7 Steps to Improve Breach Incident Handling
New NIST Guidance Targets Computer Incident ResponseNIST Wednesday announced it's seeking public comment on draft Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, which updates an earlier revision released in 2008.
See Also: Federal Agencies Tech Brief: Security Investigation, Detection and Rapid Response
The rapidly changing threat environment requires new approaches to IT security, and NIST says the revised guidance does that:
"Unlike most threats several years ago, which tended to be short-lived and easy to notice, many of today's threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts. Identifying these threats in their early stages is key to preventing subsequent compromises, and sharing information among organizations regarding the signs of these threats is an increasingly effective way to identify them."
The draft guidance offers seven key actions organizations should execute to handle effectively computer incidents:
- Create, provision and operate a formal incident response capability. For federal agencies, this is required by the Federal Information Security Management Act. Agencies must also report incidents to the United States Computer Emergency Readiness Team.
- Reduce the frequency of incidents by effectively securing networks, systems and applications.
- Document their guidelines for interactions with other organizations regarding incidents.
- Prepare to handle any type of incident and more specifically to handle common incident types.
- Emphasize the importance of incident detection and analysis throughout the organization.
- Create written guidelines to prioritize incidents.
- Use the lessons-learned process to gain value from incidents.
NIST requests comments on the draft guidance be submitted by March 16 to 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.