January 2018 Information technology - Security techniques - Information security incident management - Part 2: Guidelines to plan and prepare for incident response (Adopted ISO/IEC 27035-2:2016, first edition, 2016-11-01)
The current 2018 fifth edition of ISO/IEC 27000 is available legitimately from ITTF as a free download (a single-user PDF) in English and French. It was a minor revision of the 2016 fourth edition, adding a section on abbreviations and rationalising the metrics-related definitions following the rewrite of ISO/IEC 27004.
As of this writing, the latest ISO standard on incident management is ISO/IEC 27035-1:2016, "Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management." This international standard for incident response handling is current and covers cyber attacks. A revised edition is under development.
ISO/IEC 27035 is a multipart standard. Part 1, mentioned above, introduces incident management principles. Part 2 of the standard, ISO/IEC 27035-2, focuses on incident management preparation and planning.
NIST and ISO 27035-1 are similar in approach and overlap significantly. An important but subtle difference, however, is that the NIST "Computer Security Incident Handling Guide" (SP 800-61) focuses on incident handling, which covers the prevention, detection and response to incidents. ISO 27035-1 focuses on incident management, which is integrated broadly into other business management and risk reduction functions outside of the incident response organization.
If you do business outside the U.S., in Europe or the Middle East, you should look at ISO 27035-1, because the ISO 27000 family of security standards is almost universally adopted in these regions. Or you might choose the ISO 27000 family of standards to integrate security more easily into other business functions.
Participants will be provided with training material containing over 200 pages of information and practical examples.
A participation certificate of 14 CPD (Continuing Professional Development) credits will be issued.
In case of exam failure, you can retake the exam within 12 months free of charge.
ISO/IEC JTC 1/SC 27 N 11973
ISO/IEC JTC 1/SC 27 IT Security techniques
Secretariat: DIN (Germany)
Document type: Working Draft Text
Title: WG4N78_Text_f_2nd_WD_27035-3_20130121
Status: As per resolution 30 (contained in SC 27 N11941) of the 13th SC 27/WG 4 plenary meeting, held in Rome, Italy, 26 October 2012, this document is circulated for review and comment to WG 4 experts, National Bodies and liaison organizations of SC 27/WG 4. PLEASE submit your comments on the hereby attached document via the SC 27 e-balloting website at: due date 2013-03-20.
Secretariat's note: This request for comments is also concurrently being circulated as WG 4 document N78 for test purposes ONLY as part of the WG 4 Livelink trial via the Working Group Consultation application accessible at: For the test purposes the National Bodies and liaison organizations of SC 27/WG 4 are kindly invited to send their responses to the hereby attached document via the above-mentioned WG 4 Working Group Consultation application. Any responses received are greatly appreciated and will be taken into account when assessing the trial results and preparing a report for consideration at the next SC 27 Plenary in Sophia Antipolis, France, 29-30 April 2013.
Date of document: 2013-01-21
Source: Project editors
Expected action: COMM
Action due date: 2013-03-20
No. of pages: 1 + 1 + 46
Email of secretary: [email protected]
Committee URL:

ISO/IEC JTC 1/SC 27/WG 4 N 78
ISO/IEC JTC 1/SC 27/WG 4 Security controls and services
Secretariat: SABS
Document type: Request for comments
Title: Text for ISO/IEC 2nd WD 27035-3, Information technology - Security techniques - Information security incident management - Part 3: Guidelines for incident response operations
Status: As per resolution 30 (contained in SC 27 N11941) of the 13th SC 27/WG 4 plenary meeting, held in Rome, Italy, 26 October 2012, this document is circulated for review and comment to WG 4 experts, National Bodies and liaison organizations of SC 27/WG 4. A Working group consultation will be created for submissions to this request. Submissions should be sent directly via the SC 27/WG 4 commenting website at the action due date. A request for review and comment will be issued in parallel by SC 27 as SC 27 N11973.
Date of document: 2013-01-20
Source: Editors
Expected action: COMM
Action due date: 2013-03-20
No. of pages: 1 + 46
Email of secretary:
Committee URL:

© ISO/IEC 2013 All rights reserved
Document type: International Standard
Document subtype:
Document stage: (20) Preparatory
Document language: E

ISO/IEC JTC 1/SC 27 N 11973
Date: 2013-01-18
ISO/IEC WD 27035-3.2
ISO/IEC JTC 1/SC 27/WG 4
Secretariat: DIN

Information technology - Security techniques - Information security incident management - Part 3: Guidelines for incident response operations

Warning: This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
ISO/IEC WD 27035-3.2 © ISO/IEC 2013 All rights reserved

Copyright notice
This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.
Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO's member body in the country of the requester:
Secretariat of ISO/IEC JTC 1/SC 27
DIN German Institute for Standardization
DE-10772 Berlin
Tel. + 49 30 2601 2652
Fax + 49 30 2601 4 2652
E-mail [email protected]
Web (public web site) (SC 27 documents)
Reproduction for sales purposes may be subject to royalty payments or a licensing agreement. Violators may be prosecuted.

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Objectives
5 Incident management phases
5.1 Detection and reporting
5.1.1 Event detection
5.1.2 Event reporting
5.2 Assessment and decision
5.2.1 Assessment and initial decision by the PoC
5.2.2 Assessment and incident confirmation by the IRT
5.3 Responses
5.3.1 Immediate responses
5.3.2 Assessment of control over information security incidents
5.3.3 Later responses
5.3.4 Responses to crisis situations
5.3.5 Information security forensics analysis
5.3.6 Communications
5.3.7 Escalation
5.3.8 Activity logging and change control
6 Establishment of the Incident Response Teams (IRTs)
6.1 Types of the IRTs
6.2 Roles of IRTs
6.2.1 Fundamental duties of IRT
6.3 IRT organization
6.3.1 Staff skills and qualifications
7 Incident response operations
7.1 Incident criteria
7.2 Incident response processes
7.3 Monitoring and detection
7.3.1 Initial response
7.4 Incident response
7.4.1 Pre-response
7.4.2 Responses
7.5 Analysis
7.5.1 Reporting and post-operation
8 Incident handling
8.1 Denial of Service (DoS) handling
8.2 Malicious code handling
8.3 Information gathering
8.4 Inappropriate usage
8.5 Unauthorized access
Annex A (informative) Example of the incident criteria based on computer security events and incidents
A.1 Computer security events and incidents
A.1.1 Fundamental incident criteria
A.1.2 Impacts according to each incident type
A.1.3 Damage scale of incidents
A.1.4 Importance of the information/system
A.2 Incident alarm level
Annex B (informative) Example information security event, incident and vulnerability reports and forms
B.1 Introduction
B.2 Example items in records
B.2.1 Example items of the record for information security event
B.2.2 Example items of the record for information security incident
B.2.3 Example items of the record for information security vulnerability
B.3 How to use forms
B.3.1 Format of date and time
B.3.2 Notes for completion
B.4 Example forms
B.4.1 Example form for information security event report
B.4.2 Example form for information security incident report
B.4.3 Example form for information security vulnerability report
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.
National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27035-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.

This second/third/... edition cancels and replaces the first/second/... edition (ISO/CEI 27035:2011), [clause(s) / subclause(s) / table(s) / figure(s) / annex(es)] of which [has / have] been technically revised.

ISO/IEC 27035 consists of the following parts, under the general title Information technology - Security techniques - Information security incident management:
Part 1: Principles of incident management
Part 2: Guidelines to plan and prepare for incident response
Part 3: Guidelines for incident response operations

[Editor's note: Items highlighted in blue were moved over from 1st WD of 27035-1]

Introduction
The organizational structures for information security vary depending on the size and business field of enterprises and organizations.
As various and numerous network incidents (e.g. intrusion, hacking) occur and keep increasing every year, higher concerns about information security have been raised by enterprises. However, it is not easy to manage networks and systems securely, or to handle the various types of attack (such as DoS, worms and viruses) with network security equipment such as firewalls, IDS and IPS. Accordingly, in order to guarantee protection of information and to handle incidents efficiently, a dedicated organization is required. However, it is not easy to establish IRTs efficiently and to operate IRT tasks such as monitoring, detection, analysis, etc. In addition, proper monitoring, detection, analysis and response activities are required on the collected data or security events. Therefore, this International Standard provides guidance on information security incident management in Clause 5 to Clause 7. The clauses consist of several sub-clauses, which include detailed incident response operations.

Information technology - Security techniques - Information security incident management - Part 3: Guidelines for incident response operations

1 Scope
This International Standard provides guidelines for efficient incident management, response and IRT operation. It also includes the following:
a) organization and formation of incident response teams (IRT),
b) roles and responsibilities of IRT staff,
c) practical IRT activities, and
d) incident handling.
This standard, along with ISO/IEC 27035-1 and ISO/IEC 27035-2, provides guidance on practical operation and response guidelines to take practical actions against evolving.

2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology - Security techniques - Information security management systems - Overview and vocabulary
ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC 27002, Information technology - Security techniques - Code of practice for information security management
ISO/IEC 27005, Information technology - Security techniques - Information security risk management
ISO/IEC 27035-1, Information technology - Security techniques - Information security incident management - Part 1: Principles of incident management
ISO/IEC 27035-2, Information technology - Security techniques - Information security incident management - Part 2: Guidelines to plan and prepare for incident response

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

3.1 incident response team (IRT)
a team of appropriately skilled and trusted members of the organization that handles incidents during their lifecycle
NOTE The IRT as described in this International Standard is an organizational function that covers the process for information security incidents and is focused mainly on IT-related incidents. Other common functions (with similar abbreviations) within incident handling may have a slightly different scope and purpose. The following are commonly used abbreviations, though not exactly the same:
CERT: A Computer Emergency Response Team mainly focuses on Information and Communications Technology (ICT) incidents. There may be other specific national definitions for CERT.
CSIRT: A Computer Security Incident Response Team is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. These services are usually performed for a defined constituency, which could be a parent entity such as a corporation, governmental organization, or educational organization; a region or country; a research network; or a paid client.
3.2 information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant
[ISO/IEC 27000:2009]

3.3 information security incident
single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
[ISO/IEC 27000:2009]

3.4 information security incident management
processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents
[ISO/IEC 27000:2009]

3.5 incident handling
actions of detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents

3.6 incident response
actions taken to protect and restore the normal operational conditions of an information system and the information stored in it when an information security incident occurs
[Adapted from ISO/IEC 3rd WD 27039]

3.7 point of contact (PoC)
identification of, and means of communication with, person(s) and organization(s) associated with the resource(s)
NOTE A PoC (also single point of contact or SPOC) can be a person or a department serving as the coordinator or focal point of information concerning an activity or program. PoCs are used in many cases where information is time-sensitive and accuracy is important.
3.8 information security forensics
application of investigation and analysis techniques to capture, record and analyse information security incidents

4 Overview
As computer and communication technologies continuously advance, the types of cyber threat are also evolving, making information more vulnerable than before. Today, many IT organizations are creating separate security divisions or teams to tactically address the concern. The main role of those organizations is focused on information security and responses to cyber attacks and threats. In addition to those separate organizations, teams such as IRTs, consisting of incident response experts, are required to manage various incidents efficiently. Thus, practical guidelines for IRTs on management, operation and response should be provided. This standard provides the role of the IRT, the qualifications and responsibilities of IRT members, incident response procedures and operation, etc.

4.1 Objectives
This standard is intended to provide guidelines for efficient incident management, planning, preparing for response and practical operation, along with ISO/IEC 27035-1 and ISO/IEC 27035-2.

5 Incident management phases
5.1 Detection and reporting
5.1.1 Event detection
Information security events could be detected directly by a person or persons noticing something that gives cause for concern, whether technical, physical or procedural. Detection could be, for example, from fire/smoke detectors or intruder (burglar) alarms, with the alerts notifying pre-designated locations for human action. Technical information security events could be detected by automatic means, for example alerts made by audit trail analysis facilities, firewalls, intrusion detection systems and anti-malicious code (including anti-virus) tools, in each case stimulated by pre-set parameters.
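The following is an added example of what "audit trail analysis stimulated by pre-set parameters" looks like in practice; it is not part of the ISO/IEC 27035-3 draft. A sliding-window rule runs over sshd-style log lines and raises an information security event record (with the detection time, observation and detection source that the reporting form in 5.1.2 asks for) once one source address exceeds a failed-login threshold inside a time window. The log lines, host name, addresses, threshold and window are all constructed for the example.

```python
"""Added example, not part of the ISO/IEC 27035-3 draft: audit-trail analysis
"stimulated by pre-set parameters". A sliding-window rule over sshd-style log
lines raises an information security event when one source address exceeds
FAILED_THRESHOLD failed logins within WINDOW_SECONDS. The log lines, host
name, addresses and thresholds below are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Pre-set detection parameters (assumed values; tune per organization).
FAILED_THRESHOLD = 5
WINDOW_SECONDS = 60

# Matches OpenSSH failed-password records prefixed with an ISO 8601 timestamp.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample audit trail: one burst from 203.0.113.7, two widely
# spaced failures from 198.51.100.9, and one successful login to ignore.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 bastion sshd[2311]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "2024-03-01T10:00:05 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2",
    "2024-03-01T10:00:09 bastion sshd[2314]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2",
    "2024-03-01T10:00:12 bastion sshd[2315]: Failed password for root from 203.0.113.7 port 51540 ssh2",
    "2024-03-01T10:00:20 bastion sshd[2316]: Failed password for alice from 198.51.100.9 port 40030 ssh2",
    "2024-03-01T10:00:25 bastion sshd[2317]: Failed password for invalid user oracle from 203.0.113.7 port 51550 ssh2",
    "2024-03-01T10:00:33 bastion sshd[2318]: Failed password for root from 203.0.113.7 port 51560 ssh2",
    "2024-03-01T10:05:00 bastion sshd[2320]: Failed password for alice from 198.51.100.9 port 40040 ssh2",
]


def detect_failed_login_bursts(lines, threshold=FAILED_THRESHOLD, window=WINDOW_SECONDS):
    """Return one event record per source address that trips the rule.

    Each record carries what the event reporting form asks for first:
    time/date of detection, the observation, and the detection source.
    An address is reported once, at the line that first trips the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> accounts it tried
    flagged = set()
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not a failed-login record
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        window_q = recent[ip]
        window_q.append(ts)
        users[ip].add(m["user"])
        # Drop failures older than the window relative to this one.
        while (ts - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) >= threshold and ip not in flagged:
            flagged.add(ip)
            events.append({
                "detected_at": ts.isoformat(),
                "detection_source": "audit trail analysis (sshd)",
                "observation": (f"{len(window_q)} failed logins from {ip} within "
                                f"{window}s against {len(users[ip])} account(s)"),
                "source_ip": ip,
                "targeted_users": sorted(users[ip]),
            })
    return events


if __name__ == "__main__":
    for event in detect_failed_login_bursts(SAMPLE_LOG):
        print(event)
```

With the default parameters only 203.0.113.7 is reported, at the fifth failure (10:00:33); the two failures from 198.51.100.9 are 280 seconds apart and never share a 60-second window. Lowering the threshold or widening the window changes which sources trip the rule, which is the sense in which detection is "stimulated by pre-set parameters": the parameters are part of the detection design and should be recorded with the event.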
Possible information security event detection sources include the following:
a) users,
b) line managers and security managers,
c) customers,
d) IT department, including Network Operations Center and Security Operations Center (through 2nd level support),
e) IT help desk (through 1st level support),
f) managed service providers (including ISPs, telecommunication service providers, and suppliers),
g) IRTs,
h) other units and staff that may detect anomalies during their daily work,
i) mass media (newspaper, television, etc.), and
j) websites (public security information websites, websites by security researchers, defacement archive websites, etc.).

5.1.2 Event reporting
Whatever the source of the detection of an information security event, the person notified by automatic means, or directly noticing something unusual, is responsible for initiating the detection and reporting process. This could be any member of an organization's personnel, whether permanent or contracted. The person should follow the procedures and use the information security event reporting form specified by the information security incident management scheme, to bring the information security event to the attention of the PoC and management. Accordingly, it is essential that all personnel are well aware of, and have access to, the guidelines for reporting the different types of possible information security events. This includes the format of the information security event reporting form and details of the personnel who should be notified on each occasion (all personnel should at least be aware of the format of the information security incident reporting form, to aid their understanding of the scheme). It should be noted that fixed telephones, cordless phones and mobile telephones without safeguards against tapping are considered not safe. When dealing with highly confidential or secret information, additional safeguards should be taken.
The following information can be used as the basis for an incident tracking system form: time/date of detection, observations, and contact information (optional). The completed form (either paper-based or electronic) should be used by IRT personnel only when registering information security events (possibly incidents) or vulnerabilities in the Incident Tracking System. It is more crucial to obtain knowledge/reports of a suspected/experienced/detected information security event than to be complete with all information.

Information security event (possibly incident) tracking should be supported, whenever possible, by an automated application. The use of an information system is essential to force personnel to follow established procedures and checklists. It is also extremely helpful to keep track of who did what and when, details that could be missed by mistake during an information security event (possibly incident).

How an information security event is handled is dependent upon what it is, and the implications and repercussions that may flow from it. For many people, this will be a decision beyond their competence. Thus, the person reporting an information security event should complete the information security event reporting form with as much narrative and other information as is readily available at the time, liaising with his/her local manager if necessary. That form should be securely communicated to the designated PoC, with a copy to the responsible IRT. The PoC should preferably provide a 24-hour service for 7 days per week. Annex B shows an example template for the information security event reporting form.

The IRT should appoint one team member or delegate per shift to be responsible for all incoming reports via e-mail, phone, fax, automated information sharing programs, forms and direct conversation. This responsibility may rotate between team members on a weekly basis. The appointed team member makes the assessment and takes proper actions to inform responsible and involved parties as well as to resolve the information security incident.
It is emphasized that not only accuracy but also timeliness is important in the content filled in on the information security event reporting form. It is not good practice to delay the submission of a reporting form in order to improve the accuracy of its content. If the reporting person is not confident of the data in any field on the reporting form, it should be submitted with appropriate notation, and revisions communicated later. Automated information sharing data formats (IETF RFC 5070, IODEF) and protocols (IETF RFC 6545 and IETF RFC 6546, RID) provide a confidence rating with the data shared. The confidence rating, combined with information on the organization providing the data, should be considered to determine the accuracy and valuation of the information provided.

It should also be recognized that some reporting mechanisms (e.g. e-mail, automated information sharing protocols) are themselves visible targets for attack. When problems exist, or are considered to exist, with the electronic reporting mechanisms (e.g. e-mail), alternative means of communication should be used. This includes when it is thought possible that the system is under attack and unauthorized people could read electronic reporting forms. Alternative means could include in person, by telephone or by text messaging. Such alternative means should be used particularly when it becomes evident early in an investigation that an information security event appears likely to be classified as an information security incident, particularly one that may be significant.

Whilst in many cases an information security event has to be reported onwards for action by the PoC, there may be occasions where an information security event is handled locally, possibly with the help of local management. It is advisable that local management be trained to make the same assessment as the IRT and take similar or the same countermeasures, as well as use the same incident tracking system, in order to make successful use of local resources.
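The following is an added example, not part of the ISO/IEC 27035-3 draft, of the valuation step described above: reading the confidence rating carried in an IODEF (IETF RFC 5070) incident report and weighting it by how far the receiving IRT trusts the reporting organization before deciding what the PoC does with it. The IODEF document, the organization names and the trust table are constructed for the example, and the percentages for the word ratings and the score thresholds are an assumed local policy, not anything RFC 5070 or the draft prescribes.

```python
"""Added example, not part of the ISO/IEC 27035-3 draft: reading the confidence
rating carried in an IODEF incident report (IETF RFC 5070) and combining it
with how far the receiving IRT trusts the reporting organization. The IODEF
document, the organization names and the trust table are constructed for this
example; the word-rating percentages and score thresholds are an assumed
local policy."""
import xml.etree.ElementTree as ET

IODEF_NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Constructed report from an external CSIRT.
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.net">2024-0417</IncidentID>
    <ReportTime>2024-03-01T11:02:00+00:00</ReportTime>
    <Description>Port scanning from 203.0.113.7 against our DMZ.</Description>
    <Assessment>
      <Impact type="recon" completion="succeeded"/>
      <Confidence rating="numeric">80</Confidence>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
      <Email>csirt@example.net</Email>
    </Contact>
  </Incident>
</IODEF-Document>
"""

# RFC 5070 Confidence/@rating is one of low, medium, high, numeric, unknown.
# The percentages for the word ratings are an assumed local convention.
RATING_TO_PERCENT = {"low": 25.0, "medium": 50.0, "high": 90.0}

# Assumed trust policy: weight per reporting authority (IncidentID/@name),
# and the default for anyone not listed.
SOURCE_TRUST = {"csirt.example.net": 0.9, "partner.example.org": 0.6}
DEFAULT_TRUST = 0.3


def parse_iodef(xml_text):
    """Extract the fields the PoC needs for assessment from one IODEF Incident."""
    root = ET.fromstring(xml_text)
    inc = root.find("iodef:Incident", IODEF_NS)
    if inc is None:
        raise ValueError("IODEF document carries no Incident element")
    inc_id = inc.find("iodef:IncidentID", IODEF_NS)
    if inc_id is None:
        raise ValueError("Incident carries no IncidentID element")
    conf = inc.find("iodef:Assessment/iodef:Confidence", IODEF_NS)
    confidence = None                      # None means "unknown" or absent
    if conf is not None:
        rating = conf.get("rating", "unknown")
        if rating == "numeric":
            confidence = float((conf.text or "").strip())   # value is the element body
        else:
            confidence = RATING_TO_PERCENT.get(rating)
    return {
        "id": (inc_id.text or "").strip(),
        "authority": inc_id.get("name"),
        "report_time": inc.findtext("iodef:ReportTime", namespaces=IODEF_NS),
        "description": inc.findtext("iodef:Description", default="", namespaces=IODEF_NS).strip(),
        "impacts": [i.get("type") for i in inc.findall("iodef:Assessment/iodef:Impact", IODEF_NS)],
        "confidence": confidence,
    }


def value_report(report, trust_table=SOURCE_TRUST):
    """Weight the reporter's confidence by the trust placed in the reporter.

    Returns (score, disposition). An unknown confidence is treated as medium
    so the report is neither dropped nor escalated on the reporter's say-so."""
    trust = trust_table.get(report["authority"], DEFAULT_TRUST)
    confidence = 50.0 if report["confidence"] is None else report["confidence"]
    score = round(confidence * trust, 1)
    if score >= 60:
        disposition = "refer to IRT as a probable incident"
    elif score >= 30:
        disposition = "PoC verifies with the reporter before classifying"
    else:
        disposition = "record in the event database only"
    return score, disposition


if __name__ == "__main__":
    report = parse_iodef(SAMPLE_IODEF)
    print(report)
    print(value_report(report))
```

The same report scores 72 from a trusted CSIRT and 24 from an unlisted source, which is the point of the passage: the rating the sender attaches is only half of the valuation, and an unrecognised sender should not be able to push a report straight into incident handling.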
This will prevent the IRT from doing duplicate work.

An information security event may be quickly determined to be a false alarm, or it may be resolved to a satisfactory conclusion. In such cases a reporting form should be completed and forwarded to local management, to the PoC and to the IRT for recording purposes, i.e. into the information security event/incident/vulnerability database. In such circumstances the person reporting closure of an information security event may be able to complete some of the information required for the information security incident reporting form; if this is the case, then the information security incident reporting form should also be completed and forwarded. The use of automatic tools can assist with completion of some fields, for example time stamps. It can also assist with the sharing/transfer of necessary information.

5.2 Assessment and decision
5.2.1 Assessment and initial decision by the PoC
The receiving person in the PoC should acknowledge receipt of the completed information security event reporting form, enter it into the information security event/incident/vulnerability database, and review it. He/she should seek any clarification from the person reporting the information security event, and collect any further information required and known to be available, whether from the reporting person or elsewhere. Then, the PoC should conduct an assessment to determine whether the information security event should be classified as an information security incident or is in fact a false alarm (including through use of the organization's agreed incident classification scale). If the information security event is determined to be a false alarm, the information security event reporting form should be completed and communicated to the IRT for addition to the information security event/incident/vulnerability database and review, and copied to the reporting person and his/her local manager. Information and other evidence collected at this stage may need to be used at a future time for disciplinary or legal proceedings.
The person or people undertaking the information collection and assessment tasks should be trained in the requirements for collection and preservation of evidence. In addition to recording the date(s) and time(s) of actions, it is necessary to fully document the following:
a) what was seen and done (including tools used) and why,
b) the location of the potential evidence,
c) how evidence is archived (if applicable),
d) how evidence verification was performed (if applicable), and
e) details of storage/safe custody of material and subsequent access to it.

If the information security event is determined as a likely information security incident, and if the person at the PoC has the appropriate level of competence, further assessment may be conducted. This may require remedial actions, for example identifying additional emergency controls and referral for action to the appropriate person. It may be evident that an information security event is determined to be a significant information security incident (using the organization's pre-determined severity scale), in which case the IRT manager should be informed directly. It may be evident that a crisis situation should be declared, and for example the crisis management manager be notified for possible activation of a crisis management plan, and the IRT manager and senior management be informed. However, the most likely situation is that the information security incident needs to be referred directly to the IRT for further assessment and action. Whatever the next step is determined to be, the PoC should complete as much as possible of the information security incident reporting form.
The information security incident reporting form should contain narrative, and as far as possible should confirm and describe the following:
f) what the information security incident is,
g) how it was caused and by what or whom,
h) what it affects or could affect,
i) the impact or potential impact of the information security incident on the business of the organization,
j) an indication as to whether the information security incident is deemed significant or not (using the organization's pre-determined classification scale), and
k) how it has been dealt with so far.

When considering the potential or actual adverse effects of an information security incident on the business of an organization, the following are some examples:
l) unauthorized disclosure of information,
m) unauthorized modification of information,
n) repudiation of information,
o) unavailability of information and/or service,
p) destruction of information and/or service, and
q) reduced performance of service.

The first step is to consider which of a number of consequences is relevant. For those considered relevant, the related category guideline should be used to establish the potential or actual impacts for entry into the information security incident report. Example guidelines are given in Part 2 Annex A (Example approaches to the categorization and classification of information security events and incidents) and Annex B. Example categories are the following:
r) financial loss/disruption to business operations,
s) commercial and economic interests,
t) personal information,
u) legal and regulatory obligations,
v) management and business operations,
w) loss of goodwill,
x) injury or loss of life, and
y) societal disruption.
If an information security incident has been resolved, the report should include details of the controls that have been taken and any lessons learned (e.g. controls to be adopted to prevent re-occurrence or similar occurrences). Once completed as far as possible, the reporting form should then be referred to the IRT for entry into the information security event/incident/vulnerability database and review.

If an investigation is likely to be longer than a time period defined in the information security incident management policy, an interim report should be produced within a time period specified by the policy.

It is emphasized that the PoC assessing an information security incident should be aware, based on the guidance provided in the information security incident management scheme documentation, of the following, for example:
z) when it is necessary to escalate matters and to whom, and
aa) that change control procedures should be followed in all activities conducted by the PoC.

In a similar manner to that mentioned in 5.1.1 and 5.1.2 above regarding event detection and reporting, alternative means of communication of updated reporting forms should be used when problems exist, or are considered to exist, with electronic reporting mechanisms (e.g. e-mail).

5.2.2 Assessment and incident confirmation by the IRT

The assessment, and confirmation of the decision as to whether an information security event is to be classified as an information security incident, should be the responsibility of the IRT. The receiving person in the IRT should do the following:
a) Acknowledge receipt of the information security incident reporting form, completed as far as possible by the PoC.
b) Enter the form into the information security event/incident/vulnerability database if it was not done by the PoC, and update the database if necessary.
c) Seek clarification from the PoC, if necessary.
d) Review the reporting form content.
e) Collect any further information required and known to be available, whether from the PoC, the person who completed the information security event reporting form, or elsewhere.

If there is still a degree of uncertainty as to the authenticity of the information security incident or the completeness of the reported information, the IRT member should conduct an assessment to determine whether the information security incident is real or in fact a false alarm (through use of the organization's agreed incident classification scale). If the information security incident is determined to be a false alarm, the information security event report should be completed, added to the information security event/incident/vulnerability database and communicated to the IRT manager. Copies of the report should be sent to the PoC, the reporting person and his/her local manager.

An information security incident should be correlated to any other event/incident reported to the IRT. This important activity is to verify whether the incident is connected to any other event/incident, or is simply the effect of another incident, as in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The correlation of incidents is also important in prioritizing the efforts of the IRT.

If the information security incident is determined to be real, the IRT member, and colleagues as required, should conduct further assessment. The aim is to confirm the following as soon as possible:
f) What the information security incident is, how it was caused and by what or whom, what it affects or could affect, the impact or potential impact of the information security incident on the business of the organization, and an indication as to whether the information security incident is deemed significant or not (using the organization's pre-determined severity scale). If the incident causes severe negative impact on the business, crisis activities should be initiated
(see 5.3.4).
g) The following aspects, for a deliberate human technical attack on an information system, service and/or network, for example:
1) how deeply the system, service and/or network has been infiltrated, and what level of control the attacker has,
2) what data has been accessed by the attacker, and possibly copied, altered or destroyed,
3) what software has been copied, altered or destroyed by the attacker.
h) The direct and indirect effects (for example, is physical access open because of a fire, is an information system vulnerable because of some software or communications line malfunction, or because of human error), and
i) How the information security incident has been dealt with so far and by whom.

When reviewing the potential or actual adverse effects of an information security incident on the business of an organization, for the information and/or services of the kinds listed in 5.2.1, it is necessary to confirm which of a number of consequences is relevant. Example categories are shown in 5.2.1 and Annex A of 27035-2.

A prioritizing process should be used to assign an information security incident to the most suitable person or group of persons in the IRT, to facilitate an adequate response to the information security incident. In particular, when several information security incidents are being dealt with at the same time, priorities have to be set to order the responses to be given to the information security incidents. Priorities should be set in accordance with the determined adverse business impacts associated with the information security incident and the estimated effort needed to respond to it. For incidents with the same priority, the required effort is one metric to determine the order in which they need to be responded to. For example, an incident that is easily resolved may be dealt with before an incident requiring a greater effort.

For those consequences considered relevant, the related category guideline should be used to establish the potential or actual impacts for entry into the information security incident report. Example guidelines are given in Part 2 Annex A and in Annex B of this part.
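Two steps in 5.2.2 can be shown directly in code: correlating incoming reports so that several reports that are facets of one incident (the DoS/DDoS case the clause names) are handled as one, and ordering confirmed incidents by adverse business impact with estimated effort as the tie-breaker. The following is an added example, not code from ISO/IEC 27035-3: the `REPORTS` records are constructed, the 1 (minor) to 4 (significant) impact scale stands in for the organization's own classification scale, which the standard leaves to the organization, and effort is estimated in person-hours.

```python
from collections import defaultdict

# Constructed incoming reports as the IRT might see them after PoC assessment.
# "impact" is on a hypothetical 1 (minor) .. 4 (significant) scale standing in
# for the organization's classification scale; "effort" is estimated
# response effort in person-hours.
REPORTS = [
    {"id": "INC-101", "target": "www-portal", "source": "203.0.113.10", "type": "dos", "impact": 3, "effort": 4},
    {"id": "INC-102", "target": "www-portal", "source": "198.51.100.7", "type": "dos", "impact": 3, "effort": 4},
    {"id": "INC-103", "target": "www-portal", "source": "192.0.2.55", "type": "dos", "impact": 3, "effort": 4},
    {"id": "INC-104", "target": "hr-db", "source": "internal", "type": "unauthorized_access", "impact": 4, "effort": 40},
    {"id": "INC-105", "target": "print-srv", "source": "unknown", "type": "malware", "impact": 2, "effort": 2},
    {"id": "INC-106", "target": "build-srv", "source": "unknown", "type": "malware", "impact": 2, "effort": 16},
]


def correlate(reports, group_key=("target", "type")):
    """Group reports that share the same target and incident type.

    Returns {key tuple: [reports]}. Several DoS reports against one target from
    different sources are one (distributed) incident for response purposes,
    not several independent ones; treating them separately would both inflate
    the queue and hide the DDoS pattern.
    """
    groups = defaultdict(list)
    for r in reports:
        groups[tuple(r[k] for k in group_key)].append(r)
    return dict(groups)


def merge_group(key, members):
    """Collapse a correlated group into one incident record.

    Impact is the maximum across members. Effort is the maximum rather than
    the sum, because the members share one response. Distinct sources are
    kept so the incident report can list them.
    """
    sources = sorted({m["source"] for m in members})
    return {
        "id": "+".join(m["id"] for m in members),
        "target": key[0],
        "type": key[1],
        "distributed": len(sources) > 1,
        "sources": sources,
        "impact": max(m["impact"] for m in members),
        "effort": max(m["effort"] for m in members),
    }


def prioritize(incidents):
    """Order incidents: highest adverse business impact first; among equal
    impact, the one needing less effort comes first; the id breaks remaining
    ties so the order is stable and reproducible."""
    return sorted(incidents, key=lambda i: (-i["impact"], i["effort"], i["id"]))


def triage(reports):
    """Correlate, merge and prioritize in one pass; returns the ordered queue."""
    merged = [merge_group(k, v) for k, v in correlate(reports).items()]
    return prioritize(merged)


if __name__ == "__main__":
    for rank, inc in enumerate(triage(REPORTS), 1):
        kind = inc["type"] + (" (distributed)" if inc["distributed"] else "")
        print(f"{rank}. {inc['id']}: {kind} on {inc['target']} "
              f"impact={inc['impact']} effort={inc['effort']}h sources={inc['sources']}")
```

With the constructed data the unauthorized access to the HR database comes first on impact alone, the three DoS reports collapse into one distributed incident in second place, and of the two equal-impact malware cases the one estimated at two hours is queued before the sixteen-hour one, which is the ordering rule the clause describes.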
5.3 Responses

5.3.1 Immediate responses

5.3.1.1 Overview

In the majority of cases, the next activities for the IRT member are to identify the immediate response actions to deal with the information security incident, record details on the information security incident form and within the information security event/incident/vulnerability database, and notify the required actions to the appropriate persons or groups. This may result in emergency controls (for example, cutting off/shutting down an affected information system, service and/or network, with the prior agreement of the relevant IT and/or business management), and/or additional permanent controls being identified, and notified for action to the appropriate person or group. If not already done, the significance of the information security incident should be determined, using the organization's pre-determined classification scale, and if sufficiently significant, appropriate senior management should be notified directly. If it is evident that a crisis situation should be declared, for example the crisis management manager should be notified for possible activation of a crisis management plan, with the IRT manager and senior management also informed.

The overall objectives in responding to information security incidents are the following: to confine the potential adverse impacts (of information security incidents), and to improve information security. The primary goal of the information security incident management scheme and associated activities should be the minimization of adverse business impacts, whereas identification of the attacker should be considered a secondary goal.
5.3.1.2 Example actions

As an example of relevant immediate response actions in the case of a deliberate attack on an information system, service and/or network, it could be left connected to the internet, or other network. This will allow business critical applications to function correctly, and allow the collection of as much information as possible about the attacker, provided that the attacker does not know that he/she is under surveillance. It is vitally important to follow planned processes and record actions. Beware of Trojans, rootkits and kernel modules that may cause serious damage to the system. Evidence can be protected with cryptography, locks and records of access.
a) While taking such a decision, it needs to be considered that the attacker may realize that he/she is being observed and may undertake actions that cause further damage to the affected information system, service and/or network, and related data, and the attacker could destroy the information that may be useful to track him/her.
b) It is essential that it is technically possible to quickly and reliably cut off and/or shut down the attacked information system, service and/or network, once a decision has been taken. This serves to contain the incident.

A further consideration is that the prevention of re-occurrence is usually of high priority, and it might well be concluded that the attacker has exposed a vulnerability that should be rectified, and that the gains from tracking him/her do not justify the effort in doing so. This is especially relevant when the attacker is non-malicious and has caused little or no damage.

With regard to information security incidents that are caused by something other than deliberate attack, the source should be identified. It may be necessary to shut the information system, service and/or network down, or isolate the relevant part and shut it down (with the prior agreement of the relevant IT and/or business management), while controls are implemented.
This may take longer if the vulnerability is fundamental to the information system, service and/or network design, or if it is a critical vulnerability.

Another response activity may be to activate surveillance techniques (for example, honeypots; see ISO/IEC 18043). This should be on the basis of procedures documented for the information security incident management scheme.

Information that may be corrupted by the information security incident should be checked by the IRT member against backup records for modifications, deletions, or insertions of information. It may be necessary to check the integrity of the logs, as a deliberate attacker may have manipulated these logs to cover his/her tracks.

5.3.1.3 Incident information update

Whatever the next step is determined to be, the IRT member should update the information security incident report as much as possible, add it to the information security event/incident/vulnerability database, and notify the IRT manager and others as necessary. The update may cover further information on the following:
a) what the information security incident is,
b) how it was caused and by what or whom,
c) what it affects or could affect,
d) the impact or potential impact of the information security incident on the business of the organization,
e) changes to the indication as to whether the information security incident is deemed significant or not (using the organization's pre-determined severity scale), and
f) how it has been dealt with so far.

If an information security incident has been resolved, the report should include details of the controls that have been taken and any other lessons learned (e.g. further controls to be adopted to prevent re-occurrence or similar occurrences). The updated report should be added to the information security event/incident/vulnerability database, and notified to the IRT manager and others as required.
It is emphasized that the IRT is responsible for ensuring the secure retention of all information pertaining to an information security incident for further analysis, and potential legal evidential use. For example, for an IT oriented information security incident, the following actions should be taken. After the initial discovery of the incident, all volatile data should be collected before the affected IT system, service and/or network is shut down, for a complete information security forensics investigation. Information to be collected includes contents of memory, cache and registers, and detail of any activities running, and the following.
g) A full information security forensics duplication of the affected system, or a low level backup of logs and important files, should be undertaken depending on the nature of the information security incident.
h) Logs from neighbouring systems, services and networks, for example including from routers and firewalls, should be collected and reviewed.
i) All information collected should be stored securely on read only media.
j) Two or more persons should be present when information security forensics duplication is performed, to assert and certify that all activities have been carried out in accordance with relevant legislation and regulation.
k) Specifications and descriptions of the tools and commands used to perform the information security forensics duplication should be documented and stored together with the original media.

An IRT member is also responsible for facilitating the return of the affected facility (whether IT or otherwise) to a secure operational state that is not susceptible to a compromise by the same attack, if possible at this stage.

5.3.1.4 Further activities

If an IRT member determines that an information security incident is real, then other important activities should be the following:
a) activity to institute information security forensics analysis, and
b) activity to inform those responsible for internal and external communications of the facts and proposals for what should be communicated, in what form and to whom.
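The duplication steps g), i), j) and k) in 5.3.1.3 above have a simple mechanical core: copy, hash source and copy independently, refuse to call the copy evidence unless the hashes agree, make the copy read-only, and write down who was present and which tools were used. The following is an added example, not code from ISO/IEC 27035-3, that does exactly that. Ordinary files stand in for block devices so it runs anywhere; the sample evidence is constructed at run time, and the function names and the layout of the custody record are this example's own.

```python
import hashlib
import json
import os
import platform
import shutil
import stat
import sys
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def duplicate_and_verify(source, image):
    """Copy source to image, then hash both and compare.

    Returns (source_hash, image_hash, verified). The copy is flushed to disk
    before hashing, and the image is set read-only afterwards so that later
    analysis cannot silently alter it (step i)).
    """
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst)
        dst.flush()
        os.fsync(dst.fileno())
    src_hash = sha256_of(source)
    img_hash = sha256_of(image)
    os.chmod(image, stat.S_IRUSR | stat.S_IRGRP)
    return src_hash, img_hash, src_hash == img_hash


def custody_record(source, image, hashes, operators, incident_id):
    """Build the record stored with the original media (step k)).

    Enforces the two-person rule of step j): fewer than two named operators is
    rejected before anything is written.
    """
    if len(operators) < 2:
        raise ValueError("two or more persons must be present for duplication")
    src_hash, img_hash, verified = hashes
    return {
        "incident_id": incident_id,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": verified,
        "operators": list(operators),
        "tools": {  # what produced the image, so it can be reproduced later
            "copier": "python %s shutil.copyfileobj" % platform.python_version(),
            "hash": "hashlib.sha256",
            "platform": platform.platform(),
        },
    }


def acquire(source, image, record_path, operators, incident_id):
    """Duplicate, verify and record as one step.

    The record is written even on failure (so the attempt is logged), but a
    mismatch raises RuntimeError so a bad copy is never treated as evidence.
    """
    hashes = duplicate_and_verify(source, image)
    record = custody_record(source, image, hashes, operators, incident_id)
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    if not hashes[2]:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return record


def demo(workdir=None):
    """Constructed scenario: acquire a sample 'device' file with two operators."""
    workdir = workdir or tempfile.mkdtemp()
    source = os.path.join(workdir, "evidence.bin")
    with open(source, "wb") as f:  # constructed sample evidence, not real data
        f.write(os.urandom(2 * 1024 * 1024) + b"suspect log line\n")
    return acquire(source, os.path.join(workdir, "evidence.img"),
                   os.path.join(workdir, "custody.json"),
                   ["A. Analyst", "B. Witness"], "INC-2018-0042")


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    sys.exit(0 if rec["verified"] else 1)
```

Hashing the source a second time after the copy, instead of hashing the stream while copying, is deliberate: it detects a source that changed under the copy (which a live, still-running system can do), which is one reason the clause asks for volatile data first and a shutdown before the full duplication.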
Once an information security incident report has been completed as far as possible, it should be entered into the information security event/incident/vulnerability database and communicated to the IRT manager. If an investigation is likely to be longer than a time period pre-agreed within the organization, an interim report should be produced.

The IRT member responding to an information security incident should be aware, based on the guidance provided in the information security incident management scheme documentation, of the following:
c) when it is necessary to escalate matters and to whom, and
d) that change control procedures should be followed in all activities conducted by the IRT.

When problems exist, or are considered to exist, with electronic communications facilities (e.g. e-mail or web), including when it is thought possible that the system is under attack, the report to the relevant people should be made by alternative means such as in person, by telephone or text messaging.

If it is concluded that an information security incident is significant, or a crisis situation has been determined, then the IRT manager, in liaison with the organization's information security manager and the relevant board member/senior manager, should liaise with all related parties, both internal and external to the organization. To ensure that the liaisons are organized quickly and are effective, it is necessary to establish a secure method of communication in advance that does not wholly rely on the system, service and/or network that may be affected by the information security incident. These arrangements may include the nomination of backup advisors or representatives in the case of absence.

5.3.2 Assessment of control over information security incidents

After the IRT member has instigated the immediate responses and relevant information security forensics analysis and communications activities, it needs to be quickly ascertained whether the information security incident is under control.
If necessary, the IRT member may consult with colleagues, the IRT manager and/or other persons or groups. If the information security incident is confirmed as being under control, the IRT member should institute any required later responses, and information security forensic analysis and communications, to end the information security incident and restore the affected information system to normal operations. If the information security incident is confirmed as not being under control, then the IRT member should institute crisis activities.

If the information security incident is related to loss of availability, the metric to assess whether an information security incident is under control could be the time elapsed before recovering to a normal situation following the occurrence of the information security incident. The organization should determine for each asset, based upon the results of the information security risk assessment, its acceptable interruption window that supports the recovery time objective before resumption of the service or of access to the information. As soon as the response exceeds the acceptable interruption window of the targeted asset, the information security incident may no longer be under control and the decision to escalate the information security incident should be taken. Information security incidents related to loss of confidentiality, integrity etc. need other types of judgement to determine if the situation is under control, and possibly related metrics according to the organization's crisis management plans.

5.3.3 Later responses

Having determined that an information security incident is under control, and not subject to crisis activities, the IRT member should identify if and what further responses are required to deal with the information security incident.
This could include restoring the affected information system(s), service(s) and/or network(s) back to normal operation. He/she should then record details on the information security incident reporting form and in the information security event/incident/vulnerability database, and notify those responsible for completing the related actions. Once those actions have been successfully completed, details should be recorded on the information security incident reporting form and in the information security event/incident/vulnerability database, and then the information security incident should be closed and appropriate personnel notified.

Some responses are directed at preventing information security incident re-occurrence or similar occurrence. For example, if it is determined that the cause of an information security incident is an IT hardware or software fault without an available patch, the supplier should be contacted immediately. If a known IT vulnerability was involved in an information security incident, it should be patched with the relevant information security update. Any IT configuration related problems highlighted by the information security incident should be dealt with thereafter. Other measures to decrease the possibility of re-occurrence or similar occurrence of an IT information security incident may include changing system passwords and disabling unused services.

Another area of response activity may involve monitoring the IT system, service and/or network. Following the assessment of an information security incident, it may be appropriate to have additional monitoring controls in place to assist in detecting unusual and suspicious events that would be symptomatic of further information security incidents. Such monitoring may also reveal a greater depth to the information security incident, and identify other IT systems that were compromised.
It may well be necessary to activate specific responses documented in the relevant crisis management plan. This could apply for both IT and non-IT related information security incidents. Such responses should include those for all business aspects, not just directly IT related, but also key business function maintenance and later restoration including, as relevant, of voice telecommunications, personnel levels and physical facilities.

The last area of activity is the restoration of the affected information system(s), service(s) and/or network(s) to normal operation. The restoration of an affected system(s), service(s) and/or network(s) to a secure operational state may be achieved through the application of patches for known vulnerabilities or by disabling an element that was the subject of the compromise. If the entire extent of the information security incident is unknown, due to the destruction of the logs during the incident, then a complete system, service and/or network rebuild may be necessary. It may well be necessary to activate parts of the relevant crisis management plan. If an information security incident is non-IT related, for example caused by a fire, flood or bomb, then the recovery activities to be followed are those documented in the relevant crisis management plan.

5.3.4 Responses to crisis situations

As discussed in 5.3.2, it may be that the IRT determines an information security incident is not under control and needs to be escalated to a crisis situation, using a pre-designated plan. The best options for dealing with all possible types of information security incidents that might affect availability, and to some extent integrity, of an information system should have been identified in the organization's crisis management plan. These options should be directly related to the organization's business priorities and related timescales for recovery, and thus the maximum acceptable outage time periods for IT, voice, people and accommodation.
The strategy should have identified the following:
a) the required preventive, resilience and crisis management measures,
b) the required organizational structure and responsibilities for responding to a crisis, and
c) the required structure and outline content for the crisis management plan or plans.

The crisis management plan(s), and the controls put in place to support the activation of those plan(s), once tested satisfactorily, form the basis for dealing with most escalated incidents once so designated. Depending on the type of incident, and if it is not under control, the escalation may lead to serious activities to deal with the incident and activate the crisis management plan if such is in place. Such activities may include, but are not limited to, the activation of:
d) fire suppression facilities and evacuation procedures,
e) flood prevention facilities and evacuation procedures,
f) bomb handling and related evacuation procedures,
g) specialist information system fraud investigators, and
h) specialist technical attack investigators.

5.3.5 Information security forensics analysis

Where identified by prior assessment as required for evidential purposes, de facto in the context of a significant information security incident, information security forensic analysis should be conducted by the IRT.
It should involve the use of IT based investigative techniques and tools, supported by documented procedures, to review the designated information security incident(s) in more detail than has been the case hitherto in the information security incident management process. It should be conducted in a structured manner and, as relevant, identify what may be used as evidence, whether for internal disciplinary procedures or legal actions.

The facilities needed for information security forensic analysis are likely to be categorized into technical (e.g. audit tools, evidence recovery facilities), procedural, personnel and secure office facilities. Each information security forensic analysis activity should be fully documented, including relevant photographs, audit log analysis reports, and data recovery logs. The proficiency of the person or people performing the information security forensic analysis should be documented along with records of proficiency testing. Any other information that demonstrates the objectivity and logical nature of the analysis should also be documented. All records of the information security incidents themselves, the information security forensic analysis activities, etc., and associated media, should be stored in a physically secure environment and controlled by procedures to prevent unauthorized people from accessing, altering or rendering them unavailable. Information security forensic analysis IT based tools should comply with standards such that their accuracy cannot be legally challenged, and should be kept up-to-date in line with technology changes. The IRT physical environment should provide demonstrable conditions that ensure the evidence is handled in such a way that it cannot be challenged. Enough personnel should be available, if necessary on an on-call basis, to be able to respond at any time.

Over time, new requirements may arise to review evidence of a variety of information security incidents, including fraud, theft, and vandalism.
Thus, to assist the IRT there needs to be a number of IT based means and supporting procedures available for uncovering information hidden in an information system, service or network, including information that on an initial inspection appears to have been deleted, encrypted, or damaged. These means should address all known aspects associated with known types of information security incidents and be documented in the IRT procedures.

In today's environment, information security forensic analysis is frequently needed to encompass complex networked environments, where investigation needs to encompass an entire operating environment, including a multitude of servers (e.g. file, print, communications and e-mail), as well as remote access facilities. There are many tools available, including text search tools, drive imaging software and information security forensic suites. The main focus of information security forensic analysis procedures is to ensure that evidence is kept intact and checked to ensure that it stands up to any legal challenge. It is emphasized that information security forensic analysis should be performed on an exact copy of the original data, to prevent the analysis work prejudicing the original media integrity.

The overall information security forensic analysis process should encompass, as relevant, the following activities:
a) Activity to ensure that the target system, service and/or network is protected during the information security forensic analysis from being rendered unavailable, altered or otherwise compromised, including by the introduction of malicious code (including viruses), and that there are no or minimal effects on normal operations.
b) Activity to prioritize the acquisition and collection of evidence, i.e. proceeding from the most volatile to the least volatile (this depends in large measure on the nature of the information security incident).
c) Activity to identify all relevant files on the subject system, service and/or network, including normal files, password or otherwise protected files, and encrypted files.
d) Activity to recover, as far as possible, discovered deleted files and other data.
e) Activity to uncover IP addresses, host names, network routes and web site information.
f) Activity to extract the contents of hidden, temporary and swap files used by both application and operating system software.
g) Activity to access the contents of protected or encrypted files (unless prevented by law).
h) Activity to analyze all possibly relevant data found in special (and typically inaccessible) disc storage areas.
i) Activity to analyze file access, modification and creation times.
j) Activity to analyze system/service/network and application logs.
k) Activity to determine the activity of users and/or applications on a system/service/network.
l) Activity to analyze e-mails for source information and content.
m) Activity to perform file integrity checks to detect Trojan horse files and files not originally on the system.
n) Activity to analyze, if applicable, physical evidence, for example fingerprints, property damage, video surveillance, alarm system logs, pass card access logs, and to interview witnesses.
o) Activity to ensure that extracted potential evidence is handled and stored in such a way that it cannot be damaged or rendered unusable, and that sensitive material cannot be seen by those not authorized. It is emphasized that evidence gathering should always be in accordance with the rules of the court or hearing in which the evidence may be presented.
p) Activity to conclude on the reasons for the information security incident, the actions required and in what timeframe, with evidence including lists of relevant files included in an attachment to the main report.
q) Activity to provide expert support to any disciplinary or legal action as required.
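Two of the activities in the list above, i) analysing file access, modification and creation times and m) integrity checks for Trojan horse files and files not originally on the system, are the same mechanism, and they are also how the 5.3.1.2 advice to check possibly corrupted information against backup records is carried out in practice: take a hash manifest from a known-good backup and diff it against the tree under analysis. The following is an added example, not code from ISO/IEC 27035-3, that does this against a constructed "backup" tree and a constructed "live" copy with one file altered, one dropped in and one deleted. Paths, file contents and function names are this example's own; in real use the manifest comes from trusted backup media and the analysis runs on a copy of the image, never on the original.

```python
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> sha256 for every regular
    file under root. Symlinks are skipped so a planted link cannot make the
    manifest hash a file outside the tree."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted.

    added    = present now but not in the backup (candidate dropped files),
    modified = hash differs from the backup (candidate Trojaned files),
    removed  = in the backup but gone now (deleted, e.g. to hide activity).
    """
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def timeline(root, since=None):
    """List (timestamp, kind, relpath) for atime/mtime/ctime of every file,
    oldest first, optionally only events at or after 'since' (epoch seconds).
    On POSIX ctime is the inode change time, not the creation time, and
    mtime is trivially forged with utime(); ctime cannot be set that way."""
    events = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for kind, ts in (("atime", st.st_atime), ("mtime", st.st_mtime), ("ctime", st.st_ctime)):
                if since is None or ts >= since:
                    events.append((ts, kind, rel))
    return sorted(events)


def demo(workdir=None):
    """Constructed scenario: backup tree versus live tree with three changes."""
    workdir = workdir or tempfile.mkdtemp()
    backup = os.path.join(workdir, "backup")
    live = os.path.join(workdir, "live")
    os.makedirs(os.path.join(backup, "etc"))
    os.makedirs(os.path.join(backup, "bin"))
    with open(os.path.join(backup, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(backup, "bin", "ls"), "wb") as f:
        f.write(b"\x7fELF original ls")
    with open(os.path.join(backup, "etc", "motd"), "w") as f:
        f.write("welcome\n")
    shutil.copytree(backup, live)
    baseline = build_manifest(backup)          # taken from the known-good backup
    marker = time.time()
    time.sleep(0.01)
    with open(os.path.join(live, "bin", "ls"), "wb") as f:            # Trojaned binary
        f.write(b"\x7fELF original ls" + b"\x90" * 16)
    with open(os.path.join(live, "bin", "sshd_helper"), "wb") as f:   # dropped file
        f.write(b"\x7fELF not originally on the system")
    os.remove(os.path.join(live, "etc", "motd"))                      # deleted file
    added, modified, removed = compare_manifests(baseline, build_manifest(live))
    return {"live": live, "added": added, "modified": modified,
            "removed": removed, "recent": timeline(live, since=marker)}


if __name__ == "__main__":
    result = demo()
    print("added:", result["added"])
    print("modified:", result["modified"])
    print("removed:", result["removed"])
    for ts, kind, rel in result["recent"]:
        print(datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, rel)
```

Reading the two outputs together is the point: the manifest diff says which files to look at, and the timeline says in what order things happened and whether the timestamps are even consistent with each other (an mtime older than the ctime of the same file is a classic sign of a timestamp that was reset after the fact).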
The method(s) to be followed should be documented in the IRT procedures.

The IRT should accommodate sufficient combinations of skills to provide wide coverage of technical knowledge (including of the tools and techniques likely to be used by deliberate attackers), analysis/investigative experience (including regarding the preservation of usable evidence), knowledge of relevant legislation and regulation implications, and ongoing knowledge of incident trends. The following should be recognized:
r) some organizations may not have all these resources available and may need to out-source information security forensic analysis work to specialists,
s) collecting information security forensic material may only be a resort (i.e. the effort and expense justified) where serious loss has occurred and/or criminal proceedings are likely, and
t) not using specialist resources to capture information security forensic material may render the findings inadmissible if court action is required.

5.3.6 Communications

In many cases when an information security incident has been confirmed by the IRT as real, there is a need for certain people to be informed both internally (outside of normal IRT/management lines of communication) and externally, including the press. This may need to occur at a number of stages, for example when an information security incident is confirmed as real, when it is confirmed as under control, when it is designated for crisis activities, when it is closed and when the post incident review has been completed and conclusions reached. When communication is needed, due care should be taken to ensure who needs to know what and when. Stakeholders that are affected should be determined and preferably divided into groups such as:
a) direct internal stakeholders (crisis management, management staff etc.),
b) direct external stakeholders (owners, customers, partners, suppliers etc.), and
c) other external contacts such as press and/or other
media.Eachgroupmayneedspecialinformationthatshouldcomethroughtheappropriatechannelsoftheorganization.Oneofthemostimportanttaskforcommunicationafteraninformationsecurityincidentistoensurethatdirectexternalanddirectinternalstakeholderswillhavetheinformationpriortothatitcomesthrough other external contacts such as press. To aid this activitywhen the need arises, it is sensible practice to prepare certaininformation in advance such that it is quickly adjusted to thecircumstances of a particular information security incident andissued toeachrelevantgroupandinparticularthepressand/orothermedia.Ifanyinformationpertainingtoinformationsecurityincidentsistobereleasedtothepressitshouldbedoneinaccordancewithorganization'sinformation dissemination policy. Information to be released shouldbe reviewed by the relevant parties, which may include seniormanagement, public relations co-ordinators and information securitypersonnel.NOTEThecommunicationsofinformationsecurityincidentmaywarydependingontheincidentanditsimpactincombination with the organization relations and type of business.The type of business may also set specific rules for howcommunication should be done, for example if the organization islisted on a public stock market. 5.3.7Escalation In extremecircumstances, matters may have to be escalated to accommodateincidents that are out of control and a potential danger forunacceptable business impact. These incidents need to be escalatedto activate thebusinesscontinuityplanifinplacebyreportingtoeitherseniormanagement,anothergroupwithintheorganizationorpersonsorgroupsoutsideoftheorganization.Thismaybeforadecisiontobemadeonrecommendedactionstodealwithaninformationsecurityincidentorforfurtherassessmenttodeterminewhatactionsarerequired.Thiscouldbefollowingtheassessmentactivitiesdescribedabovein5.2.1and5.2.2, orduring those activities if some majorissue becomesevidentearly. 
Guidance should be available in the information security incident management scheme documentation for those who are likely at some point to need to escalate matters, i.e. PoC and IRT members.

5.3.8 Activity logging and change control
It is emphasized that all involved in the reporting and management of an information security incident should properly log all activities for later analysis. This should be included with the information security incident reporting form and in the information security event/incident/vulnerability database, continually kept up to date throughout the cycle of an information security incident from first reporting to completion of the post-incident review. This information should be retained provably secure and with an adequate back-up regime. Further, all changes made in the context of tracking an information security incident and updating the information security incident reporting form and the information security event/incident/vulnerability database should be under a formally accepted change control scheme.

6 Establishment of the Incident Response Teams (IRTs)
IRTs are teams of appropriately skilled and trusted members of the organization that provide proper responses, analysis, and prevention of the various incidents that occur on computer networks. In order to establish an IRT, the size of the dedicated organization, the monitoring targets, and the coverage have to be defined. The effectiveness of the IRT is critical, thus the roles and responsibilities of members should be clearly defined. Prompt response and correct decisions by the IRT members are critical so that the spread of damage caused by incidents is quickly contained and addressed.

6.1 Types of the IRTs
Generally, IRTs can be classified into three different types as shown in Figure 1: single, hierarchical, and remote, based on the desired goal of the organizations. To establish a proper incident response team, the size of the organization, the importance of the information, and interoperability with other organizations should be considered.
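The logging and change-control requirement of 5.3.8 above can be met with an append-only record whose entries are chained by hash, so that any later edit or deletion of an entry is detectable. The following Python class is an added example, not part of this document; the incident identifier, actors and timestamps it uses are constructed. Corrections are appended as new entries that reference the entry they amend and name an approver, which keeps the history intact while still giving a current view of the record.

```python
"""Added example (not from ISO/IEC 27035-3): hash-chained, append-only
activity log for one incident, with approved corrections, as 5.3.8 asks.
Incident identifier, actors and timestamps are constructed."""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first entry


def entry_hash(entry):
    """SHA-256 of the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentActivityLog:
    """Entries are never edited or deleted; each one commits to its predecessor."""

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, timestamp, actor, action, details, amends=None, approved_by=None):
        """Append an entry. A correction names the seq of the original entry in
        `amends` and must carry an approver (the change-control step)."""
        if amends is not None:
            if not 0 <= amends < len(self.entries) or self.entries[amends]["amends"] is not None:
                raise ValueError("amends must reference an existing original entry")
            if not approved_by:
                raise ValueError("corrections to the incident record need an approver")
        entry = {
            "seq": len(self.entries), "incident": self.incident_id,
            "timestamp": timestamp, "actor": actor, "action": action,
            "details": details, "amends": amends, "approved_by": approved_by,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry; publish it outside this system (e.g. in
        the status report to the IRT manager) to anchor the chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """(True, None) if every entry is intact and linked, else (False, first bad seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def current_view(self):
        """Effective record: corrections replace the details of the entry they
        amend, while the original entries remain in self.entries for review."""
        view = {}
        for e in self.entries:
            if e["amends"] is None:
                view[e["seq"]] = dict(e)
            else:
                view[e["amends"]]["details"] = e["details"]
                view[e["amends"]]["corrected_by"] = e["seq"]
        return [view[k] for k in sorted(view)]


if __name__ == "__main__":
    log = IncidentActivityLog("IR-2013-0042")          # constructed identifier
    log.record("2013-03-03T02:20:00Z", "monitoring", "registered", "alarm level Serious")
    log.record("2013-03-03T02:25:00Z", "irt-manager", "escalated", "emergency contacts called")
    log.record("2013-03-03T03:10:00Z", "response", "contained", "host isolated from LAN")
    log.record("2013-03-03T09:00:00Z", "response", "corrected", "host isolated from LAN and VPN",
               amends=2, approved_by="irt-manager")
    print("chain intact:", log.verify(), "head:", log.head())
    log.entries[1]["details"] = "nothing happened"   # simulated unauthorised edit
    print("after tampering:", log.verify())
```

A chain only proves that nothing was altered since the last hash the verifier trusts; whoever can rewrite the whole store can also recompute the chain. Record the head hash somewhere outside the system that writes the log, for example in the status report sent to the IRT manager, and keep the separate back-up regime the clause calls for.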
Figure 1 Types of the IRTs
Single (single type of IRT): The monitoring scope is a single organization, or a single IRT performing monitoring of multiple organizations or targets 24 hours, 7 days and 365 days. This type is generally used for incident management, response and operation activities.
Hierarchical (hierarchical type of IRT): One or more IRTs overlap monitoring scopes. It can increase the reliability of incident response activities.
Remote (remote type of IRT): By collecting the security events from remote locations, this type is generally used by an out-sourcing enterprise (specialized information security enterprise) to monitor the targets.

6.2 Roles of IRTs
In order to provide prompt response to various threats, IRTs require a response policy (see ISO/IEC 27035-1), response procedures and operation activities. The main roles of IRTs are as follows:
a) Managing integrated security systems
1) Monitoring and information security event management of agents installed on heterogeneous systems (e.g. intrusion detection system, intrusion prevention system, firewall, network resource, etc.)
b) Implementing a consistent policy
1) Minimizing risks for the security system by a consistent policy
c) Responding promptly
1) Reinforcing prevention activities against incidents (e.g. monitoring, pre-responses, security policy, etc.)
d) Operating the optimized security structure
1) Providing an effective security plan for information properties

6.2.1 Fundamental duties of IRT
Fundamental duties of IRT are summarized as follows:
Integrated management and monitoring: 24 x 365 hours monitoring of targets, proactive monitoring and responses against incidents, log management
Reports management: Periodic security reporting, security patch management, incident reports
Administrative management: Policy management for various system environments including task control and IRT operations
Technical management: Network, system, application, contents, and service security management
System operation and management: System capacity, performance, security configuration, and environment configuration management

6.3 IRT organization
Prompt prevention and response policies should be established with consideration of physical, technical, and administrative points of view. The IRT should quickly and accurately register, handle, and prevent incidents with proper activities. The IRT should respond if it detects malicious code flowing into the monitoring area, and perform proper actions for minimizing and removing vulnerabilities. Furthermore, detected security events should be notified to a system and/or network manager for effective responses. To establish an IRT, the role of each member should be defined as follows:
a) IRT manager: As a leader, the person is responsible for managing the staff, defining the job scope, and reporting the status to higher-level organizations.
b) Planning team: It is responsible for operating the IRT. It establishes or plans various security policies, reports them to higher-level authorities, cooperates with third parties, and registers and approves vulnerability reports.
c) Monitoring team: It is responsible for real-time monitoring and actual operation activities such as security event monitoring/detection/identification, incident registration, and prevention.
d) Response team: It takes over the case from the monitoring agents for incidents related to intrusion, performs secondary further analysis and actions including investigation efforts and recovery actions, and establishes an adequate strategy.
e) Analysis team: In cooperation with the response team, it performs in-depth analysis including correlation analysis for the incidents.
For establishing the incident response strategy, refer to ISO/IEC 27035-1, which covers management policies and activities against information security incidents.

Table 1 Roles of Members

Member: IRT Manager
Role description: As a leader, the person is responsible for managing the staff, defining the job scope, and reporting the status to higher-level organizations.

Member: Planning Team
Role description: It is responsible for operating the organization. Its roles are:
a) Establishing and planning security policies
b) Implementing security processes
c) Adjusting the risk priorities
d) Communicating with higher-level organizations and other third-party organizations
e) Supporting administration
f) Discussing/registering/approving vulnerability reports on the target organizations
g) Performing other activities directed by the IRT manager

Member: Monitoring Team
Role description: It performs the real-time security monitoring activities and the following:
a) 24 x 365 hours monitoring and operation
b) Intrusion attempt detection, registering incidents, and pre-responses
c) Performing the security patches and upgrades
d) Implementation of the security policy and backup management
e) Help desk
f) Facility management
g) Performing other activities directed by the IRT manager

Member: Response Team
Role description: It provides services such as real-time responses, technical support, and the following:
a) Propagating and reporting incidents
b) Correlation analysis between monitoring systems
c) Incident investigation and recovery support
d) Vulnerability analysis on the target organization and IRT
e) Performing other activities directed by the IRT manager

Member: Analysis Team
Role description: It performs analysis on incidents and the following:
a) Planning vulnerability analysis for the target organization and IRT
b) Improving the security analysis tools and checklists
c) Improving the monitoring rules
d) Publication of a newsletter
e) Performing other activities directed by the IRT manager

6.3.1 Staff skills and qualifications
IRTs can be structured differently depending on the organization size, its staff, and industry type. Incident responses are usually dependent on the capability and reliability of the staff in the IRT. IRT staff and their capabilities become especially important because the activities of IRTs include establishing the security policy for preventing incidents, auditing, and coordinating with other departments, as well as technical activities.
The skills required for the members are as follows:
Personal skills: communication, problem solving, team interaction, time management
Technical skills: security principles, risk analysis, vulnerabilities, network protocols, security/virus issues, applications
Incident response skills: team policy/procedure, communication, incident analysis, recording, tracking information
Specialized skills: presentation, leadership, expert technology, programming skills
In addition, the staff are required to operate and respond to various incidents. Therefore, the members of the IRT should understand the following:
General data communication techniques (telephone, ISDN, X.25, PBX, ATM, Frame Relay etc.)
Network protocols (IP, ICMP, TCP, UDP etc.)
Network application programs and protocols (SMTP, HTTP, FTP, TELNET etc.)
Network-based systems in the organization (firewall, IDS, router, DNS, mail server etc.)
Computer/network threats and risks
Types of attack and vulnerability (IP sniffing, sniffers, computer viruses etc.)
Cryptography, hash algorithms, digital signatures, etc.
System security patches and backup, etc.
Security rules of the organization
Network security issues

7 Incident response operations
7.1 Incident criteria
For efficient response and operation against incidents, the criteria to determine the handling of incidents should be defined. Moreover, reference guidelines should be set for security incidents according to the priority of the information and information systems, the impact of each intrusion type, the damage scale, the intrusion alarm level, and its severity.
To define the criteria, see Annex A. Incidents are generally classified into the following, based on the work properties, organization size, and the importance of its information:
a) General incidents
1) Incidents caused by malicious software (worms, viruses, backdoors, Trojan horses etc.)
2) Unauthorized intrusions into the network and/or system
3) General property theft, loss, and destruction
4) Abnormal system operation caused by security vulnerabilities
5) Unauthorized access and/or information access allowed to unapproved personnel
6) Access attempted by unauthorized personnel
7) Abnormal services caused by modification and/or damage due to unauthorized access
b) Major incidents
1) Stopped services due to unauthorized access to the system, which causes modification and/or destruction
2) Exposure of confidential resources and/or serious damage to reputation/brand
3) Serious damage to the organizational operation caused intentionally and/or by mistakes
4) Modification and/or destruction of security equipment (entrance security, intrusion detection system, locking devices, surveillance cameras, etc.)

7.2 Incident response processes
As shown in Figure 2, the real-time incident response processes are performed in the order of detect/register, response, analysis, and reporting.
Figure 2 Incident response processes

7.3 Monitoring and detection
As the first step, the IRT monitors the security events, detects incidents, and/or receives reports of incidents from the monitoring site (or domain) of the organization. It performs the following tasks:
a) Monitoring
1) Monitoring security events from the target organization for 24 x 365 hours
2) Monitoring by the console (e.g. where security devices do not support inter-operation)
3) Verify incident occurrences (e.g. via the Internet and/or TV)
4) Reinforce and/or alter the rule set of the monitoring system while any intrusion is in progress
b) Detection
1) Verify incidents (positives and/or negatives) by collecting and analysing security events
2) Verify incident occurrences and the operational status of the monitoring equipment with staff in the target organization
3) In case of incidents, register the case. Otherwise alter the detection rules and record the case
c) Registration
1) Register and verify the incident occurrences
2) Report the incident occurrences.
NOTE Verify incident reporter information (organization, name, contact, etc.), damaged system (host name, IP etc.), detailed description of the incidents, incident detection date/time, post-response, attack types, etc.

7.3.1 Initial response
For an incident registered through detection and/or report, the monitoring team verifies whether the case is a real incident through pre-analysis. It performs the following tasks:
a) After verifying security events and status, the monitoring team makes a decision on the incident occurrence and its initial severity, such as incident type, the importance of the damaged system, alarm level, etc. (see Annex A)
b) In case the alarm level is identified as Serious or Alert,
1) Report the case to the IRT manager, and register it.
2) The IRT manager verifies the case and, if it is considered Serious or Alert, calls the related staff and organizations using the emergency contacts.
c) In case the alarm level is identified as Cautious,
1) Report the case to the IRT manager and request actions from the response teams according to the direction of the manager.
d) In case the alarm level is identified as Concerned, report the case to the IRT manager; the monitoring teams and/or staff directly take proper responses.

7.4 Incident response
To minimize the damage caused by incidents, incident response comprises the activities of pre-response, establishing the response policy by analysis, and planning the security strategies in cooperation with monitoring teams, response teams, and analysis teams.

7.4.1 Pre-response
After detecting incidents, the monitoring team should take over the pre-response as follows:
a) The incident type is worm and/or virus (expandable attacks):
1) Isolate and/or disconnect the system from the infected network
2) Block access and/or control the access permission through the firewall or router
b) The incident type is hacking (unauthorized attacks):
1) Separate the infected system to prevent additional damage
2) In case the system cannot be disconnected:
   Back up the infected system
   Remove the vulnerabilities such as a backdoor, etc.
3) In case of concern about damage to evidence: request the staff in charge to preserve the evidence and back up
Monitoring teams perform the pre-response (and register incidents) and transfer the following information to the response teams:
Incident occurrence and registration date/time, description of the incidents, damaged content, etc.
System and network information, damage type and severity, etc.

7.4.2 Responses
After taking over the incident information from the monitoring teams, the response teams report it to the IRT manager. The teams inform the organization's security staff of the case, and perform the further analysis. After identifying the incident type, the teams conduct the assessment of the damage with the following references:
Importance of the exposed information and infected system
Exposure of incident-related information to the public and/or other organizations
Attack skills or level
Service operation status (e.g. halt time)
Economic damage cost
If the alarm level is above Cautious, the cause and other effects should be precisely analyzed. If accurate analysis is not possible by internal staff, the response teams request external experts or support from other organizations. Through the analysis report, the teams double-check the severity of the incidents, and establish a response plan with consideration of the severity, attack types, damage coverage, priority, analysis data, etc.

Table 2 Example of the response tactic by incident type
Incident type        | Example of the response
DoS                  | To minimize the flooding effect, adjust the access policy of the router and/or firewall
Unauthorized use     | Preserve evidence and interview the incident suspect
Exposed information  | Preserve evidence and verify the scope of the exposed information
Unauthorized access  | Monitor the attacker's activities, block unauthorized access and reconfigure/recover the victim system

The response team must anticipate the expected results and establish an effective counter plan as shown in Table 2. All incident response activities must be notified to and approved by the IRT manager. The response team must report the result of actions taken for the intrusion case (intrusion date, type, seriousness, root cause, symptom, required compensating items, etc.) and keep the records of registration, detection, action, and result (see ISO/IEC 27035-1 Annex D).

7.5 Analysis
By analyzing the root cause after collecting the data on attack type and evidence, the spread of damage can be blocked, a prevention policy is established, and quick and effective recovery of the system follows. In the analysis step, be careful not to let information related to the incident become publicly known, so as not to hinder the investigation. Analysis teams should investigate the following data through remote or field investigation.
a) Data collection
1) Host-based data collection
Perform the system backup
Analyze and remove the vulnerabilities such as a backdoor
First, collect volatile data that can easily be destroyed by a system shutdown or reboot
Collect the data in use (such as logs, records, data, etc.)
Verify using program and/or data backups, and collect the integrity data
Preserve the evidence, and back up the incident data for reference
EXAMPLE System date/time, running applications and open ports, network status, network interface status, memory status, open files, backdoors, hacking programs, etc.
2) Network-based data collection
Network monitoring records (of the related staff)
Logs of the router, firewall, IDS, authentication server, etc.
b) Data analysis
1) After investigating the collected data (log files, system configurations, history data, e-mails and attached files, installed applications, etc.) from the damaged system and network, the analysis teams analyze the cause and trace of the incidents (see Table 3).
2) Perform data analysis activities such as software vulnerability analysis, time/date stamp analysis, etc.
3) If necessary, perform the low-level investigation.
NOTE The International Standard ISO/IEC 27037-1 provides more detailed information on the identification, collection, acquisition and preservation of digital evidence.
Table 3 Examples of analysis information
The incident evidence should be preserved safely for future reference, and the collected data (such as log files, process information, network connection status, file system, worm/virus, database, etc.) should be backed up with image data (such as a DB dump, history file, screen shot, disk image, picture, etc.).
c) Incident report
1) Through the investigated result, the causes, attack route, and intruders should be identified or traced to check the damage coverage and impact (see Annex table A.1.2).
2) Report the result to the staff in charge and the IRT manager.
3) If additional incidents are expected, or damage is suspected, proper actions and/or extra support should be provided to the staff of the damaged organizations in order to prevent the spread of damage.

7.5.1 Reporting and post-operation
All incident response and analysis results should be reported to the IRT manager and archived in the result reports (see ISO/IEC 27035-1 Annex D). According to the alarm level (see Annex A.2), the response procedures and actions should be included in the reports. In the case of Cautious and Concerned, the case should be reported to the IRT manager. In the case of Serious and Alert, the IRT manager should report the integrated result to the higher-level organizations and/or related organizations, and establish a cooperative response strategy. If no additional incidents are found through the analysis result, report or inform the organization and close the case.
a) Post operations
1) If additional incidents from similar vulnerabilities are suspected, perform the vulnerability analysis
2) Perform the response-related training for prevention
3) After closing the incident, the collected data and information should be disposed of

8 Incident handling
Incidents comprise various types of attacks including unauthorized system and/or file access, unauthorized network information gathering, unauthorized use of services using network vulnerabilities, service interference, abnormal services, malicious code, viruses, etc. Intelligent and automatic attacks are increasing, and their features are as follows:
Large scale (attacks multiple systems at the same time)
Distribution (attacks the target system from multiple servers)
Popularization (easy acquisition of hacking-related information)
Criminal tendency (financial gain, industrial information pillage, political intention)
The above-mentioned attacks are enabled by using various complicated technologies. Accordingly, prompt and efficient incident responses and operations are required. According to 7.2 Incident response processes, IRTs should take a cooperative response with the network and system administrators of the damaged organizations, referring to the incidents (see Annex A). Also refer to the incidents shown in ISO/IEC 27035-1 Annex B.

8.1 Denial of Service (DoS) handling
In a DoS attack, huge amounts of traffic are transmitted to the target system to interfere with and/or stop services (such as a web application). In order to handle DoS, the following responses are required.
a) Trace and block the source IP address
b) Block additional flow of traffic in cooperation with the ISP
c) Prompt responses (such as building a DNS sinkhole, routing the traffic to null, moving the system to safety zones and/or load-balanced firewalls, etc.)
d) Register the source (attacker) IP address(es) in the security devices (such as firewall, IDS, IPS, etc.)

8.2 Malicious code handling
The following responses are required to address malicious code, which includes worms, viruses, backdoors, Trojan horses, etc.
a) Respond promptly (see 7.4.1)
b) Trace and block the source IP address
c) In case of an internal attack, analyze the vulnerability in cooperation with the anti-virus provider and apply the security patches/update to the up-to-date version of the anti-virus program

8.3 Information gathering
Information is collected on the target system by using vulnerability analysis tools or system commands. The following responses are required.
a) Respond promptly (see 7.4)
b) Trace and block the source IP address through the firewall

8.4 Inappropriate usage
Where software vulnerabilities (buffer overflow, CGI vulnerability, configuration vulnerability, vulnerable passwords) and/or protocol vulnerabilities (TCP, IP, ARP, DNS, RIP, OSPF, DHCP, SNMP) are exposed in an attack, the following responses are required.
a) Respond promptly (see 7.4)
b) Trace and block the source IP address through the firewall

8.5 Unauthorized access
a) Respond promptly (see 7.4)
b) Trace and block the source IP address through the firewall

Annex A (informative) Example of the incident criteria based on computer security events and incidents
A.1 Computer security events and incidents
For all the incidents that can cause damage and interference to running services, the incident criteria are determined based on the type, impact, system priority, damage scale, etc. Incident criteria should be established that are proper to the organization, as shown in Tables A.1, A.2, A.3, A.4, and A.5.
A.1.1 Fundamental incident criteria
Table A.1 Example of fundamental incident criteria
Category                    | Description                                          | Reference
Importance of information   | Moderate, Important, Very Important                  | Table A.4
Impact of the incident type | Moderate or beyond                                   | Table A.2
Intrusion damage scale      | Moderate or beyond                                   | Table A.3
User definition             | Security event is detected by a user-defined rule set | Other than integrated analysis, ESM, TMS, etc.
A.1.2 Impacts according to each incident type
Table A.2 Example of impacts according to each incident
Incident types        | Low | Moderate | Important | Very Important
Information gathering | V   |          |           |
Simple intrusion
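As an added example of the event collection and analysis in 7.3 b) and the source tracing and registration in 8.1 a) and d), not part of this document, the following Python script parses web server access-log lines in the common combined format, counts requests per source address in a sliding time window and renders a firewall rule for each source that exceeds a threshold. The log lines, addresses, window and threshold are constructed for the example, and the function names are the example's own.

```python
"""Added example (not from ISO/IEC 27035-3): flag flood sources in web access
logs (7.3 b) event analysis) and render block rules for them (8.1 a) and d)).
Log lines, addresses and threshold are constructed. Standard library only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": datetime.strptime(m["time"], TIME_FMT),
            "request": m["req"], "status": int(m["status"])}


def find_flood_sources(lines, window_seconds=10, threshold=50):
    """{ip: peak requests in any window} for sources that exceed the threshold.

    Lines must be in time order per source, as a server writes them. One deque
    of timestamps per source holds the current window."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed line: skip, do not crash the triage
        q = windows[ev["ip"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop requests that fell out of the window
        if len(q) > threshold:
            peaks[ev["ip"]] = max(peaks.get(ev["ip"], 0), len(q))
    return peaks


def block_rules(peaks, allowlist=frozenset()):
    """One iptables DROP rule per flagged source. The allowlist protects shared
    legitimate sources (partner NAT gateways, monitoring probes, CDN edges)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(peaks) if ip not in allowlist]


def sample_log():
    """Constructed lines: three ordinary clients, one flood source, one bad line."""
    t0 = datetime(2013, 3, 3, 2, 14, 7, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(4):
        for ip in ("192.0.2.10", "192.0.2.11", "203.0.113.10"):
            lines.append(fmt(ip, t0 + timedelta(seconds=15 * i), "/index.html"))
    for i in range(120):                  # 15 requests per second for 8 seconds
        lines.append(fmt("198.51.100.7", t0 + timedelta(seconds=i // 15), "/search?q=" + "a" * 40))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    peaks = find_flood_sources(sample_log())
    print("flood sources:", peaks)
    for rule in block_rules(peaks, allowlist={"203.0.113.10"}):
        print(rule)
```

Tune the window and threshold against the service's own normal peak before acting on the result, and keep an allowlist of shared legitimate sources, since many users behind one NAT gateway look like a single busy address. Source blocking only helps while the sources are few and not spoofed; for volumetric floods the cooperation with the ISP in 8.1 b) is the effective step.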