Security Incident Sharing Framework
It's encouraging to see commercial information security organisations sharing their experience, knowledge and data, such as in the OWASP Security Spending Benchmarks Project. Last week Verizon also published details of its Incident Sharing Framework.
The framework (beta, 1st March 2010) is used in Verizon's internal security metrics gathering processes and to produce its public data breach investigation reports. The framework provides details of how various security incidents should be classified and recorded, including what is done to remedy the situation and further actions taken, such as education. By publishing the framework, Verizon hope that other organisations might collect similar data and ultimately share it to improve common knowledge.
Some other related frameworks and initiatives are listed at:
- Security Content Automation Protocol (SCAP), NIST, specifications and emerging specifications
- Consensus Information Security Metrics, CIS (see previous post on Web Application Security Metrics
These frameworks may be too complex to consider for some organisations, but even so, they provide a good guide to the kind of things you should be considering in security and privacy incident management policies and procedures. They are also useful standalone references for classifying various types of attacks and accidents.
Posted on: 05 March 2010 at 08:52 hrs
Comments are filtered automatically and should appear shortly after they been checked.