Establishing a Computer Security Incident Response Capability (CSIRC)
Table of Contents
1. Introduction
1.1 Purpose
1.2 Audience
1.3 Basic Terms
1.4 Structure of this Document
2. CSIRC Overview
2.1 Traditional Agency Computer Security Efforts
2.2 The Changing Threat Environment
2.3 The Need for CSIR Capability
2.4 The CSIRC Concept
2.5 CSIRC Constituency and Technology Focus
2.6 Proactive vs. Reactive Nature of a CSIRC
2.7 CSIRC Relationship to Current Agency Security Efforts
2.8 Early Agency CSIRC Efforts
3. Issues in Establishing a CSIRC
3.1 Determining CSIR Goals
3.2 Defining the CSIRC Constituency
3.2.1 Constituency Communications Issues
3.2.2 Formal and Informal Constituency
3.3 Determining the Structure of the CSIRC Effort
3.3.1 Centralized, Distinct Organization
3.3.2 Decentralized, Distributed Organization
3.4 Management Support and Funding
3.4.1 Funding and Staffing Issues
3.4.2 Effecting Centralized Reporting of Incidents
3.5 Creating a Charter
3.5.1 Legal Issues in Determining a Charter
3.5.2 Components of a CSIRC Charter
3.6 Creating a CSIRC Operations Handbook
3.7 CSIRC Staffing Issues
3.7.1 CSIRC Coordinator
3.7.2 Technical Staff
3.7.3 Other Support Staff
3.7.4 Requirements for Clearances
3.7.5 Avoiding Burn-Out
4. CSIRC Operational Issues and Activities
4.1 Communications with the Constituency
4.1.1 Issuing a Press Release
4.1.2 Setting Up a Hotline Capability
4.1.3 Setting Up Alert Mechanisms
4.1.4 Use of an Information Repository
4.2 Logging Information
4.2.1 Contact Information
4.2.2 Activity Logs
4.2.3 Incident Logs
4.2.4 Information Maintenance
4.3 Incident Notification Issues
4.3.1 Identifying the Existence of an Incident and its Scope
4.3.2 Notifying Appropriate Agency Personnel
4.3.3 Notifying Affected Users
4.3.4 Requests for Confidentiality
4.4 Legal Issues
4.4.1 Working With Law-Enforcement and Investigative Agencies
4.4.2 Incurred Liabilities
4.4.3 Wording of Constituency Communications
4.4.4 Logging and Gathering Evidence
4.5 Working With the News Media
4.6 Post-Incident Analysis
4.7 Measuring the Effectiveness of a CSIRC
4.8 Additional Assistance
5. References
Appendix A. Annotated Bibliography
Appendix B. Forum of Incident Response & Security Teams (FIRST)