The federal government is looking for some help in figuring out how to respond to security incidents. As attacks continue to escalate against both government agencies and private enterprises, NIST is developing a set of standards for best practices in incident response and computer forensics.
The National Institute of Standards and Technology, which develops technical standards and guidelines for a number of fields, including computer security, is trying to expand its guidance on incident response, specifically for incidents that involve more than one organization or response team. While many attacks now are targeted at one specific organization, they may affect multiple divisions of a large company or government agency, each of which may have its own incident response team and process. NIST has put out a Request for Information from organizations with experience in these kinds of incidents.
“This RFI seeks information for a substantial expansion of NIST guidance in how multiple CSIRTs may work together to coordinate their handling of computer security incidents and how CSIRTs might work together with other organizations within a broader information sharing community,” the NIST RFI says.
“The goal of this planned document is to provide guidance for cross-organizational incident response, particularly focusing on improving the overall response during cross-cutting and widespread incidents, inspiring effective information sharing practices, and fostering interoperability between teams with varying capabilities.”
NIST already has an existing guide for incident response, but the proposed new one would be centered on sharing information among disparate organizations during the response process. The guide will be concerned with incidents that deal with four main issues:
- Two or more organizations are involved.
- There is an exchange of information between organizations pertaining to incidents or indicators of incidents.
- The organizations work together to achieve common goals (i.e., fast, effective incident response).
- The organizations limit exposures of sensitive information.
In the RFI, NIST is looking for help on a wide range of questions, including the challenges that can prevent information sharing, what standards organizations use for incident handling and information sharing and how organizations determine whether an incident has ended or is still ongoing. NIST also is looking for information on how organizations handle data related to incidents and examples of any time that sharing information may have had negative consequences for a company.
Image from Flickr photos of Lydia.