Hi Jim,

Usually, an Incident Escalation procedure for an IDS stems from

1. The structure of the core Incident Response Team

2. Adherence to any higher level policy, if required (in line with escalation 
matrices defined in the business continuity plans)

3. SLAs signed with clients - internal and external


One suggested team structure is

1. Computer Incident Response Team (CIRT) leader

2. Incident Handler

3. Database Administrators

4. Legal Counsel


Now depending on the nature and category of alerts coming from the IDS, an 
incident can be escalated from the incident handler to CIRT leader to database 
admin to Legal Counsel. Also, the escalation may vary depending on the severity 
of alerts.


As Vijay rightly pointed out, you can refer to the NIST SP 800-61 publication, the 
Incident Notification section. This provides a sample list of parties which are 
usually notified.


HTH,

Khushbu Jithra

Information Security Consultant

NII Consulting

Web: http://www.niiconsulting.com
