Page 1186 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Managing Incident Response


One of the primary goals of any security program is to prevent security incidents. However, despite best efforts of information technology (IT) and security professionals, incidents do occur. When they happen, an organization must be able to respond to limit or contain the incident. The primary goal of incident response is to minimize the impact on the organization.

Defining an Incident

Before digging into incident response, it's important to understand the definition of an incident. Although that may seem simple, you'll find that there are different definitions depending on the context.

An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization's assets. Information Technology Infrastructure Library version 3 (ITILv3) defines an incident as "an unplanned interruption to an IT Service or a reduction in the quality of an IT Service." Notice that these definitions encompass events as diverse as direct attacks, natural occurrences such as a hurricane or earthquake, and even accidents, such as someone accidentally cutting cables for a live network.

In contrast, a computer security incident (sometimes called just security incident) commonly refers to an incident that is the result of an attack, or the result of malicious or intentional actions on the part of users. For example, request for comments (RFC) 2350, "Expectations for Computer Security Incident Response," defines both a security incident and a computer security incident as "any adverse event which compromises some aspect of computer or network security." National Institute of Standards and Technology (NIST) special publication (SP) 800-61, "Computer Security Incident Handling Guide," defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." (NIST documents, including SP 800-61, can be accessed from the NIST publications