302 C.2 Security Management Areas of Responsibility
manager must consider when establishing an Incident Response Group.
What are the goals the group needs to accomplish? What should this team
be relied upon to do in a consistent and professional manner? Who are
they providing this service to (i.e., what is the incident handling group’s
constituency)? It is important to understand the constituency, because
what is provided for one audience may be inadequate for another. For
example, if your constituency is a distributed data center operation, their
incident response needs will be quite different from those of a retail Web
site selling T-shirts and such.
Once the constituency is known, the next step is to begin determining
what the structure of the incident response group will look like. Should it
be a centralized organization or a decentralized, distributed organization?
This decision greatly affects the staffing and funding requirements. Once
you have determined the structure best suited to the needs of a constituency,
your organization’s management team must support the decision and
agree to the funding requirements.
As you begin to set up the operation, establish a centralized mechanism for
the constituency to report incidents or potential incidents. A team must be
assembled to respond to those incidents, and the team should operate from
a high-level “guidebook” or charter. Creating a charter for the team will get
everyone on the team working towards achieving the same goals. How they
go about achieving those goals is defined by process and procedures, usually
put in place by creating an Incident Response Group Operations Handbook.
This handbook is considered the starting point for handling all inci-
dents, and the team members must be instructed to update it, making it a
living document as environmental conditions change. Finally, when an
incident is reported, investigated, and resolved, there should be a management
reporting function in place to let management understand what happened
and the impact the event had on the organization.
C.2.4 Alerts and Advisories
Alerts and advisories that detail newly discovered vulnerabilities and other
security information are released almost daily. This information may
require immediate action on the part of the system administrators, the inci-
dent response group, or the users. Advisories come from a variety of
sources, such as vendors and product manufacturers. There are also places
like the CERT® Coordination Center (CERT®/CC) and the Federal
Computer Incident Response Capability (FEDCIRC), now both a part of
the new National Strategy to Protect Infrastructure. To help develop ways of
better protecting our critical infrastructures, and to help minimize vulnera-