12 incident management mapping

Upload: feredo

Post on 08-Apr-2018


TRANSCRIPT

  • 8/6/2019 12 Incident Management Mapping

    1/12

  • 2/12

    Incident Management Best Practice Model

  • 3/12

    Incident Management (top-level workflow diagram). The diagram shows the five processes and the flows between them; only the process names, conditions, and labelled inputs and outputs are recoverable from the page.

    PC: Prepare, sustain, and improve CSIRT process. Inputs: CSIRT process needs and the current CSIRT capability (from any activity within or outside the CSIRT process); CSIRT process changes, response information, and response actions and decisions (from R). Outputs: initial CSIRT capability (if a CSIRT capability is initially being established); current CSIRT capability (if it is not modified or improved); modified CSIRT capability (if it is modified or improved); infrastructure protection improvements to PI (if improvements to the infrastructure are required); lessons learned to stakeholders (if internal and external stakeholders need to be notified) and to the archive (if archival of lessons learned is required).

    PI: Protect infrastructure. Inputs: current infrastructure (from any activity within or outside the CSIRT process); infrastructure protection improvements (from PC). Outputs: event reports to D (if a potential incident is identified during an infrastructure evaluation); current infrastructure (if it is not improved); hardened infrastructure (if it is improved).

    D: Detect events. Inputs: general indicators and general requests/reports (from any activity within or outside the CSIRT process); event reports (from PI). Outputs: event information to T (if the event requires further incident management action); reassigned event to another organizational process (if the event is reassigned outside of the incident management process); closed events to the archive (if the event is closed).

    T: Triage events. Input: event information (from D). Outputs: assigned event to R (if the event requires further incident management action); reassigned event to another organizational process (if the event is reassigned outside of the incident management process); closed events to the archive (if the event is closed).

    R: Respond to incident. Input: assigned event (from T). Outputs: proposed CSIRT process changes, response information, and response actions and decisions to PC9: Conduct Postmortem Review (if a postmortem review is required); response information and response actions and decisions to stakeholders (if internal and external stakeholders need to be notified), to participants, and to another organizational process (if the response is reassigned outside of the incident management process); reassigned events to another organizational process (if the event is reassigned outside of the incident management process); response documentation to the archive and formal notification of closure to participants (if the response is complete).

  • 4/12

    PC: Prepare, Sustain, and Improve CSIRT Process (workflow diagram)

    Trigger 1: When a CSIRT capability is initially being established, Processes PC1 through PC7 are completed.

    Trigger 2: When changes or improvements to an existing CSIRT capability have been identified through means other than an evaluation, Processes PC10 and PC11 are completed. PC9 is optional. It is completed only when a postmortem review is needed to identify CSIRT process improvements.

    Trigger 3: When an existing CSIRT capability is evaluated, then PC8 is conducted. PC10 and PC11 may also be completed, depending on the results of the evaluation.

    Planning and design (PC1 through PC4), driven by CSIRT process needs: PC1 Identify CSIRT requirements (output: CSIRT requirements); PC2 Establish CSIRT vision (output: CSIRT requirements and vision); PC3 Obtain sponsorship and funding for CSIRT (output: CSIRT sponsorship and funding); PC4 Develop CSIRT implementation plan (output: CSIRT implementation plan). Note: Planning and design require a coordination effort.

    Implementation (PC5 through PC7): PC5 Develop CSIRT policies, procedures, and plans; PC6 Establish CSIRT incident handling criteria; PC7 Deploy defined CSIRT resources (outputs: CSIRT policies, procedures, and plans; CSIRT incident handling criteria; CSIRT resources). Note: Implementation requires a coordination effort.

    Evaluation and improvement: PC8 Evaluate CSIRT capability takes the current CSIRT capability and, if actions to modify, sustain, or improve the current CSIRT capability are identified, produces actions to sustain or improve a CSIRT process. PC9 Conduct postmortem review takes proposed CSIRT process changes, response information, and response actions and decisions (from R1: Respond to Technical Issues, R2: Respond to Management Issues, and R3: Respond to Legal Issues) and produces CSIRT process improvements (if improvements to the CSIRT process are required), infrastructure protection improvements to PI2: Determine Infrastructure Protection Requirements (if improvements to the infrastructure are required), and lessons learned to stakeholders (if internal and external stakeholders need to be notified) and to the archive (if archival of lessons learned is required). PC10 Determine CSIRT process modifications produces CSIRT process modification requirements, and PC11 Implement CSIRT process modifications produces the modified CSIRT capability; if the current CSIRT capability is not modified or improved, the current CSIRT capability is the output.

  • 5/12

    PI: Protect Infrastructure (workflow diagram)

    Trigger 1: When the current infrastructure is evaluated, then PI1 is conducted. PI2 and PI3 may also be completed, depending on the results of the evaluation.

    Trigger 2: When improvements to the current infrastructure have been identified through means other than an evaluation, Processes PI2 and PI3 are completed.

    PI1 Evaluate infrastructure takes the current infrastructure (from any activity within or outside the CSIRT process). If a potential incident is identified during an infrastructure evaluation, it sends event reports to D2: Receive Information. If improvements to the current infrastructure are identified, it produces infrastructure protection improvements; if the current infrastructure will not be improved, the current infrastructure is the output.

    PI2 Determine infrastructure protection requirements takes infrastructure protection improvements (from PI1 or from PC9: Conduct Postmortem Review) and, if requirements to harden the current infrastructure are identified, produces infrastructure protection requirements; if the current infrastructure will not be improved, the current infrastructure is the output.

    PI3 Harden and secure infrastructure takes the infrastructure protection requirements and produces the hardened infrastructure.

  • 6/12

    D: Detect Events (workflow diagram)

    Inputs, from any activity inside or outside of the organization and from PI1: Evaluate Infrastructure: general indicators, event reports, and general requests/reports.

    Reactive path: D1 Notice events (reactive) produces event reports; D2 Receive information takes event reports and general requests/reports and produces event information.

    Proactive path: D3 Monitor indicators (proactive) takes general indicators and produces event indicators; D4 Analyze indicators takes event indicators and produces event information.

    Outputs (from D2 and D4): event information to T1: Categorize Events (if the event requires further incident management action); reassigned events to other organizational processes (if the event is reassigned outside of the incident management process); closed events to the archive (if the event is closed).

  • 7/12

    T: Triage Events (workflow diagram)

    Input: event information from D2: Receive Information and D4: Analyze Indicators.

    T1 Categorize and correlate events produces categorized events. If the event requires prioritization, T2 Prioritize events produces prioritized events. T3 Assign events produces assigned events: to R1: Respond to Technical Issues if the event is assigned to a technical response, or to R2: Respond to Management Issues if the event is assigned to a management response.

    At each step, if the event is reassigned outside of the incident management process, reassigned events go to other organizational processes; if the event is closed, closed events go to the archive.

  • 8/12

    R: Respond (workflow diagram)

    Input: assigned events from T3: Assign Events. Note: Multiple responses require a coordination effort (coordinate technical, management, and legal responses).

    R1 Respond to technical issues produces technical response information, technical response actions and decisions, technical response documentation, and reassigned events. R2 Respond to management issues produces management response information, management response actions and decisions, management response documentation, and reassigned events. If the response includes legal issues, R3 Respond to legal issues receives assigned events and produces legal response information, legal response actions and decisions, legal response documentation, and reassigned events. Each response includes external communication with others.

    Outputs of the combined response: proposed CSIRT process changes, response information, and response actions and decisions to PC9: Conduct Postmortem Review (if a postmortem review is required); response information and response actions and decisions to stakeholders (if internal and external stakeholders need to be notified) and to another organizational process (if the response is reassigned outside of the incident management process); reassigned events to another organizational process (if the event is reassigned outside of the incident management process); response documentation to the archive and formal notification of closure to participants (if the response is complete).

  • 9/12

    R1: Respond to Technical Issues (workflow diagram)

    Input: assigned events from T3: Assign Events.

    R1.1 Analyze event (technical) produces technical incident information. If the event is closed or is reassigned outside of the incident management process at this point, it goes no further; reassigned events go to another organizational process. If the incident requires a technical response, R1.2 Plan response strategy (technical) produces the technical response strategy, and R1.3 Coordinate and respond to incident (technical) carries it out, including external communication with others. If the technical response is ineffective and additional analysis is required, the technical response information and technical response actions and decisions return to R1.1. If the technical response is complete, R1.4 Close technical response produces the technical response documentation and the technical response closing rationale.

    Outputs: proposed CSIRT process changes, technical response information, and technical response actions and decisions to PC9: Conduct Postmortem Review (if a postmortem review is required); technical response information and technical response actions and decisions to stakeholders (if internal and external stakeholders need to be notified) and to another organizational process (if the incident is reassigned outside of the incident management process); technical response documentation, technical response information, technical response actions and decisions, and closing rationale to the archive; formal notification of closure to participants.

    Note: If management or legal responses are part of an overall coordinated response, the coordination of all responses is embedded in R1.2, R1.3, and R1.4.

  • 10/12

    R2: Respond to Management Issues (workflow diagram)

    Input: assigned events from T3: Assign Events.

    R2.1 Analyze event (management) produces management information. If the event is closed or is reassigned outside of the incident management process at this point, it goes no further; reassigned events go to other organizational processes. If a management response is required, R2.2 Plan response strategy (management) produces the management response strategy, and R2.3 Coordinate and respond to incident (management) carries it out, including external communication with others. If the management response is ineffective and additional analysis is required, the management response information and management response actions and decisions return to R2.1. If the management response is complete, R2.4 Close management response produces the management response documentation and the management response closing rationale.

    Outputs: proposed CSIRT process changes, management response information, and management response actions and decisions to PC9: Conduct Postmortem Review (if a postmortem review is required); management response information and management response actions and decisions to stakeholders (if internal and external stakeholders need to be notified) and to another organizational process (if the management response is reassigned outside of the incident management process); management response documentation, management response information, management response actions and decisions, and closing rationale to the archive; formal notification of closure to participants.

    Note: If technical or legal responses are part of an overall coordinated response, the coordination of all responses is embedded in R2.2, R2.3, and R2.4.

  • 11/12

    R3: Respond to Legal Issues (workflow diagram)

    Input: assigned events from R2: Respond to Management Issues.

    R3 Respond to legal issues is shown as a single process that includes external communication with others.

    Outputs: proposed CSIRT process changes, legal response information, and legal response actions and decisions to PC: Prepare, Sustain, and Improve CSIRT Process (if a postmortem review is required); reassigned events to another organizational process (if the event is reassigned outside of the incident management process); legal response information and legal response actions and decisions to stakeholders (if internal and external stakeholders need to be notified) and to another organizational process (if the legal response is reassigned outside of the incident management process); legal response documentation to the archive and formal notification of closure to participants (if the legal response is complete).

  • 12/12

    Incident Response Starts Before an Incident Occurs