12 Incident Management Mapping
8/6/2019

2
Incident Management Best Practice Model

3
Incident Management

Top-level workflow. Five processes (PC, PI, D, T, R); for each, the inputs it receives and the condition under which each output leaves it.

PC  Prepare, sustain, and improve CSIRT process
    Inputs: CSIRT process needs and current CSIRT capability (from any activity within the CSIRT process or from activities outside it); CSIRT process changes, response information, and response actions and decisions (from R: Respond to Incidents).
    If a CSIRT capability is initially being established -> initial CSIRT capability
    If the current CSIRT capability is not modified or improved -> current CSIRT capability
    If the current CSIRT capability is modified or improved -> modified CSIRT capability
    If improvements to the infrastructure are required -> infrastructure protection improvements (to PI: Protect Infrastructure)
    If internal and external stakeholders need to be notified -> lessons learned (to stakeholders)
    If archival of lessons learned is required -> lessons learned (to archive)

PI  Protect infrastructure
    Inputs: current infrastructure; infrastructure protection improvements (from PC, or from any activity within the CSIRT process or from activities outside it).
    If a potential incident is identified during an infrastructure evaluation -> event reports (to D: Detect Events)
    If the current infrastructure is not improved -> current infrastructure
    If the current infrastructure is improved -> hardened infrastructure

D   Detect events
    Inputs: general indicators (from any activity within the CSIRT process or from activities outside it); event reports (from PI: Protect Infrastructure).
    If event requires further incident management action -> event information (to T: Triage Events)
    If event is reassigned outside of incident management process -> reassigned event (to other organizational process)
    If event is closed -> closed events (to archive)

T   Triage events
    Input: event information (from D: Detect Events).
    If event requires further incident management action -> assigned event (to R: Respond to Incident)
    If event is reassigned outside of incident management process -> reassigned event (to other organizational process)
    If event is closed -> closed events (to archive)

R   Respond to incident
    Inputs: assigned event (from T: Triage Events); general requests/reports (from any activity within the CSIRT process or from activities outside it).
    If a postmortem review is required -> proposed CSIRT process changes, response information, response actions and decisions (to PC9: Conduct Postmortem Review)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational process)
    If response is reassigned outside of incident management process -> response information, response actions and decisions (to other organizational process)
    If internal and external stakeholders need to be notified -> response information, response actions and decisions (to stakeholders)
    If response is complete -> response documentation (to archive); formal notification of closure (to participants)


4
PC: Prepare, Sustain, and Improve CSIRT Process

Trigger 1: When a CSIRT capability is initially being established, processes PC1 through PC7 are completed.
Trigger 2: When changes or improvements to an existing CSIRT capability have been identified through means other than an evaluation, processes PC10 and PC11 are completed. PC9 is optional; it is completed only when a postmortem review is needed to identify CSIRT process improvements.
Trigger 3: When an existing CSIRT capability is evaluated, PC8 is conducted. PC10 and PC11 may also be completed, depending on the results of the evaluation.

Input to PC1: CSIRT process needs (from any activity within the CSIRT process or from activities outside it).

Coordinate planning and design (note: planning and design require a coordination effort)
PC1  Identify CSIRT requirements -> CSIRT requirements
PC2  Establish CSIRT vision -> CSIRT requirements and vision
PC3  Obtain sponsorship and funding for CSIRT -> CSIRT sponsorship and funding
PC4  Develop CSIRT implementation plan -> CSIRT implementation plan

Coordinate implementation (note: implementation requires a coordination effort)
PC5  Develop CSIRT policies, procedures, and plans -> CSIRT policies, procedures, and plans
PC6  Establish CSIRT incident handling criteria -> CSIRT incident handling criteria
PC7  Deploy defined CSIRT resources -> CSIRT resources

PC8  Evaluate CSIRT capability (input: current CSIRT capability)
    If actions to modify, sustain, or improve the current CSIRT capability are identified -> actions to sustain or improve a CSIRT process (to PC10)
    If the current CSIRT capability is not modified or improved -> current CSIRT capability

PC9  Conduct postmortem review (input: proposed CSIRT process changes, response information, response actions and decisions, from R1: Respond to Technical Issues, R2: Respond to Management Issues, and R3: Respond to Legal Issues)
    If improvements to the CSIRT process are required -> CSIRT process improvements (to PC10)
    If improvements to the infrastructure are required -> infrastructure protection improvements (to PI2: Determine Infrastructure Protection Requirements)
    If internal and external stakeholders need to be notified -> lessons learned (to stakeholders)
    If archival of lessons learned is required -> lessons learned (to archive)

PC10 Determine CSIRT process modifications (inputs: current CSIRT capability; actions to sustain or improve a CSIRT process from PC8; CSIRT process improvements from PC9)
    If the current CSIRT capability is modified or improved -> CSIRT process modification requirements (to PC11)
    If the current CSIRT capability is not modified or improved -> current CSIRT capability

PC11 Implement CSIRT process modifications -> modified CSIRT capability


5
PI: Protect Infrastructure

Trigger 1: When the current infrastructure is evaluated, PI1 is conducted. PI2 and PI3 may also be completed, depending on the results of the evaluation.
Trigger 2: When improvements to the current infrastructure have been identified through means other than an evaluation, processes PI2 and PI3 are completed.

PI1  Evaluate infrastructure (input: current infrastructure)
    If a potential incident is identified during an infrastructure evaluation -> event reports (to D2: Receive Information)
    If improvements to the current infrastructure are identified -> infrastructure protection improvements (to PI2)
    If the current infrastructure will not be improved -> current infrastructure

PI2  Determine infrastructure protection requirements (input: infrastructure protection improvements, from PI1, from PC9: Conduct Postmortem Review, or from any activity within the CSIRT process or from activities outside it)
    If requirements to harden the current infrastructure are identified -> infrastructure protection requirements (to PI3)
    If the current infrastructure will not be improved -> current infrastructure

PI3  Harden and secure infrastructure -> hardened infrastructure


6
D: Detect Events

Inputs: general indicators (from any activity inside or outside the organization); event reports (from PI1: Evaluate Infrastructure); general requests/reports.

D1  Notice events (reactive) -> event reports (to D2)
D2  Receive information (inputs: event reports from D1 and from PI1; general requests/reports) -> event information
D3  Monitor indicators (proactive) (input: general indicators) -> event indicators (to D4)
D4  Analyze indicators -> event information

Exits from D2 and D4:
    If event requires further incident management action -> event information (to T1: Categorize Events)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational processes)
    If event is closed -> closed events (to archive)


7
T: Triage Events

Input: event information (from D2: Receive Information and from D4: Analyze Indicators).

T1  Categorize and correlate events
    If event requires prioritization -> categorized events (to T2)
T2  Prioritize events -> prioritized events (to T3)
T3  Assign events
    If event is assigned to a technical response -> assigned events (to R1: Respond to Technical Issues)
    If event is assigned to a management response -> assigned events (to R2: Respond to Management Issues)

Other exits (shown for both T1 and T3 in the diagram):
    If event is reassigned outside of incident management process -> reassigned events (to other organizational process)
    If event is closed -> closed events (to archive)


8
R: Respond

Input: assigned events (from T3: Assign Events).

Coordinate technical, management, and legal responses (note: multiple responses require a coordination effort)
R1  Respond to technical issues -> technical response information; technical response actions and decisions; technical response documentation; reassigned events
R2  Respond to management issues -> management response information; management response actions and decisions; management response documentation; reassigned events
R3  Respond to legal issues (if response includes legal) -> legal response information; legal response actions and decisions; legal response documentation; reassigned events
All three involve external communication with others.

Exits:
    If a postmortem review is required -> proposed CSIRT process changes, response information, response actions and decisions (to PC9: Conduct Postmortem Review)
    If internal and external stakeholders need to be notified -> response information, response actions and decisions (to stakeholders)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational process)
    If response is reassigned outside of incident management process -> response information, response actions and decisions (to other organizational process)
    If response is complete -> response documentation (to archive); formal notification of closure (to participants)


9
R1: Respond to Technical Issues

Input: assigned events (from T3: Assign Events).

R1.1 Analyze event (technical)
    If incident requires a technical response -> technical incident information (to R1.2)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational process)
    If event is closed -> technical information, technical response actions and decisions (to archive)
R1.2 Plan response strategy (technical) -> technical response strategy (to R1.3)
R1.3 Coordinate and respond to incident (technical); includes external communication with others
    If technical response is ineffective and additional analysis is required -> technical incident information (back to R1.1)
    If incident is reassigned outside of incident management process -> technical response information, technical response actions and decisions (to other organizational process)
    If a postmortem review is required -> proposed CSIRT process changes, technical response information, technical response actions and decisions (to PC9: Conduct Postmortem Review)
    If internal and external stakeholders need to be notified -> technical response information, technical response actions and decisions (to stakeholders)
    If technical response is complete -> technical response information, technical response actions and decisions, technical response closing rationale (to R1.4)
R1.4 Close technical response -> technical response documentation (to archive); technical response information and closing rationale; formal notification of closure (to participants)

Note: If management or legal responses are part of an overall coordinated response, the coordination of all responses is embedded in R1.2, R1.3, and R1.4.


10
R2: Respond to Management Issues

Input: assigned events (from T3: Assign Events).

R2.1 Analyze event (management)
    If a management response is required -> management information (to R2.2)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational processes)
    If event is closed -> management information, management response actions and decisions (to archive)
R2.2 Plan response strategy (management) -> management information, management response strategy (to R2.3)
R2.3 Coordinate and respond to incident (management); includes external communication with others
    If management response is ineffective and additional analysis is required -> management information (back to R2.1)
    If management response is reassigned outside of incident management process -> management response information, management response actions and decisions (to other organizational process)
    If a postmortem review is required -> proposed CSIRT process changes, management response information, management response actions and decisions (to PC9: Conduct Postmortem Review)
    If internal and external stakeholders need to be notified -> management response information, management response actions and decisions (to stakeholders)
    If management response is complete -> management response information, management response actions and decisions, management response closing rationale (to R2.4)
R2.4 Close management response -> management response documentation (to archive); management response information and closing rationale; formal notification of closure (to participants)

Note: If technical or legal responses are part of an overall coordinated response, the coordination of all responses is embedded in R2.2, R2.3, and R2.4.


11
R3: Respond to Legal Issues

Input: assigned events (from R2: Respond to Management Issues).

R3  Respond to legal issues; includes external communication with others
    If a postmortem review is required -> proposed CSIRT process changes, legal response information, legal response actions and decisions (to PC: Prepare, Sustain, and Improve CSIRT Process)
    If event is reassigned outside of incident management process -> reassigned events (to other organizational process)
    If legal response is reassigned outside of incident management process -> legal response information, legal response actions and decisions (to other organizational process)
    If internal and external stakeholders need to be notified -> legal response information, legal response actions and decisions (to stakeholders)
    If legal response is complete -> legal response documentation (to archive); formal notification of closure (to participants)

12
Incident Response Starts Before an IncidentOccurs