The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents.

NIST, in Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide, spells out what incident-response capabilities are necessary to rapidly detect incidents, minimize loss and destruction, mitigate weaknesses that were exploited and restore IT services.

Revision 2 updates the original guidance to reflect changes in attacks and incidents. “Understanding threats and identifying modern attacks in their early stages is key to preventing subsequent compromises, and proactively sharing information among organizations regarding the signs of these attacks is an increasingly effective way to identify them,” NIST says in the introduction to the guide.

NIST says its revised guide provides step-by-step instructions for new, or well-established, incident response teams to create a proper policy and plan. NIST recommends that each plan should have a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability and a built-in process for updating the plan as needed. The guide recommends reviewing each incident afterward to prepare for future attacks and to provide stronger protections of systems and data.

“This revised version encourages incident teams to think of the attack in three ways,” says guide co-author Tim Grance. “One is by method – what’s happening and what needs to be fixed. Another is to consider an attack’s impact by measuring how long the system was down, what type of information was stolen and what resources are required to recover from the incident. Finally, share information and coordination methods to help your team and others handle major incidents.”

The Recommendations

The guide advises organizations to:

  1. Reduce the frequency of incidents by effectively securing networks, systems and applications.
  2. Document their guidelines for interactions with other organizations regarding incidents. Because these communications often need to occur quickly, organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties.
  3. Be generally prepared to handle any incident but should focus on being prepared to handle incidents that use the most common attack vectors. Incidents can occur in countless ways, so it’s not feasible to develop step-by-step instructions for handling every incident.
  4. Emphasize the importance of incident detection and analysis throughout the organization. Millions of possible signs of incidents may occur each day so automation is needed to perform an initial analysis of the data and select events of interest for review.
  5. Create written guidelines for prioritizing incidents. Incidents should be prioritized based on relevant factors, such as the functional impact of the incident (e.g., current and likely future negative impact to business functions), the information impact of the incident (e.g., effect on the confidentiality, integrity and availability of the organization’s information) and the recoverability from the incident (e.g., the time and types of resources that must be spent on recovering from the incident).
  6. Use the lessons learned process to gain value from incidents. After a major incident has been handled, the organization should hold a lessons-learned meeting to review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices.

NIST says the guidelines can be followed independently of particular hardware platforms, operating systems, protocols or applications organizations use.