Hi all, I've recently co-authored a paper for the current state of the art in Incident Response, called "On Incident Handling and Response: A state-of-the-art approach. It provides guidelines for the formation of an Incident Handling Team, the points of contact,methodology and procedures.
It's under property of Elsevier Computers & Security 25(5):351-370,2006, but I'm pretty sure that it can be found somewhere online. Hope this helps. Dimitrios Patsos Ph.D.(Cand.),M.S.c,CCDA,CCSE,CME,CHFA -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 17, 2007 08:02 To: [email protected] Subject: Re: IDS Incident Escalation Procedure Hi Jim, Usually, an Incident Escalation procedure for an IDS stems from 1. The structure of the core Incident Response Team 2. Adherence to any higher level policy, if required (in line with escalation matrices defined in the business continuity plans) 3. SLAs signed with clients - internal and external One suggested team structure is 1. Computer Incident Response Team (CIRT) leader 2. Incident Handler 3. Database Administrators 4. Legal Counsel Now depending on the nature and category of alerts coming from the IDS, an incident can be escalated from the incident handler to CIRT leader to database admin to Legal Counsel. Also, the escalation may vary depending on the severity of alerts. As Vijay rightly pointed, you can refer to the NIST SP 800-61 publication, the Incident Notification section. This provides a sample list of parties which are usually notified. HTH, Khushbu Jithra Information Security Consultant NII Consulting Web: http://www.niiconsulting.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in tro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
