 and 37: • integrate into the existing pro
- Page 38 and 39: − reassign events to areas outsid
- Page 40 and 41: Table 1 Review of Incident Manageme
- Page 42 and 43: processes called Respond. These are
- Page 44 and 45: quality information technology (IT)
- Page 46 and 47: keep production systems running and
- Page 48 and 49: Most of the workflow diagrams have
- Page 50 and 51: • single points of failure You ca
- Page 52 and 53: Table 2: Detect Events Workflow Exa
- Page 54 and 55: 2.6 Getting Started Although this r
- Page 56 and 57: 36 CMU/SEI-2004-TR-015
- Page 58 and 59: • make other improvements The ste
- Page 60 and 61: mation. Understanding interrelation
- Page 62 and 63: 3.4 Guide to Reading the Incident M
- Page 64 and 65: Symbol Meaning Example Line initiat
- Page 66 and 67: If event is reassigned outside of i
- Page 68 and 69: Table 5: Information Category Missi
- Page 70 and 71: The rest of this section presents a
- Page 72 and 73: CSIRT process needs From any activi
- Page 74 and 75: 4.2.1 PC: Prepare/Sustain/Improve P
- Page 76 and 77: 4.2.1.1 PC: Prepare/Sustain/Improve
- Page 78 and 79: 4.2.1.2 PC: Prepare/Sustain/Improve
- Page 80 and 81: Subprocess Subprocess Requirements
- Page 82 and 83: Subprocess Subprocess Requirements
- Page 84 and 85: Subprocess Subprocess Requirements
- Page 86 and 87: Subprocess Subprocess Requirements
- Page 88 and 89: 4.2.1.3 Handoff from Any Activity I
- Page 90 and 91: Table 7: Handoff from Any Activity
- Page 92 and 93: 4.2.1.4 Handoff from PC: Prepare/Su
- Page 94 and 95: Table 8: Handoff from PC: Prepare/S
- Page 96 and 97: 4.2.2 PI: Protect Infrastructure Pr
- Page 98 and 99: • Securing Networks Systematicall
- Page 100 and 101: 4.2.2.1 PI: Protect Infrastructure
- Page 102 and 103: 4.2.2.2 PI: Protect Infrastructure
- Page 104 and 105: Subprocess Subprocess Requirements
- Page 106 and 107: 4.2.2.3 Handoff from Any Activity I
- Page 108 and 109: Table 10: Handoff from Any Activity
- Page 110 and 111: 4.2.2.4 Handoff from PI: Protect In
- Page 112 and 113: Table 11: Handoff from PI: Protect
- Page 114 and 115: 4.2.3 D: Detect Events Process The
- Page 116 and 117: • CSIRT Services http://www.cert.
- Page 118 and 119: 4.2.3.4 D: Detect Events Workflow D
- Page 120 and 121: 4.2.3.5 D: Detect Events Workflow D
- Page 122 and 123: Subprocess Subprocess Requirements
- Page 124 and 125: 4.2.3.6 Handoff from Any Activity I
- Page 126 and 127: Table 13: Handoff from Any Activity
- Page 128 and 129: 4.2.3.7 Handoff from D: Detect Even
- Page 130 and 131: Table 14: Handoff from D: Detect Ev
- Page 132 and 133: 4.2.4 T: Triage Events (Triage) Pro
- Page 134 and 135: what format it should be passed. Th
- Page 136 and 137: 4.2.4.1 T: Triage Events Workflow D
- Page 138 and 139: 4.2.4.2 T: Triage Events Workflow D
- Page 140 and 141: Subprocess Subprocess Requirements
- Page 142 and 143: 4.2.4.3 Handoff from T: Triage Even
- Page 144 and 145: Table 16: Handoff from T: Triage Ev
- Page 146 and 147: Technology-to-Person Handoff Handof
- Page 148 and 149: 4.2.5 R: Respond Process The Respon
- Page 150 and 151: cedures, and plans associated with
- Page 152 and 153: 4.2.5.5 R: Respond Workflow Diagram
- Page 154 and 155: 4.2.5.6 R: Respond Workflow Descrip
- Page 156 and 157: Subprocess Subprocess Requirements
- Page 158 and 159: Subprocess Subprocess Requirements
- Page 160 and 161: 4.2.5.7 Handoff from R: Respond to
- Page 162 and 163: Table 18: Handoff from R: Respond t
- Page 164 and 165: 4.2.5.8 R1: Respond to Technical Is
- Page 166 and 167: Technical information Technical res
- Page 168 and 169: 4.2.5.9 R2: Respond to Management I
- Page 170 and 171: Management information Management r
- Page 172 and 173: 4.2.5.10 R3: Respond to Legal Issue
- Page 174 and 175: External communication with others
- Page 176 and 177: 156 CMU/SEI-2004-TR-015
- Page 178 and 179: • develop more user-friendly guid
- Page 180 and 181: 160 CMU/SEI-2004-TR-015
- Page 182 and 183: [Jackson 97] [Johnson 92] [Killcrec
- Page 184 and 185: [Vermont 01] [West-Brown 03] State
- Page 186 and 187: Context for PC: Prepare/Sustain/Imp
- Page 188 and 189: Context for PC: Prepare/Sustain/Imp
- Page 190 and 191: Context for PC: Prepare/Sustain/Imp
- Page 192 and 193: Subprocess D1. Notice Events (react
- Page 194 and 195: Context for T: Triage Applicable Ta
- Page 196 and 197: T3. Assign Events • Can assign ne
- Page 198 and 199: Context for R: Respond Outputs - De
- Page 200 and 201: Context for R: Respond Coordinate T
- Page 202 and 203: A-18 CMU/SEI-2004-TR-015
- Page 204 and 205: GAISP HTML IDMEF IDS IODEF ISAC ISP
- Page 206 and 207: B-4 CMU/SEI-2004-TR-015
- Page 208 and 209: est practice business drivers busin
- Page 210 and 211: decision support system establish e
- Page 212 and 213: organizational CSIRT development pr
- Page 214 and 215: vulnerability vulnerability assessm
- Page 216 and 217: Incident Management Workflow Diagra
- Page 218 and 219: PI Protect Infrastructure Workflow
- Page 220 and 221: T: Triage Events Workflow Diagram F
- Page 222 and 223: R1: Respond to Technical Issues Wor
- Page 224 and 225: R3: Respond to Legal Issues Workflo
- Page 226 and 227: PC: Prepare/Sustain/Improve Mission
- Page 228 and 229: Subprocess Subprocess Requirements
- Page 230 and 231: Subprocess Subprocess Requirements
- Page 232 and 233: Handoff from PC: Prepare/Sustain/Im
- Page 234 and 235: Subprocess Subprocess Requirements
- Page 236 and 237: Handoff from PI: Protect Infrastruc
- Page 238 and 239: Subprocess Subprocess Requirements
- Page 240 and 241: Handoff from D: Detect Events to T:
- Page 242 and 243: Subprocess Subprocess Requirements
- Page 244 and 245: Technology-to-Person Handoff Handof
- Page 246 and 247: Subprocess Subprocess Requirements
- Page 248 and 249: Handoff from R: Respond to PC: Prep