and service offerings. It can also be used to help gather management buy-in and support and,
after support has been obtained, to strategically plan and develop a capability.
Use the Handbook for CSIRTs for specific in-depth guidance for issues relating to the establishment
and operation of a CSIRT. Use Organizational Models for CSIRTs to understand the
specific issues to be addressed when determining the model for your CSIRT. Use the State of
the Practice of CSIRTs report for the historical background on the development of CSIRTs,
for examples of what other teams are doing, and as a reference to existing articles, publications,
books, laws, and training related to CSIRTs and incident management. Use the Defining
Incident Management Processes for CSIRTs report to provide an overview of the processes
and functions and supporting people, technology, and procedures that are involved in
incident management.
Other SEI publications that this report may be used in conjunction with include some Security
Improvement Modules available from the CERT/CC web site,[11] including
• Responding to Intrusions<br />
http://www.cert.org/security-improvement/modules/m06.html<br />
• Detecting Signs of Intrusion<br />
http://www.cert.org/security-improvement/modules/m09.html<br />
• Outsourcing Managed Security Services<br />
http://www.cert.org/security-improvement/modules/omss/index.html<br />
1.9 Structure of the Report<br />
The remainder of this report will detail our progress to date in developing incident management<br />
process maps for CSIRTs.<br />
Section 2, “Incident Management Concepts and Processes,” will expand on the ideas and<br />
concepts of the five top-level incident management processes. This discussion will include a<br />
rationale for including the processes we did, a discussion of incident management as it relates<br />
to the domain of security management, and an example of how we see this work being used<br />
in an organization.<br />
Section 3, “Overview of Process Mapping,” will provide an explanation of what process<br />
mapping is and how it can be applied to incident management. This section also contains a<br />
description of the data elements or components of the process workflows and descriptions,<br />
along with a legend for reading and understanding the process workflow diagram symbols<br />
and drawings.<br />
Section 4, “Incident Management Process Workflows and Descriptions,” contains the main<br />
content of this report. This section includes the process workflow diagrams and supporting<br />
descriptions in the form of process data and handoff templates. Preceding each workflow will<br />
[11] Available at http://www.cert.org/security-improvement/#modules.
CMU/SEI-2004-TR-015