2. Process One – Fundamental Approach
Process One was specifically developed to assist security incident responders in
handling the myriad of investigative, remedial, and reporting tasks involved in
resolving security incidents.
The first phase of every Process One implementation is the creation of a
customized Computer Security Incident Response Team process guide. This
process guide becomes the governing document for the responders, and is
electronically manifested in the Process One software.
An understanding of the approach used during the construction of this process
guide will facilitate a deeper understanding of the system.
June 17, 2011 2
3. The Extended CSIRT Model
Core CSIRT Team: Core CSIRT team members act as incident coordinators who are ultimately responsible for the final resolution of all computer security related incidents.
Extended CSIRT Team: Extended CSIRT team members are individuals within various operational departments possessing specific skills to assist in case actions and/or having intimate departmental and institutional knowledge.
Individual CSIRT Contributors: Individual CSIRT contributors are assigned specific actions to complete based on their knowledge, skill sets, and responsibilities.
[Figure: the extended CSIRT model drawn as concentric rings (Core CSIRT, Extended CSIRT, Individual Contributor), with departmental contributors labelled External, HR, Physical, Finance, Legal, OPS and Risk.]
4. Consistent Prioritization
An incident’s priority can be
determined by establishing
the highest level of impact
on the organization using an
established matrix.
In this example, the incident
reflects a “High” priority even
though most impacts are
considered “Low”.
5. Proper Notification
Now a CSIRT process can
effectively utilize a Reporting
Escalation Matrix to
ascertain which departments
should receive immediate
alerts about an incident.
Process One then
automatically notifies
appropriate personnel when
incidents are created or
escalated.
6. Establishing Incident Categories
The desired granularity of incident categories must be determined, and then those categories must be defined. This is important for both establishing work flows and for reporting purposes.
[Figure: example incident category tree]
Personnel: Email Usage, Internet Usage, Workstation Usage, Application Misuse, Network Probing
External: Email Spamming, Internet Network Probing, Denial of Service, Logical Attack
Legal: Legal Hold Support, Forensic Request, Outside Legal Support
Loss of Equipment: Computing Equipment Loss, Electronic Media Loss, Paper Media Loss
7. Determining Available Response Actions
Once an incident has
been properly
categorized, utilizing a
response matrix
ensures that incidents
are handled in a
standard and
repeatable fashion.
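The triage chain the slides describe (highest impact sets the priority, the escalation matrix decides who is alerted, the response matrix fixes the actions per category) as an added Python sketch; it is not Process One code, and every matrix value, impact area and action name below is constructed for illustration, since the slides only show that such matrices exist.

```python
"""Constructed incident triage pipeline following the Process One slides:
priority = highest impact across areas; escalation matrix = who is alerted;
response matrix = standard actions for the incident category."""
from dataclasses import dataclass

# Assumed impact scale, ordered lowest to highest (slides name only Low and High).
LEVELS = ("Low", "Medium", "High")

# Constructed escalation matrix: priority -> departments alerted immediately.
ESCALATION_MATRIX = {
    "Low": {"Core CSIRT"},
    "Medium": {"Core CSIRT", "OPS"},
    "High": {"Core CSIRT", "OPS", "Legal", "HR", "Risk"},
}

# Constructed response matrix: category -> ordered standard actions.
RESPONSE_MATRIX = {
    "External/Denial of Service": [
        "capture traffic sample", "engage upstream provider", "document timeline"],
    "Loss of Equipment/Computing Equipment Loss": [
        "verify disk encryption", "revoke device credentials", "file loss report"],
}


@dataclass
class Incident:
    category: str
    impacts: dict  # impact area -> level, e.g. {"Finance": "Low"}


def priority(incident):
    """Priority is the single highest impact, not a vote or an average."""
    for area, level in incident.impacts.items():
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r} for {area}")
    return max(incident.impacts.values(), key=LEVELS.index)


def notify(incident):
    return sorted(ESCALATION_MATRIX[priority(incident)])


def response_actions(incident):
    # Uncategorized incidents fall back to manual handling by the core team.
    return RESPONSE_MATRIX.get(
        incident.category, ["escalate to Core CSIRT for manual handling"])


if __name__ == "__main__":
    # Constructed case matching slide 4: mostly Low impacts, one High -> High.
    inc = Incident("External/Denial of Service",
                   {"Finance": "Low", "Legal": "Low", "HR": "Low", "OPS": "High"})
    print(priority(inc), notify(inc), response_actions(inc))
```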