The IT Law Wiki

Revision as of 22:06, 23 July 2013

NIST, Computer Security Incident Handling Guide (NIST Special Publication 800-61) (Rev. 1) (Mar. 2008) (full-text); (Rev. 2) (Jan. 2012) (full-text).

Overview

This publication provides guidance on how to establish and operate an incident response capability. The guide provides information on developing procedures for performing incident handling and reporting, and on structuring, staffing, and training a team. The guide defines an incident response life cycle encompassing four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Although the NIST incident handling guide focuses primarily on how to handle incidents within a single organization, it also provides high-level guidance on how a CSIRT may interact with outside parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

This guidance focuses primarily on understanding team-to-team relationships, sharing agreements, and the role that automation techniques may play in the coordination of incident response.