- : Executing a Policy
- Security Incident Response
- Computer Security Incident Response Teams
- Preparing for Incident Response
- Management of Security by Teams
- Execution of an Incident Response
- Evaluation of a Security Incident
- Containing the Incident
- Eradicating the Incident
- Recovering From an Incident
- Article Series
- About the Author
- Ordering Sun Documents
- Accessing Sun Documentation Online
Execution of an Incident Response
From here on, we cover the execution of security incident response policies for customers. Discovery and reporting of the incident is briefly covered in the beginning of the evaluation phase. In this article series, we focus primarily on five phases of response execution when a security incident is reported at the customer site:
Evaluation, containment, eradication, and recovery are discussed in this article. Following up after the recovery will be discussed in the next article.
In Figure 2, the relationships and communication between security and other related teams is summarized for an organization to prepare a plan for incident response and make decisions to execute the five phases. As described in the first article, the organization's worldwide security team has a worldwide security manager and security officers within it, based on the geographic area. Primarily, the organization's worldwide security team communicates with all of the other security teams, legal, and PR organizations to resolve incidents by creating VCSIRTs, as needed on a per incident or more than one incident per site basis, as necessary, based on resources and urgency. The VCSIRTs have geographic jurisdiction assigned by the worldwide security team.
Also, in Figure 2, it is shown that worldwide security teams will need to work with national and international CSIRTs. For example, for Germany, DFN-CERT is the national CSIRT, and examples of international CSIRTs are AusCERT in Australia and CERT/CC in the U.S. In addition, it will be necessary, depending on the situation, to work with investigative agencies and security tracking organizations, such as SANS (http://www.sans.org) and securityfocus (http://www.securityfocus.com). The communications with these external agencies might not be direct; the corporate security team or the enterprise's internal CSIRT might be involved.
FIGURE 3 Communication Between the Organization's Security Teams, Enterprise's Teams, and External Security Teams and Agencies