From the desk of: Sam C. Chan
First published: March 9, 2009
Last update: May 1, 2018
Security Incident Response (SIR) Levels
Threat Level | Name        | Remarks
0            | baseline    | Mild threat. Case is summarily closed per Bravo Policies*.
1            | log event   | Potentially noteworthy in the long run; recorded, no action.
2            | monitor     | Just crossed the "beneath radar" threshold; under observation.
3            | investigate | Proactive, low-key SIR procedure. Report to follow.
4            | elevated    | Management is alerted. Immediate SIR steps.
5            | breach      | Activate triage → deep investigation → clean-up → debrief.
* Within my IT jurisdiction**, BTC default policies*** are in effect, unless your firm-specific policies/guidelines exist, have been communicated to me, and we have explicitly agreed on the scope and extent of the superseding clauses.

** "IT jurisdiction" is de facto and unilaterally declared by BTC; it applies to BOTH retainer sites and T&M sites. Should you object (in name, or in practice), feel free to speak up, and we will amend accordingly. This is related to the "modes" I allude to often.

*** The default policy is already comprehensive and tiered (not one size fits all), according to the firm's business nature and its implied/committed IT attentiveness level, per my 2006 memo to you, along with the 2007 memo on preparedness quotient, which refers back to my 2000 memo on DIFA.
SIR Levels are only a tiny aspect of the overall Bravo SIR Doctrine, which was originally based on the NIST governance-focused incident response process. It has since gone through numerous generational transformations and, as it stands today, deviates very significantly from that origin. Notably, a few pertinent elements from US-CERT have been incorporated. It is now best described as "inspired by" NIST SP 800-61 and its predecessor SP 800-3, but it is mostly an original creation.