User:CyberKravMaga/Computer security incident management

This is the sandbox page where you will draft your initial Wikipedia contribution. If you're starting a new article, you can develop it here until it's ready to go live. If you're working on improvements to an existing article, copy only one section at a time of the article to this sandbox to work on, and be sure to use an edit summary linking to the article you copied from. Do not copy over the entire article. You can find additional instructions here. Remember to save your work regularly using the "Publish page" button. (It just means 'save'; it will still be in the sandbox.) You can add bold formatting to your additions to differentiate them from existing content. Bibliography sandbox

In the fields of computer security and information technology, computer security incident management (AKA cybersecurity incident management) involves all phases of the cybersecurity program related to preparing for, responding to, recovering from, reporting on, or implementing changes resulting from cybersecurity incidents. It may pertain to a single incident, be related to multiple incidents, or involve planning and preparation activity caused by the potential threat of security threats.^[1] Computer security incident management is a specialized form of incident management, the primary purpose of which is the development of a well understood, predictable, and robust response to damaging events and computer intrusions that will withstand subsequent legal and regulatory processes and prevent future incidents.

Incident management requires a process and a response team which follows this process. In the United States, This definition of computer security incident management follows the standards and definitions described in the National Incident Management System (NIMS). The incident commander manages the response to an security incident and leads the members of the incident response team(s) through the process,^[2] as defined by the Incident Command System (ICS).^[3]

Various Computer security incident management standards and frameworks are available, which provide guidance into key considerations and workflows for responding during cybersecurity incidents or the full end-to-end lifecycle related to it. These standards and frameworks are as follows:

• FEMA National Incident Management System (NIMS)
• NIST 800-61
• Cybersecurity Masters Guides Incident Management Framework (IMF)

The Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) defines a standardized approach whereby government agencies, nongovernmental organizations (NGOs), and the private sector collaborate to "prevent, protect against, mitigate, respond to, and recover from incidents" based on a shared vocabulary, common framework, and procedures aligned with the National Preparedness System and its respective components.  The NIMS guidance consists of three main components.^[4]

• Resource Management guidance seeks to promote the efficient sharing of people, infrastructure, and supplies that can be brought to bear before or during incident.
• Command and Coordination identifies key roles, hierarchies, and procedures  to facilitate incident management according to operational structures and support models.
• Communications and Information Management describes the resources and procedures used by the incident management team and other stakeholders to perform notifications and share information.

The National Institute of Standards and Technology (NIST) is a U.S. government agency that provides frameworks and guidelines for other government entities. NIST documents are also commonly referenced by entities in the private sector. The NIST 800-61 framework is used for planning and performing incident response and incident management functions, including the policy, planning, communications, and team structure that NIST advises should exist to support it. The technical workflows and descriptions, per NIST 800-61, include the following phases. The overall workflow depicts circular processes representing analysis, learning, and adaptation at all phases and continuous improvement wherein Post-Incident Activity informs Preparation Activity.^[5]

• Preparation – The Preparation phase involves ensuring the readiness for incident response functions on networks, systems, and applications by having the requisite visibility via security controls, personnel, and response support. It also focuses on preventing incidents by implementing security controls to block threats.
• Detection & Analysis – The Detection & Analysis phase enumerates samples of threat activity use cases and recommendations. These can guide users in considering capabilities to detect threats against those resources, selecting controls to prevent or detect threats, and categorizing incidents based on impact.
• Containment, Eradication, and Recovery – The Containment, Eradication, and Recovery phase combines a large group of incident response/management actions. These include the named steps in the phase (Containment, Eradication, and Recovery), performing threat intelligence workflows, identifying attacker TTPS (tools, tactics, and procedures), evidence gathering/handling, and restoring affected objects to a known-good state.
• Post-Incident Activity – The Post-Incident phase includes the identified gaps and lessons learned from incidents, with either individually or collectively feed back into the Preparation phase to better secure resources against compromise and bolster detection and response controls, functions, and operations.

The Cybersecurity Masters Guides (CSMG) Incident Management Framework (IMF) consists of 13 domains that are applied across all phases of incident management, including the preparation, active response, and follow-up phases related to cybersecurity incidents. This framework is a granular approach to breaking out and discussing key concepts related to business operations, information technology resources, security capabilities, and legal/regulatory considerations. It is used both for assessments of existing programs or the development of new programs.^[6] The 13 IMF domains include following.^[7]

• Identification - The Identification Domain Identifies the key resources, infrastructure, personnel, and security capabilities within the customer environment and the risks that could impact them.
• Communication - The Communication Domain focuses on the effectiveness of an entity and its personnel to be able to notify, communicate, and share information with internal or external parties related to security or compliance matters.
• Immediate Response - The Immediate Response Domain focuses on the capabilities that the entity has to rapidly respond to urgent threats across all technical layers and control areas.
• Containment - The Containment Doman focuses on the entities abilities to halt unauthorized activities across all technical layers and control areas.
• Evidence Collection - The Evidence Collection Domain focuses on the entity's capabilities to collect evidence from all relevant resource types, data sources, and objects.
• Analysis - The Analysis Domain focuses on the entity's capabilities to analyze the datasets collected and determine the scope, impact, and root cause(s) of security incidents.
• Mitigation - The Mitigation Domain focuses on the entity's ability to resolve the vulnerabilities or otherwise eliminate the attack vector that led to the compromise.
• Legal and Compliance - The Legal and Compliance Domain focuses on the entity's ability and maturity in engaging internal or external legal counsel for cybersecurity matters.
• Eradication - The Eradication Domain focuses on the entity's abilities to completely remove artifacts of compromise and return the environment, resources, and data to a known-good state.
• Reporting and Lessons Learned - The Reporting and Lessons Learned Domain focuses on the entity's maturity in performing after-action functions, documenting findings, and recommendations.
• Remediation and Continuous Improvement - The Remediation and Continuous Improvement Domain focuses on the entity's maturity in applying the lessons learned from incidents or other sources into a formal improvement process to prevent the exploitation of vulnerabilities elsewhere in the environment.
• Documentation - The Documentation Domain focuses on the entity's formal policies, standards, plans, procedures, playbooks, and other document types that provide guidance for cybersecurity, information technology, regulatory compliance, and related concepts.
• Training and Testing - The Training and Testing Domain focuses on the entity's maturity for proactive of follow-up training for personnel, per their respective needs by role.

FEMA. (2017). National Incident Management System. https://www.fema.gov/sites/default/files/2020-07/fema_nims_doctrine-2017.pdf

FEMA. (2024). Incident Commander Responsibilities. https://emilms.fema.gov/is_0015b/groups/134.html.

FEMA. (2018). ICS Organizational Structure and Elements" (PDF). https://training.fema.gov/emiweb/is/icsresource/assets/ics%20organizational%20structure%20and%20elements.pdf

Cichonski, Paul; Millar, Thomas; Grance, Tim; Scarfone, Karen (2012-08-06). Computer Security Incident Handling Guide (Report). National Institute of Standards and Technology.

Clark, C. A. (2024). CYBERSECURITY INCIDENT MANAGEMENT MASTERS GUIDE: Volume 1 - Preparation, Threat Response, & Post-Incident Activity (2nd ed., Vol. 1)

CSMG. (2024). Incident Management Framework. https://cybersecuritymastersguides.com/imf-13-domains.html