NIST releases incident response guidelines
- By William Jackson
- Jan 21, 2004
The National Institute of Standards and Technology has published guidelines for responding to security breaches in government computer systems.
Prevention is better than response, the authors say. But 'not all incidents can be prevented. An incident response capability is therefore necessary.'
It not only is necessary, it is required under the Federal Information Security Act.
NIST is responsible under FISMA for developing standards and guidelines for agency information security. The recommendations in NIST Special Publication 800-61, Computer Security Incident Handling Guide, emphasize planning and communication. They propose a cyclical approach, in which lessons learned are incorporated into planning for future incidents.
The guidelines cover response to denial-of-service attacks; malicious code, including viruses, worms and Trojan horses; unauthorized access; inappropriate use by authorized users, and incidents incorporating various types of security breaches.
NIST recommends that incident response begin well before the incident, with organizing and providing resources for a team. Lines of communication within the team and with other organizations should be specified. Systems should be secured to prevent as many incidents as possible and monitored to detect security breaches as they occur.
During a breach, teams need documented guidelines for prioritizing incidents and must maintain broad situational awareness while dealing with it.
After each incident, action reports should document lessons learned, and these lessons should be incorporated in future plans, NIST said.
The entire 148-page report is available online (148-page PDF)
William Jackson is a Maryland-based freelance writer.