Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security. Incidents involving these threats, including computer viruses, malicious user activity, and vulnerabilities associated with high technology, require a skilled and rapid response before they can cause significant damage. These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to computer security incidents. CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented.

This publication provides guidance for those interested in establishing a CSIRC. It describes why traditional computer security efforts may not be sufficient in light of more recent threats. This guide discusses some of the considerations in establishing a CSIRC as well as the organizational, technical, and legal issues connected with a CSIRC operation.

Chapter one of this guide serves as an introduction. Chapter two presents an overview of a CSIRC, including reasons for CSIRC activity, the CSIRC concept, its goals, components, and interaction with existing agency computer security efforts. Chapter three deals with issues and factors associated with establishing an agency CSIRC. Chapter four describes some of the issues associated with operating and maintaining a CSIRC. The appendices contain an annotated bibliography for further reading on computer security and incident handling and information on FIRST, the Forum of Incident Response and Security Teams.
NIST Special Publication 800-3