vPLfv
vPLfv
vPLfv
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
objectives and business drivers has led management in many organizations to distribute that<br />
capability across the organization and, in many cases, outsource much of it to third parties.<br />
This observation has led us to look at incident management outside of its historical boundaries<br />
within the IT department and instead see incident management as a distributed capability.<br />
Just like a CSIRT, an incident management capability can take many forms. It can be a set of<br />
comprehensive policies and procedures for reporting, analyzing, and responding to computer<br />
security incidents. It can be an ad hoc or crisis team with defined roles and responsibilities<br />
that is called together when an incident occurs. It can also be an established or designated<br />
group that is given the responsibility for handling computer security events. So in essence, a<br />
CSIRT is one type of incident management capability.<br />
To summarize this discussion of the definition of CSIRTs and incident management:<br />
• Incident management activities and functions are broad based; they can involve not only<br />
incident analysis and response but also vulnerability analysis, artifact analysis, security<br />
awareness training, intrusion detection, public or technology monitoring, and other services<br />
as listed in the CSIRT Services list in Figure 1.<br />
• In a commercial, educational, military, or government organization where an internal<br />
CSIRT model would be appropriate, the incident management activities are often performed<br />
across multiple parts of the organization, including the CSIRT, as well as across<br />
multiple organizations such as contractors and service providers<br />
• A capability for providing incident management activities can take many forms; a CSIRT<br />
is one type of incident management capability.<br />
Often when working with a newly forming CSIRT or an organization wishing to develop an<br />
incident management capability, we discover that incident management activities are already<br />
occurring in other parts of the organization but are not identified as such. In our publications,<br />
we discuss how important it is to identify what types of incident management activities are<br />
already occurring and who is responsible for performing these activities as part of the planning<br />
and design process of building an incident management capability. This can help shape<br />
and structure the needed services. For example, if the organization is looking to create a<br />
CSIRT, then by looking at what is already in place, the interfaces required between the<br />
CSIRT and any other ongoing incident management activities can be defined. If certain functions<br />
are already being successfully handled, then perhaps the CSIRT can instead focus on<br />
those activities that are not being done. For example, if configuration management, vulnerability<br />
scanning, and security awareness training are already being done by an organization’s<br />
IT department, it may be appropriate to have that area continue to provide those services<br />
while a new CSIRT concentrates on other services such as incident analysis, technology<br />
watch, vulnerability coordination, or incident response support and coordination. 5 The main<br />
change to the existing functions is that there must be some type of formal mechanism or interface<br />
put into place and agreed to by both groups to provide coordination and information<br />
exchange between those IT (or other) functions and any new CSIRT functions.<br />
5<br />
For definitions of these services, see CSIRT Services at http://www.cert.org/csirts/services.html.<br />
CMU/SEI-2004-TR-015 7