From the desk of: Sam C. Chan

First published: March 9, 2009
Last update: May 1, 2018
Security Incident Response (SIR) Levels

Threat Level Remarks
0 baseline Mild threat. Case is summarily closed per Bravo Policies*
1 log event Potentially note-worthy in the long run.
2 monitor Just crossed "beneath radar" threshold... observing...
3 investigate Proactive Low-key SIR procedure. Report to follow.
4 elevated Management is alerted. Immediate SIR steps.
5 breach Activate triage →deep investigation →clean →debrief

* Within my IT jurisdiction**, BTC default policies*** in effect—unless your firm-specific policies/guidelines exist, communicated to me, and we explicitly agreed on scope & extend of superseding clauses.

** "IT jurisdiction" is de facto and unilaterally declared by BTC: applicable to BOTH retainer sites and T&M sites. Should you object (in name, or in practice), feel free to speak up, and we will amend accordingly. This is related to the "modes" which I allude to often.

*** default policy is already comprehensive and tiered (not 1 size fits all), according to firm's business nature and implied/committed IT attentiveness level, per my 2006 memo to you, along with 2007 memo on preparedness quotient, referring back to my 2000 memo on DIFA.

SIR Levels: only a tiny aspect of overall Bravo SIR Doctrine—originally based on NIST governance-focused incident response process. It has since gone through numerous generational transformation, and deviates very significantly, as it stands today. Notable, a few pertinent elements from US-CERT have been incorporated. It is now said to be "inspired by" 800-61 & its predecessor 800-3, but mostly an original creation.

CSRC.gov NIST SP 800-61 r2 2012r1 2008ori 2004SP 800-3 1991
DHSCISA cyber+infraCyberSec divNCCIC →US-CERT | SECIR | FNR | NSD 

2005-2018   Bravo Technology Center      Bravo:GO  * Memos * Info Contact