for Computer Security Incident Response Teams (CSIRTs) - CERT/CC
This document provides guidance on forming and operating a computer
security incident response team (CSIRT). It details the functions
that make up the CSIRT, how to handle sensitive information and
the tools, procedures, and roles necessary to implement the program.
In addition, operational and technical issues are covered, such
as equipment, security, and staffing considerations.
Phases of Incident Handling - Texas A&M University
Computer security incident handling can be divided into six phases:
preparation, identification, containment, eradication, recovery,
and follow-up. Understanding these stages, and what can go wrong
in each, makes the response more methodical and avoids duplication
UNIX/LINUX Systems for Signs of Compromise - University College
One of the main aims of this document is to address the lack of
documentation describing the concrete actions to take when dealing
with a compromised *nix system. The document tries to be as
generic as possible, so you may find that tools written for a specific
platform are better suited. A secondary goal is to explain how the
relevant evidence on such a system can be examined with tools.
Case Classification (Example for enterprise CSIRT) - FIRST
This document provides the guidelines CSIRT Incident Managers (IMs)
need to classify the case category, criticality level, and
sensitivity level of each CSIRT case. This information is entered
into the Incident Tracking System (ITS) when a case is created.
Consistent case classification is required for the CSIRT to provide
accurate, regular reporting to management. In addition, the
classifications give CSIRT IMs the appropriate case handling
procedures and form the basis of SLAs between the CSIRT and other
Company departments.