Standards Highlights for Incident Response Teams

An interesting presentation by Michael Brophy of Certification Europe at TERENA's CSIRT Task Force meeting last week drew attention to three standards likely to be relevant to Incident Response Teams: ISO20000, ISO27001 and BS25999. Unfortunately getting copies of these standards involves payment, but the highlighted content suggested this may be worthwhile. Indeed some universities and colleges may already have licenses or library copies of documents published by BSI, which should cover all three.

ISO20000 is the international standard for IT Service Management, based on the ITIL approach. Although it has a section on "Incident Management", this is narrowly defined as covering only the immediate actions required to restore a service to operation. Identifying and dealing with the impact of an incident and its root causes, which many Incident Response teams will be involved in, are covered under "Problem Management" and the standard's guidance on this may well be useful. The standard also covers "Capacity Management", not just of technical systems but of other resources, people, skill sets and competencies: all familiar issues for Incident Response teams. Finally the guidance on "Change Management" includes the kinds of emergency changes that are often required to deal with the immediate consequences of an incident, but which should be reviewed after the event to determine whether they, or a different approach, are still appropriate.

ISO27001 & 27002 cover Information Security Management and have a specific section on "Information Security Incident Management" that is obviously relevant to Incident Response teams. However Michael suggested that they should also look at the sections on "Personnel Security", "Physical Security" and "Compliance". The first two cover issues that are important both to the team and to those around it and where expectations may not match (a long time ago I had an interesting discussion with a civil servant who assumed that all university incident responders would have Government security clearance). Reviewing the applicable law, contracts and policies as part of a compliance check should also pick up potential problems where an activity that the organisation regards as an incident turns out not to be a breach of any of these rules. [NB both of these standards date from 2005 and are currently due for revision]

Finally BS25999 on Business Continuity Management also covers managing and responding to incidents, with the aim being to maintain the operation of the business at an acceptable level. Sections particularly relevant to Incident Response teams include maintaining key personnel skills and competencies, ensuring continued availability of the Incident Response team itself (having all team members working 24 hours is unlikely to be a good idea), and dealing with communications relating to the incident.