NIST releases a guide to handling security incidents

The January NIST ITL Bulletin from the National Institute of Standards and Technology Information Technology Laboratory announced the release of the _Incident Handling Guide_ that has been available only in draft form for the last year or so. The following is a severely shortened version of the announcement.

* * *

NIST’s Information Technology Laboratory recently issued Special Publication (SP) 800-61, _Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology_. Written by Tim Grance, Karen Kent, and Brian Kim, NIST SP 800-61 provides practical guidance to help organizations establish an effective incident response program, analyze and respond to information security incidents, and reduce the risks of future incidents. NIST SP 800-61 is available at https://csrc.nist.gov/publications/nistpubs/index.html …

A) Planning and Organizing an Incident Handling Capability

Federal departments and agencies are specifically directed by the Federal Information Security Management Act (FISMA) of 2002 to develop and implement procedures for detecting, reporting, and responding to security incidents. Federal civilian agencies are responsible for designating a primary and secondary point of contact (POC) to report all incidents to the Federal Computer Incident Response Center (FedCIRC) in the Department of Homeland Security, and for documenting corrective actions that have been taken and their impact. . . .

B) Using Effective Security Methods for Networks, Systems, and Applications to Reduce the Frequency of Incidents

. . . Risk assessments should be performed regularly and the identified risks reduced to an acceptable level. Threats to systems and information should be continuously monitored using intrusion detection systems and other methods. The incident response team should have access to tools, resources, and information such as contact lists, encryption software, network diagrams, and security patches. . . .

C) Interacting with Other Organizations

Clear procedures should be established to communicate when necessary with internal groups such as the human resources, public affairs, and legal departments, and with external organizations such as computer incident response teams and law enforcement officials. . . .

D) Maintaining Staff Awareness of the Importance of Incident Detection and Analysis

Logging and computer security software should be checked for possible signs of incidents. Event correlation software and centralized logging can be of great value in performing an initial analysis of the voluminous data that is collected and in selecting the events that require human review. . . .

E) Developing Written Guidelines for Prioritizing Incidents

Priorities for the handling of individual incidents should be established, based on the following considerations:

* The criticality of the affected resources (e.g., public web server, user workstation)
* The current and potential technical effect of the incident (e.g., root compromise, data destruction)

. . .

F) Applying the Lessons Learned from Incidents

After a major incident has been handled, the organization should hold a meeting to review how effective the incident handling process was and to identify needed improvements to existing security controls and practices. . . . An incident database, with detailed information on each incident that occurs, can be another useful source of information for incident handlers. . . .

G) Maintaining Situational Awareness During Large-Scale Incidents

Communications within the organization and with external groups can be challenging and complex when large-scale incidents are handled. . . .

Situational awareness in the organization can be maintained when handling large-scale incidents by:

* Establishing, documenting, maintaining, and exercising on-hours and off-hours contact and notification mechanisms for various individuals and groups within the organization (e.g., chief information officer [CIO], head of information security, IT support, business continuity planning) and outside the organization (e.g., incident response organizations, counterparts at other organizations).
* Planning and documenting guidelines for the prioritization of incident response actions based on business impact.
* Preparing one or more individuals to act as lead officials who are responsible for gathering information from the incident handlers and other parties, and distributing relevant information to the parties that need it.
* Practicing the handling of large-scale incidents through exercises and simulations on a regular basis.

* * *

To subscribe at no cost to the ITL Bulletin, see: https://www.itl.nist.gov/lab/bulletns/subinfo.htm
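As an added illustration of sections D and E above (this is not code from the bulletin or from NIST), the following Python sketch performs an initial correlation over a constructed sample of centralized log lines, drops hosts with nothing to review, and orders the remaining incidents by the two prioritization considerations the bulletin names. The log format, the asset inventory and the numeric criticality and effect rankings are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed centralized-log sample (not from the bulletin): "<timestamp> <host> <event> k=v ...".
LOG_LINES = [
    "2024-01-05T02:11:01 web01 auth_fail user=admin src=203.0.113.7",
    "2024-01-05T02:11:03 web01 auth_fail user=admin src=203.0.113.7",
    "2024-01-05T02:11:05 web01 auth_fail user=admin src=203.0.113.7",
    "2024-01-05T02:11:09 web01 auth_ok user=admin src=203.0.113.7",
    "2024-01-05T02:30:44 ws17 av_quarantine file=invoice.exe",
    "2024-01-05T03:02:10 fs02 file_delete count=1200 user=svc_backup",
    "2024-01-05T03:05:00 web02 auth_ok user=alice src=198.51.100.2",
]
# Assumed asset inventory and rankings; in practice they come from the written prioritization guidelines (section E).
ASSETS = {"web01": "public web server", "web02": "public web server", "fs02": "file server", "ws17": "user workstation"}
CRITICALITY = {"public web server": 3, "file server": 3, "user workstation": 1}
EFFECT = {"none": 0, "malware": 2, "user compromise": 3, "data destruction": 4, "root compromise": 4}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
worse = lambda a, b: a if EFFECT[a] >= EFFECT[b] else b  # the more severe of two effect labels

def parse(line):
    ts, host, event, rest = LINE_RE.match(line).groups()
    return {"ts": ts, "host": host, "event": event, **dict(kv.split("=", 1) for kv in rest.split())}

def correlate(lines):
    """Initial analysis: group events per host, derive current/potential effect, drop hosts with none."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        kinds = [e["event"] for e in evs]
        current = potential = "none"
        if "auth_ok" in kinds and kinds.count("auth_fail") >= 3:
            # Repeated failures then a success: account taken over; a privileged account puts root at risk.
            user = next(e["user"] for e in evs if e["event"] == "auth_ok")
            current = worse(current, "user compromise")
            potential = worse(potential, "root compromise" if user in ("admin", "root") else "user compromise")
        if "av_quarantine" in kinds:
            current, potential = worse(current, "malware"), worse(potential, "user compromise")
        if any(e["event"] == "file_delete" and int(e.get("count", 0)) >= 1000 for e in evs):
            current = potential = worse(current, "data destruction")
        if current != "none":
            incidents.append({"host": host, "resource": ASSETS.get(host, "unknown"), "current": current, "potential": potential})
    return incidents

def priority(inc):
    """Section E considerations: resource criticality times the worse of current and potential effect."""
    return CRITICALITY.get(inc["resource"], 2) * max(EFFECT[inc["current"]], EFFECT[inc["potential"]])

def triage(lines):
    """Incidents for human review, highest priority first; ties go to the larger current effect."""
    return sorted(correlate(lines), key=lambda i: (priority(i), EFFECT[i["current"]]), reverse=True)
```

Running `triage(LOG_LINES)` yields the file server first (data destruction already under way), the web server second (same score, but root compromise is still only potential), and the workstation last; the single successful login on web02 is not reported at all.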