Defining Incident Management Processes (CMU/SEI-2004-TR-015)

Page index captured from the document viewer (each entry is the truncated first line of a page; only the recoverable section structure is kept here):

- Table of Contents; List of Figures; List of Tables
- Preface
- Acknowledgements
- Abstract
- 1 Introduction
- 2 Incident Management Concepts and ...
  - 2.5 Applying These Incident Management ...
- 3 Overview of Process Mapping
- 4 Incident Management Process Workflows
  - PC: Prepare/Sustain/Improve
  - PI: Protect Infrastructure
  - D: Detect Events
  - T: Triage Events
  - R: Respond (R1: Respond to Technical Issues; R2: Respond to Management Issues)
- 5 Future Work
- Bibliography
- Appendix A: Context for Each of the ... (PC, D, R)
- Appendix B: Acronyms
- Appendix C: Glossary
- Appendix D: One-Page Versions of the ... (PC, D, R, R2 workflow diagrams)
- Appendix E: One-Page Versions of the ... (PI, Detect Events, Triage Events, Respond workflow descriptions)
- Report Documentation Page