Submitted-by: n...@usenix.org (Nicholas M. Stoughton)
Nicholas M. Stoughton <n...@usenix.org>, Report Editor
IETF GRIP: Expectations for Security Incident Response
Nevil Brownlee <n.brown...@auckland.ac.nz> reports on the
March 4-8, 1996 IETF meeting in Los Angeles, Ca.:
The Guidelines and Recommendations for Security Incident
Processing (GRIP) working group was formed at the end of
1994 to produce a set of procedures to facilitate the
consistent handling of security incidents in the Internet
community. Although it is focussed on the Internet, many of
the concepts discussed in the proposed draft currently
available are also useful for other forms of local and wide
area network.
The document currently in production is now entitled
``Expectations for Security Incident Response'', and is
available for anyone to read via FTP from your favorite
internet drafts repository (there are several), or
ftp://ds.internic.net/internet-drafts/draft-ietf-grip-framework-irt-0...
This document is intended to facilitate the setting of
expectations regarding the operation of Security Incident
Response Teams (SIRTs). It describes the various important
topics in the form of a ``template,'' through which every
SIRT should describe itself and its functions.
SIRT clients have a legitimate need and right to fully
understand the policies and procedures of their Security
Incident Response Team. A SIRT's template supplies details
for the various important topics which clients must consider
when selecting a SIRT.
An example of a SIRT is the Computer Emergency Response
Team, CERT, based in Pittsburgh. As the scale of the problem
of security attacks increases, so does the number of bodies
and organizations offering help. Since many security
incidents involve crossing boundaries, whether they are
intra-company, inter-company, commercial, national or
whatever boundaries, the handling of such incidents may well
involve more than one agency.
In the past, there have been misunderstandings regarding the
expectations of these teams. The GRIP guide intends to
provide a framework for these expectations, and allows the
community to express areas and topics that need to be
addressed by any SIRT, whatever its specialization.
``Consistent handling'' implies that any group calling
itself a SIRT must react to security incidents or to threats
of them in ways which the Internet community agrees to be in
its general interest. Every SIRT needs to clearly define
the services it offers and the level at which they are
offered to the client. Such definitions will be
particularly important in contracts and/or agreements which
SIRTs make with their clients.
This document is now behind our original schedule, but is
beginning to look closer and closer to being a done deal.
Probably the next meeting in Montreal at the end of June
will see the final review before we submit it to the
Internet Engineering Steering Group (IESG) for review.
If this is the sort of area you are interested in
collaborating on, please feel free to mail our Working Group
chair, Barbara Fraser <b...@cert.org> for more details.