RFC 2350 (rfc2350) - Page 2 of 38


Expectations for Computer Security Incident Response

RFC 2350  Expectations for Computer Security Incident Response June 1998


         3.3.3 Sponsoring Organization / Affiliation.................11
         3.3.4 Authority.............................................11
     3.4 Policies ...................................................11
         3.4.1 Types of Incidents and Level of Support...............11
         3.4.2 Co-operation, Interaction and Disclosure of
               Information...........................................12
         3.4.3 Communication and Authentication......................14
     3.5 Services ...................................................15
         3.5.1 Incident Response ....................................15
               3.5.1.1 Incident Triage ..............................15
               3.5.1.2 Incident Coordination ........................15
               3.5.1.3 Incident Resolution...........................16
         3.5.2 Proactive Activities .................................16
     3.6 Incident Reporting Forms ...................................16
     3.7 Disclaimers ................................................17
   Appendix A: Glossary of Terms ....................................18
   Appendix B: Related Material .....................................20
   Appendix C: Known Computer Security Incident Response Teams ......21
   Appendix D: Outline for CSIRT Template ...........................22
   Appendix E: Example - 'filled-in' Template for a CSIRT ...........23
   4 Acknowledgements ...............................................36
   5 References .....................................................36
   6 Security Considerations ........................................36
   7 Authors' Addresses .............................................37
   8 Full Copyright Statement .......................................38

1 Introduction

   The GRIP Working Group was formed to create a document that describes
   the community's expectations of computer security incident response
   teams (CSIRTs).  Although the need for such a document originated in
   the general Internet community, the expectations expressed should
   also closely match those of more restricted communities.

   In the past there have been misunderstandings regarding what to
   expect from CSIRTs.  The goal of this document is to provide a
   framework for presenting the important subjects (related to incident
   response) that are of concern to the community.

   Before continuing, it is important to clearly understand what is
   meant by the term "Computer Security Incident Response Team."  For
   the purposes of this document, a CSIRT is a team that performs,
   coordinates, and supports the response to security incidents that
   involve sites within a defined constituency (see Appendix A for a
   more complete definition).  Any group calling itself a CSIRT for a
   specific constituency must therefore react to reported security
   incidents, and to threats to "their" constituency in ways which the
   specific community agrees to be in its general interest.



Brownlee & Guttman       Best Current Practice