Diff of the Overview section (previous revision vs. this revision):

== Overview ==

− This publication provides guidelines for [[incident handling]], particularly for analyzing [[incident]]-related [[data]] and determining the appropriate response to each [[incident]]. The guidelines can be followed independently of particular [[hardware platform]]s, [[operating system]]s, [[protocol]]s, or [[application]]s.

− This document assists organizations in establishing [[computer security]] [[incident response]] capabilities and handling [[incident]]s efficiently and effectively.

+ This publication provides guidance on how to establish and operate an [[incident response]] capability. The guide provides [[information]] on developing procedures for performing [[incident handling]] and reporting, for structuring a team, staffing, and training. The guide defines an [[incident response]] [[life cycle]] encompassing four phases: preparation, [[detection]] and [[analysis]], containment, [[eradication]], and recovery, and post-incident activity.

+ Although the [[NIST]] [[incident handling]] guide focuses primarily on how to handle [[incident]]s within a single organization, it also provides high-level guidance on how a [[CSIRT]] may [[interact]] with outside parties, such as coordinating centers, [[Internet Service Provider]]s, owners of attacking [[system]]s, victims, other [[CSIRT]]s, and [[vendor]]s.

+ This guidance focuses primarily on understanding team-to-team relationships, [[data sharing|sharing]] [[agreement]]s, and the role that [[automation]] techniques may play in the coordination of [[incident response]].

[[Category:Publication]]
[[Category:Security]]
Revision as of 22:06, 23 July 2013
NIST, Computer Security Incident Handling Guide (NIST Special Publication 800-61) (Rev. 1) (Mar. 2008) (full-text); (Rev. 2) (Jan. 2012) (full-text).
Overview
This publication provides guidance on how to establish and operate an incident response capability. The guide provides information on developing procedures for performing incident handling and reporting, for structuring a team, staffing, and training. The guide defines an incident response life cycle encompassing four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Although the NIST incident handling guide focuses primarily on how to handle incidents within a single organization, it also provides high-level guidance on how a CSIRT may interact with outside parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
This guidance focuses primarily on understanding team-to-team relationships, sharing agreements, and the role that automation techniques may play in the coordination of incident response.