Preface

Since its inception, the CERT® Coordination Center (CERT/CC) has had a strong commitment to transition lessons learned about computer security incident handling to the broader Internet community. The ultimate goal of this transition work is the development of a community equipped to recognize, prevent, and effectively respond to computer security risks and threats against their organizations.

To accomplish this transition work, our basic strategy is to develop a body of knowledge that will codify best practices for creating, managing, and sustaining incident management capabilities, based on the 15+ years of experience of the CERT/CC and other national and international teams. We then make this body of knowledge and resulting products available through publications, training courses, collaboration, and direct assistance to organizations interested in building or improving incident management capabilities.

Incident management capabilities [1] can take many forms—they can be an ad hoc group that is pulled together in a crisis, they can be a defined set of procedures that are followed when an incident occurs, or they can be a designated group of people assigned explicit responsibility for handling computer security incidents, generically called a computer security incident response team, or CSIRT. [2]

In our work, we are often asked for a “roadmap” or set of processes and templates that can be used by an organization to guide the development of their incident management capability. Correspondingly, we are asked how best to evaluate and measure the success and quality of an existing incident management capability. With these questions in mind and with an objective to continue our work in not only codifying best practices for incident management but also in building an overarching framework for our developing body of knowledge, we began a project to outline a methodology for planning, implementing, improving, and evaluating an incident management capability.

This methodology will identify key components for building consistent, reliable, and repeatable incident management processes. It will include a set of requirements or criteria against which an organization can benchmark its current incident management processes. The results
® CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

[1] The definition of incident management services and capabilities will be explored in the rest of this document.

[2] The term “CSIRT” is a generic, common name for an organization that provides services to a defined constituency to prevent and handle computer security incidents. Other synonymous names are discussed in Section 2.4, “What’s in a Name?” of the handbook Organizational Models for CSIRTs [Killcrece 03a].
CMU/SEI-2004-TR-015