Computer Security Incident Response
Computer security incident response is the process and set of actions an organization takes in response to a computer security incident. Any enterprise or organization that does business using computers, computer-based equipment, or data communications networks should establish a security incident response program, to protect itself, its customers, and its partners, before a security incident occurs.
Every security incident response program will contain unique elements that exist and make sense only for its own organization. This article discusses only a common set of elements that any program can follow. These elements must be treated as a starting point for the more detailed analysis that a policy document requires, not as the policy itself.
In this article, we describe the essentials of establishing a security incident response policy for an organization within an enterprise. The organization could span all geographic zones, or it could be based in a specific geographic area. All organizations that ship computer-based equipment and/or software to their customers need to define what a computer security incident is in relation to their own and/or customers' sites. General definitions for a computer security incident are:
Any real, or suspected, adverse event in relation to the security of computer systems or networks
Any act of violating an explicit or implied security policy
Examples of incidents include the following activities:
Attempts (either failed or successful) to gain unauthorized access to a system or its data
Unwanted disruption or denial of service
Unauthorized use of a system for the processing or storage of data
Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
Computer security incident activity can be defined as host or network activity that potentially threatens the security of computer or computer-based systems, networks, or sites with computing equipment. When a security incident is reported at an organization's customer site, the organization must process the incident responsibly.
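The definitions above describe incident activity in terms of host and network events. The following Python script, added here as an illustration and not part of the original article, shows how a small triage step can map raw events onto the three example categories (unauthorized access attempts, denial of service, and unauthorized use or changes without the owner's consent). The log lines, the thresholds, and the "ticket=" convention used to represent an owner's documented consent are all constructed for this example and are not drawn from any real system.

```python
"""Added example, not from the article: triage constructed host/network
events into the article's incident categories.

Assumptions (all invented for this illustration):
  * syslog-like lines in the three formats matched by the regexes below
  * a change is "authorized" only if it carries a CHG-<n> ticket
  * thresholds for failed logins and SYN counts are arbitrary defaults
"""
import re
from collections import Counter

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOGS = [
    "host1 sshd: Failed password for root from 203.0.113.7",
    "host1 sshd: Failed password for root from 203.0.113.7",
    "host1 sshd: Failed password for admin from 203.0.113.7",
    "host1 sshd: Failed password for root from 203.0.113.7",
    "host1 sshd: Failed password for root from 203.0.113.7",
    "host1 sshd: Accepted password for alice from 198.51.100.5",
    "edge-fw: SYN from 192.0.2.9 to 10.0.0.5:443",
    "host2 fwupd: firmware updated to 2.3.1 ticket=CHG-1042",
    "host3 fwupd: firmware updated to 2.3.1 ticket=none",
    "host3 pkg: installed cryptominer-0.1 ticket=none",
]
# A burst of identical SYNs to stand in for a flood against one service.
SAMPLE_LOGS += ["edge-fw: SYN from 192.0.2.9 to 10.0.0.5:443"] * 300

# Hypothetical line formats (assumption; real log formats vary widely).
FAILED_LOGIN = re.compile(
    r"^(?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")
SYN_SEEN = re.compile(r"^(?P<fw>\S+): SYN from (?P<src>\S+) to (?P<dst>\S+)$")
SYSTEM_CHANGE = re.compile(
    r"^(?P<host>\S+) (?P<agent>fwupd|pkg): (?P<what>.+) ticket=(?P<ticket>\S+)$")
# "Owner's consent" is modelled as an approved change ticket (assumption).
APPROVED_TICKET = re.compile(r"^CHG-\d+$")


def triage(lines, failed_threshold=5, syn_threshold=200):
    """Return incident records for events that meet the article's definitions.

    Each record is a dict with 'category', 'host' and 'evidence'. Change
    events are reported as they are seen; access attempts and SYN floods
    are aggregated first because a single line is not yet an incident.
    """
    failed = Counter()   # (host, source address) -> failed login count
    syns = Counter()     # (source, destination) -> SYN count
    incidents = []

    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            failed[(m["host"], m["src"])] += 1
            continue
        m = SYN_SEEN.match(line)
        if m:
            syns[(m["src"], m["dst"])] += 1
            continue
        m = SYSTEM_CHANGE.match(line)
        if m and not APPROVED_TICKET.match(m["ticket"]):
            # Change to firmware/software without a consent record.
            incidents.append({"category": "unauthorized_change",
                              "host": m["host"], "evidence": m["what"]})

    # Repeated failed logins from one source: an attempt to gain access.
    for (host, src), n in sorted(failed.items()):
        if n >= failed_threshold:
            incidents.append({"category": "unauthorized_access_attempt",
                              "host": host,
                              "evidence": f"{n} failed logins from {src}"})

    # A SYN count above the threshold against one target: denial of service.
    for (src, dst), n in sorted(syns.items()):
        if n >= syn_threshold:
            incidents.append({"category": "denial_of_service",
                              "host": dst,
                              "evidence": f"{n} SYNs from {src}"})
    return incidents


if __name__ == "__main__":
    for record in triage(SAMPLE_LOGS):
        print(f"{record['category']:28} {record['host']:14} {record['evidence']}")
```

The point of the aggregation step is that the article's definition hinges on "adverse" or "policy-violating" activity, not on single events: one failed login is noise, five from the same source within the window is a reportable attempt, and a successful login (the `Accepted password` line) is deliberately not flagged. A real program would replace the fixed thresholds and the ticket regex with the organization's own policy, which is exactly the per-organization tailoring the article says every program needs.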