2 Incident Management Concepts and Processes

2.1 Incident Management Requirements
In our CSIRT-related publications and courses,12 we describe the need for organizations to have a multilayered approach to secure and protect their critical assets and infrastructures. This multilayered strategy requires that not only technical but also organizational approaches be in place to manage computer security incidents as part of the goal of achieving an enterprise’s business objectives in the face of risks and attacks. Organizations today want to not just survive attacks but to be resilient to whatever malicious activity may occur.13
Through our research in the area of incident management, we continue to evolve our understanding of its processes. In the early history of incident management, when most capabilities were established CSIRTs, the processes and functions performed by team members were primarily reactive in nature; actions were taken to resolve or mitigate an incident when it occurred.14 As teams increased their capability and scope, they began to expand their activities to include more proactive efforts. These efforts included looking for ways to

• prevent incidents and attacks from happening in the first place by securing and hardening their infrastructure
• train and educate staff and users on security issues and response strategies
• actively monitor and test their infrastructure for weaknesses and vulnerabilities
• share data where and when appropriate with other teams
As organizations become more complex and incident management capabilities such as CSIRTs become more integrated into organizational business functions, it is clear that incident management is not just the application of technology to resolve computer security events. It is also the development of a plan of action, a set of processes that are consistent, repeatable, of high quality, measurable, and understood within the constituency. To be successful, this plan should
12 These publications and courses are documented at http://www.cert.org/csirts/.
13 Resiliency in this context means “the ability of the organization to withstand systemic discontinuities and adapt to new risk environments” [Starr 03].
14 For historical background on the development of CSIRTs, see the State of the Practice of CSIRTs, Section 2.3, “History and Development of CSIRT Capabilities.” This report is available at http://www.cert.org/archive/pdf/03tr001.pdf.
CMU/SEI-2004-TR-015 15