search

Which of the following is not a phase in the nist infosec performance measures development process?

1 Jahrs vor
Kommentare: 0
Ansichten: 77

A computer security incident response team, or CSIRT, is a group of IT professionals that provides an organization with services and support surrounding the assessment, management and prevention of cybersecurity-related emergencies, as well as coordination of incident response efforts.

Show

The main goal of a CSIRT is to respond to computer security incidents quickly and efficiently, thus regaining control and minimizing damage. This involves following National Institute of Standards and Technology's (NIST) four phases of incident response:

  1. preparation
  2. detection and analysis
  3. containment, eradication and recovery
  4. post-incident activity

To do so, CSIRTs may take on many responsibilities, including the following:

  • create and update incident response plans;
  • maintain and communicate information to internal and external entities;
  • identify, assess and analyze incidents;
  • coordinate and communicate response efforts;
  • remediate incidents;
  • report on incidents;
  • manage audits;
  • review security policies; and
  • recommend changes to prevent future incidents.

A central assumption of this definition is that a CSIRT is an organized entity with a defined mission, structure, and roles and responsibilities. This assumption excludes any ad hoc or informal incident response activity that does not have a defined constituency or documented roles and responsibilities. This assumption is driven by the belief that, without a formalized incident response capability, it is not possible to deliver effective incident response.

The Forum of Incident Response and Security Teams, an international association of incident response teams, released the "FIRST CSIRT Framework." This detailed document builds on Computer Emergency Response Team Coordination Center (CERT/CC) guidance that has been used since the late 1980s. The framework also outlines service areas CSIRTs could offer constituents, including information security event management, infosec incident management, vulnerability management, situational awareness and knowledge transfer.

CSIRT attributes and processes

While every CSIRT is unique to its organization, in general, CSIRTs have three attributes that differentiate them from other incident response teams: their mission statement, constituency and list of services.

Mission statement

The CSIRT mission is a statement of purpose or its reason for existing. A CSIRT's mission defines its areas of responsibility and serves to set expectations with its constituency.

An example CSIRT mission statement may be: "It is the mission of XYZ CSIRT to protect XYZ Corp. by creating and maintaining the capability of detecting, responding and resolving computer and information security incidents."

Constituency

A CSIRT constituency must be clearly defined. This is the customer base or recipients of incident response services. The constituency is assumed to be unique to a given CSIRT and is often its parent organization.

List of services

The CSIRT mission is carried out through the delivery of CSIRT services to its constituency. CSIRTs may offer several services, but there are fundamental ones that a CSIRT must offer to be considered a formal incident response team. At its most basic level, a CSIRT must be able to do the following:

  • Receive an incident report from a constituent. In order to receive an incident report from a CSIRT constituency, the constituency first needs to know the CSIRT exists. Constituents also need to understand what the CSIRT does and how its services are accessed, as well as the service and quality levels it can expect. Thus, the CSIRT needs to have defined its mission and services, announced itself to its constituency and published guidance on how incident services are requested. This includes publishing an incident response policy, processes, procedures, forms and resources necessary to inform and enable constituencies to file incident reports.
  • Analyze an incident report to validate and understand the incident. Once an incident report has been received, the CSIRT analyzes the report to validate that an incident or other type of activity that falls under the CSIRT mission has indeed occurred. The CSIRT then determines if it understands the report and the incident well enough to create an initial response strategy that fulfills the goals of regaining control and minimizing damage. Part of being able to analyze an incident report and respond efficiently is having staff that can perform a variety of tasks. Members of the CSIRT should have written plans, policies and procedures that document their specific roles and responsibilities.
  • Provide incident response support. Depending on how the CSIRT is organized and the services offered, a CSIRT may provide incident response support via the following:
    • on-site incident response services delivered directly to the constituent;
    • incident response services delivered over email or the phone; or
    • coordinated incident response services that combine and allocate the efforts of multiple incident response teams across multiple constituents.

In some situations, an organization's CSIRT may only develop and oversee incident response strategies and services rather than implement them. For example, other groups or departments, such as network engineers or system and data owners, may carry out the response strategy with the CSIRT managing the effort.

CSIRT structures

How a CSIRT is structured depends on its parent organization's needs. For example, consider if 24/7 coverage is needed, the availability of trained employees, whether full- or part-time team members are required, and operating costs.

There are several common CSIRT structures, including the following:

  • Centralized CSIRT. In a centralized CSIRT, a single incident response team serves the entire organization, and all incident response resources are contained within the dedicated unit. This model is well suited for small organizations or organizations with limited geographic scope.
  • Distributed CSIRT. In a distributed CSIRT, several independent incident response teams exist. The distribution of CSIRT resources may depend on wide geographic scope of the organization or the location of its major facilities. Other attributes that include whether a company is organized by a business unit structure or simply by the distribution of employees and information assets may also influence the CSIRT's distribution. Additionally, most distributed CSIRT models require a coordinating CSIRT.
  • Coordinating CSIRT. This CSIRT manages other, often subordinate, CSIRTs. This CSIRT coordinates incident response activities, information flow and workflow among distributed teams. A coordinating CSIRT may not provide any independent incident response services itself. Instead, it focuses on the efficient and effective use of resources in the distributed teams. For example, CERT/CC, the Software Engineering Institute's (SEI) computer emergency response team, is a coordinating CSIRT that orchestrates activities among national, governmental and regional CSIRTs.
  • Hybrid CSIRT. A hybrid CSIRT combines attributes of centralized and distributed CSIRTs. The central CSIRT component is often full time, and the distributed component is composed of subject matter experts (SMEs) who may not be attached to incident response activities except as needed during security events. In this model, when the central CSIRT detects a potential event, it analyzes the incident and determines the response needs. Then, the appropriate distributed CSIRT experts can be called up to assist in these activities. Though a hybrid CSIRT relies on SMEs who are not full-time CSIRT members, it is definitively a formal incident response team. The hybrid CSIRT's distributed units of experts are designated as incident response professionals with defined roles and responsibilities and receive formal incident response training. They may also be required to obtain and maintain incident handler certifications.
  • CSIRT/SOC hybrid. In this specialized hybrid model, the security operations center (SOC) is responsible for receiving all alerts, alarms and reports indicating potential incidents. If the SOC requires help with additional analysis, the CSIRT is activated. In general, the SOC acts as a front end for the CSIRT, performing incident detection, and then passes incidents to the CSIRT to handle.
  • Outsourced CSIRT. An outsourced CSIRT can be a helpful option for companies that lack the resources or staff to build an in-house team. This CSIRT model involves staffing an internal CSIRT with contractors rather than employees or outsourcing CSIRT tasks and services that may be only occasionally needed, such as digital forensics.

How to build a CSIRT

Developing an effective incident response strategy means an organization can detect and respond to a computer or infosec incident in a way that limits damage and keeps recovery costs as low as possible.

When developing an incident response team, consider the following:

  • Decide what types of technical backgrounds, roles and responsibilities are required.
  • Assign a team leader to oversee CSIRT efforts, as well as communicate incidents and progress to the executive leadership.
  • Determine the proper CSIRT organizational model and the required functioning hours for the team.
  • Create security plans, policies and procedures for a variety of potential threats and incidents.
  • Provide CSIRT members with routine cybersecurity education and awareness training.
  • Conduct systemwide risk assessments.
  • Identify critical incident response assets, including data, business processes, technology and people.
  • Have a well-documented asset management plan.
  • Implement a configuration managementprogram to ensure all software is patched and any updates are tested and applied in a timely manner.
  • Execute a defensive network architecture using routers, firewalls, intrusion detection and preventionsystems (IDSes/IPSes), network monitors and security operations.

CSIRT member roles

An effectively functioning CSIRT requires an array of members with various skills and responsibilities. There is no one-size-fits all approach, however. Organizations must staff and train employees to meet their specific security incident response needs.

Several factors affect the organization of CSIRT roles, including the organization's risk profile and CSIRT structure. In general, CSIRT members include the following:

  • CSIRT team lead. This executive role, typically occupied by the chief information security officer (CISO), communicates incidents with C-suite executives and coordinates the CSIRT budget.
  • Incident manager. This role coordinates CSIRT meetings, ensures accountability from CSIRT members across the organization and determines whether incident findings should be escalated to executives.
  • Supporting CSIRT staff. These technical roles, such as the security analyst, incident handler, shift lead or forensics investigator, are responsible for incident detection, response and reporting activities.
  • Cross-functional CSIRT roles. To carry out its mission, a CSIRT often incorporates legal, human resources (HR) and public relations (PR) professionals into the team. For example, a member of the legal team advises on potential lawsuits from shareholders or employees, as well as the incident disclosure process. An HR role in the CSIRT manages personnel issues and communicates incidents to employees. PR staff handle press releases; employee, partner, customer and stakeholder communications; and media inquiries regarding security incidents.

CSIRT members' skills and responsibilities

CSIRT staff play a critical role in upholding the CSIRT mission and service. An effective CSIRT requires staff members to maintain a diverse range of technical and nontechnical skills.

Technical skills

CSIRT staff need a baseline of technical skills and security knowledge to perform daily tasks. A general understanding of security principles, vulnerabilities, programming and network protocols constitute this baseline. In addition, CSIRT staff should be trained in the following technical skills for incident handling:

  • identifying intruder tactics and techniques;
  • securing CSIRT communications through encryption;
  • analyzing incidents to determine how to respond effectively; and
  • maintaining incident records and reports.

Nontechnical skills

CSIRT work is service-based. Thus, all CSIRT staff must demonstrate diplomacy and communicate competency in interactions with constituents.

  • Willingness to follow instructions. Staff should be familiar with defined CSIRT procedures and policies and the importance of upholding them.
  • Communication. Staff should demonstrate effective written and interpersonal communication skills necessary to fulfill duties such as documenting incident reports or presenting technical briefings.
  • Collaboration. Due to the cooperative nature of the CSIRT structure, members must be committed team players to ensure collective morale, productivity and agility.
  • Time management. Staff should understand how to use provided criteria to prioritize various CSIRT activities and determine when to ask for help from management.
  • Analytical reasoning. CSIRT staff need to think out of the box to anticipate attacker techniques and problem-solve in potentially volatile situations.
  • Stress management. The demanding nature of incident response and risk of security staff burnout warrant special attention to managing stress, as well as work-life balance.
  • Continuous learning. Incident response is a constantly changing area of expertise. Thus, CSIRT members must be inquisitive people and embrace opportunities to further their skills through training, certification or mentorship.

CSIRT management

It is important to have a dispersed and well-managed CSIRT. Most CSIRTs are structured to maintain 24/7 monitoring. This is done by dividing operating hours into three shifts, each with a designated shift lead. During their shifts, shift leads should communicate their work and findings with other shift leads. This information should then be relayed to the CSIRT team lead or executive staff member to maintain transparency with the rest of the organization.

Larger companies should not only separate employees by time, but also geographic location. Smaller companies may find it more cost-effective to outsource CSIRT processes for after hours.

SOC vs. CSIRT vs. CERT

Organizations may employ one or more of the three main types of incident response teams: CSIRTs, SOCs and CERTs. Sometimes, these terms are used synonymously, though differences do exist, depending on the organization's use of the term(s).

The most unique of the three is the SOC. This dedicated facility monitors and defends technology and hardware and acts as a command-and-control center for an organization, region or country. It protects networks, servers, applications and endpoints. A SOC's responsibilities, however, extend beyond that of just incident response.

Which of the following is not a phase in the nist infosec performance measures development process?
While a CSIRT, CERT and SOC are considered separate types of incident response teams, they do have overlapping goals and responsibilities.

CSIRT, CERT and the less-often-used computer incident response team (CIRT) are often used interchangeably. In general, CSIRTs, CERTs and CIRTs all handle incident response, though their specific tasks may vary by organization. The terminology used by an organization should be adequately defined, along with the goals, structure and use of resources necessary to properly respond to incidents.

It is important to note that CERT is a registered trademark of Carnegie Mellon University (CMU). Organizations may use the CERT mark after achieving authorization. However, some organizations -- likely unaware it is trademarked -- still use it to define their incident response teams.

This was last updated in March 2021

Continue Reading About computer security incident response team (CSIRT)

  • To improve incident response capability, start with the right CSIRT
  • NIST incident response plan: 4 steps to better incident handling
  • Free cybersecurity incident response plan template
  • How attackers counter incident response after a data breach
  • FIRST CSIRT services framework

Which of the following is the first phase in the NIST process for performance measures implementation?

The first phase in the NIST performance measures methodology is to collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets.

What is the final stage of the business impact analysis when using the NIST SP 800 34?

What is the final stage of the business impact analysis when using the NIST SP 800-34 approach? Identify recovery priorities for system resources.

What term below is used to describe security efforts that are considered among the best in an industry?

best security practices (BSPs): Security efforts that are considered among the best in the industry.

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

phase nist infosec performance measures development process

zusammenhängende Posts

In which phase of the development of an InfoSec policy Must a plan to distribute the policies be developed?
In which phase of the development of an InfoSec policy Must a plan to distribute the policies be developed?

During what phase of the nursing process would the nurse be required to consider the efficacy of nursing interventions related to drug therapy?
During what phase of the nursing process would the nurse be required to consider the efficacy of nursing interventions related to drug therapy?

During which phase of the nursing process does data get collected and validated with the patient and or family members by the nurse?
During which phase of the nursing process does data get collected and validated with the patient and or family members by the nurse?

During which phase of the patient interview would the nurse ask the patient about allergies and medications?
During which phase of the patient interview would the nurse ask the patient about allergies and medications?

In which phase would the nurse observe blowing and whooshing sounds during blood pressure BP measurement?
In which phase would the nurse observe blowing and whooshing sounds during blood pressure BP measurement?

On which task should a nurse place priority during the working phase of relationship development?
On which task should a nurse place priority during the working phase of relationship development?

What actions should the nurse take during the orientation phase of developing a therapeutic relationship with a client?
What actions should the nurse take during the orientation phase of developing a therapeutic relationship with a client?

Which phase of the helping relationship is the nurse exhibiting when reviewing the patients medical and nursing histories quizlet?
Which phase of the helping relationship is the nurse exhibiting when reviewing the patients medical and nursing histories quizlet?

Which action performed by the nurse indicates the working phase of the helping relationship quizlet?
Which action performed by the nurse indicates the working phase of the helping relationship quizlet?

Werbung

NEUESTEN NACHRICHTEN

Which list below contains only information systems development project risk factors?
1 Jahrs vor . durch MaleAllocation
Controlling measures the of actual performance from the standard performance
1 Jahrs vor . durch BrokenDeficiency
Welche Elemente kommen im menschlichen Körper vor?
1 Jahrs vor . durch LeveragedAvarice
Mit anzusehen wenn der mann anbaut
1 Jahrs vor . durch GubernatorialFreestyle
Second Hand Kinder in der Nähe
1 Jahrs vor . durch Tax-freeChemotherapy
Which of the following statements is true regarding surface-level diversity?
1 Jahrs vor . durch CracklingLordship
Wie wird man im Solarium am besten braun?
1 Jahrs vor . durch FlushedDemeanor
When giving a speech of presentation you should usually explain why the recipient is being given his or her award?
1 Jahrs vor . durch DentalSnail
Wie lange ist 3 tage fieber ansteckend
1 Jahrs vor . durch ObsessiveRedemption
Was sagt man wenn jemand in rente geht
1 Jahrs vor . durch SubjectiveCriminality

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendefrjakoptzhhi
Urheberrechte © © 2024 decemle Inc.