Revising Way to Handle Computer Incidents

NIST's Computer Security Incident Handling Guide Gets Rewrite
Threats change, and how organizations respond to computer security incidents changes, too.

In March 2008, when the National Institute of Standards and Technology issued Special Publication 800-61: Computer Security Incident Handling Guide, threats tended to be short-lived, fast-paced and comparatively easy to detect. Today's threats are stealthier, specifically designed to spread quietly and slowly to other hosts, gathering information over extended periods of time and eventually leading to the loss of sensitive data.


NIST is working on a revision of the guide, and seeks from industry, government agencies and academia best practices that could be included in the updated guidance.

The revised guide is designed to help incident response teams in and out of government to create an incident response policy and plan. The plan should have a mission, strategies and goals; an organizational approach to incident response; metrics for measuring the response capability; and a built-in process for updating the plan as needed.

NIST encourages organizations to review an incident immediately after it happens because that practice will help them to prepare for future incidents and provide stronger protection for systems and data.

SP 800-61 lead author Paul Cichonski says the revised guidance encourages incident teams to think of an attack in two ways. "One is by method: what's happening and what needs to be fixed," he says. "The other is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident."

Recommendations to the guidance must be submitted by March 16 to 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.


About the Author

Eric Chabrow


Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.
