NIST SP 800-61

Even though information security professionals plan to effectively manage risk, incidents still occur. NIST SP 800-61 is the National Institute of Standards and Technology (NIST) special publication that gives guidelines for organizations on how to handle security incidents. Read section 2.2 on page 6 to learn more about the need for, and the benefits of, an incident response capability. Also read section 3 on pages 21-44 to learn how to appropriately handle information security incidents. Before you move on, make sure you can explain the four stages of the incident response process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

The Need for Incident Response

Attacks frequently compromise personal and business data, and it is critical to respond quickly and effectively when security breaches occur. The concept of computer security incident response has become widely accepted and implemented. One of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response helps personnel minimize the loss or theft of information and the disruption of services caused by incidents. Another benefit is the ability to use information gained during incident handling to better prepare for future incidents and to provide stronger protection for systems and data. An incident response capability also helps the organization deal properly with legal issues that may arise during incidents.

Besides the business reasons to establish an incident response capability, Federal departments and agencies must comply with law, regulations, and policy directing a coordinated, effective defense against information security threats. Chief among these are the following:

  • OMB's Circular No. A-130, Appendix III, released in 2000, which directs Federal agencies to "ensure that there is a capability to provide help to users when a security incident occurs in the system and to share information concerning common vulnerabilities and threats. This capability shall share information with other organizations … and should assist the agency in pursuing appropriate legal action, consistent with Department of Justice guidance".
  • FISMA (from 2002), which requires agencies to have "procedures for detecting, reporting, and responding to security incidents" and establishes a centralized Federal information security incident center, in part to:
    – "Provide timely technical assistance to operators of agency information systems … including guidance on detecting and handling information security incidents …
    – Compile and analyze information about incidents that threaten information security …
    – Inform operators of agency information systems about current and potential information security threats, and vulnerabilities … ".

  • Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, which specifies minimum security requirements for Federal information and information systems, including incident response. The specific requirements are defined in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
  • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007, which provides guidance on reporting security incidents that involve PII.

Source: National Institute of Standards and Technology. This work is published free of restrictions under the Creative Commons CC0 1.0 Universal Public Domain Dedication.