Expectations for Computer Security Incident Response
RFC 2350 Expectations for Computer Security Incident Response June 1998
3.3.3 Sponsoring Organization / Affiliation.................11
3.3.4 Authority.............................................11
3.4 Policies ...................................................11
3.4.1 Types of Incidents and Level of Support...............11
3.4.2 Co-operation, Interaction and Disclosure of Information...12
3.4.3 Communication and Authentication......................14
3.5 Services ...................................................15
3.5.1 Incident Response ....................................15
3.5.1.1 Incident Triage ..............................15
3.5.1.2 Incident Coordination ........................15
3.5.1.3 Incident Resolution...........................16
3.5.2 Proactive Activities .................................16
3.6 Incident Reporting Forms ...................................16
3.7 Disclaimers ................................................17
Appendix A: Glossary of Terms ....................................18
Appendix B: Related Material .....................................20
Appendix C: Known Computer Security Incident Response Teams ......21
Appendix D: Outline for CSIRT Template ...........................22
Appendix E: Example - 'filled-in' Template for a CSIRT ...........23
4 Acknowledgements ...............................................36
5 References .....................................................36
6 Security Considerations ........................................36
7 Authors' Addresses .............................................37
8 Full Copyright Statement .......................................38
1 Introduction

The GRIP Working Group was formed to create a document that describes
the community's expectations of computer security incident response
teams (CSIRTs). Although the need for such a document originated in
the general Internet community, the expectations expressed should
also closely match those of more restricted communities.

In the past there have been misunderstandings regarding what to
expect from CSIRTs. The goal of this document is to provide a
framework for presenting the important subjects (related to incident
response) that are of concern to the community.

Before continuing, it is important to clearly understand what is
meant by the term "Computer Security Incident Response Team." For
the purposes of this document, a CSIRT is a team that performs,
coordinates, and supports the response to security incidents that
involve sites within a defined constituency (see Appendix A for a
more complete definition). Any group calling itself a CSIRT for a
specific constituency must therefore react to reported security
incidents, and to threats to "their" constituency in ways which the
specific community agrees to be in its general interest.
Brownlee & Guttman Best Current Practice