Expectations for Computer Security Incident Response
RFC 2350

Document Type RFC - Best Current Practice (June 1998; Errata)
Also known as BCP 21
Last updated 2013-03-02
Stream IETF
Network Working Group                                       N. Brownlee
Request for Comments: 2350                   The University of Auckland
BCP: 21                                                      E. Guttman
Category: Best Current Practice                        Sun Microsystems
                                                              June 1998

          Expectations for Computer Security Incident Response

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   The purpose of this document is to express the general Internet
   community's expectations of Computer Security Incident Response Teams
   (CSIRTs). It is not possible to define a set of requirements that
   would be appropriate for all teams, but it is possible and helpful to
   list and describe the general set of topics and issues which are of
   concern and interest to constituent communities.

   CSIRT constituents have a legitimate need and right to fully
   understand the policies and procedures of 'their' Computer Security
   Incident Response Team.  One way to support this understanding is to
   supply detailed information which users may consider, in the form of
   a formal template completed by the CSIRT.  An outline of such a
   template and a filled in example are provided.

Table of Contents

   1 Introduction ....................................................2
   2 Scope............................................................4
     2.1 Publishing CSIRT Policies and Procedures ....................4
     2.2 Relationships between different CSIRTs ......................5
     2.3 Establishing Secure Communications ..........................6
   3 Information, Policies and Procedures.............................7
     3.1 Obtaining the Document.......................................8
     3.2 Contact Information .........................................9
     3.3 Charter ....................................................10
         3.3.1 Mission Statement.....................................10
         3.3.2 Constituency..........................................10

Brownlee & Guttman       Best Current Practice                  [Page 1]
RFC 2350  Expectations for Computer Security Incident Response June 1998

         3.3.3 Sponsoring Organization / Affiliation.................11
         3.3.4 Authority.............................................11
     3.4 Policies ...................................................11
         3.4.1 Types of Incidents and Level of Support...............11
         3.4.2 Co-operation, Interaction and Disclosure of
               Information...........................................12
         3.4.3 Communication and Authentication......................14
     3.5 Services ...................................................15
         3.5.1 Incident Response ....................................15
               3.5.1.1 Incident Triage ..............................15
               3.5.1.2 Incident Coordination ........................15
               3.5.1.3 Incident Resolution...........................16
         3.5.2 Proactive Activities .................................16
     3.6 Incident Reporting Forms ...................................16
     3.7 Disclaimers ................................................17
   Appendix A: Glossary of Terms ....................................18
   Appendix B: Related Material .....................................20
   Appendix C: Known Computer Security Incident Response Teams ......21
   Appendix D: Outline for CSIRT Template ...........................22
   Appendix E: Example - 'filled-in' Template for a CSIRT ...........23
   4 Acknowledgements ...............................................36
   5 References .....................................................36
   6 Security Considerations ........................................36
   7 Authors' Addresses .............................................37
   8 Full Copyright Statement .......................................38

1 Introduction

   The GRIP Working Group was formed to create a document that describes
   the community's expectations of computer security incident response
   teams (CSIRTs).  Although the need for such a document originated in
   the general Internet community, the expectations expressed should
   also closely match those of more restricted communities.

   In the past there have been misunderstandings regarding what to
   expect from CSIRTs.  The goal of this document is to provide a
   framework for presenting the important subjects (related to incident
   response) that are of concern to the community.

   Before continuing, it is important to clearly understand what is
   meant by the term "Computer Security Incident Response Team."  For