Revising Way to Handle Computer IncidentsNIST's Computer Security Incident Handling Guide Gets Rewrite
In March 2008, when the National Institute of Standards and Technology issued Special Publication 800-61: Computer Security Incident Handling Guide, threats tended to be short-lived, fast-paced and comparatively easier to detect. Today's threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to loss of sensitive data.
NIST is working on a revision of the guide, and seeks from industry, government agencies and academia best practices that could be included in the updated guidance.
The revised guide is designed to help incident response teams in and out of government to create an incident response policy and plan. The plan should have a mission, strategies and goals; an organizational approach to incident response; metrics for measuring the response capability; and a built-in process for updating the plan as needed.
NIST encourages organizations to review an incident immediately after it happens because that practice will help them to prepare for future incidents and provide stronger protection for systems and data.
SP 800-61 lead author Paul Cichonski says the revised guidance encouarges incident teams to think of the attack in two ways. "One is by method: what's happening and what needs to be fixed," he says. "The other is to consider an attack's impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident."
Recommendations to the guidance must be submitted by March 16 to firstname.lastname@example.org with "Comments SP 800-61" in the subject line.