Table 15: T: Triage Events Workflow Description

Mission/Objectives
• To sort event information and assign it to appropriate personnel
− within defined time constraints
− while handling information within the appropriate security context
− while documenting information in an appropriate manner

Triggers
• When event information arrives
Inputs
Input: Event information
Description: This includes all information that is passed to T: Triage Events from D: Detect Events. It can include reported information and general indicators, general requests and reports, any preliminary analysis performed on the information, and the decision rationale for forwarding the information to T: Triage Events.
Form: Verbal, electronic, or physical
CMU/SEI-2004-TR-015 119

Completion Criteria
• When events have been categorized, prioritized, assigned, closed, or reassigned

Policies and Rules
• CSIRT/IT policies
• Security-related regulations, laws, guidelines, standards, and metrics
• Organizational security policies
• Organizational policies that affect CSIRT operations
• Reporting requirements (critical infrastructure protection, government, financial, academic, military)

General Requirements
• When an event is part of an incident that has previously been closed, designated personnel can reopen the closed incident if appropriate.
• Designated personnel use appropriate procedures, technology, and office space when secure handling of event information is required.
• Designated personnel document and track results in accordance with CSIRT and organizational policies.
• Designated personnel receive appropriate training in procedures and technologies related to the tasks they are required to perform.
• Periodic quality assurance checks are performed on automated tools.
• Designated personnel use appropriate procedures and security measures when configuring and maintaining automated tools.
Outputs
Decision: Event is assigned to a technical or management response
Output: Assigned events
Description: This includes all information that is passed to R: Respond for a given event. It can include event information received by T: Triage Events, the event's category and priority, and assigned responsibility for incident handling. Some events may be identified as incidents during T: Triage Events, while other events are passed to R: Respond for further evaluation.
Form: Verbal, electronic, or physical

Decision: Event is reassigned outside of the incident management process
Output: Reassigned events
Description: This includes all information related to an event that has been reassigned outside of the incident handling process. It can include event information received by T: Triage Events, as well as the decision rationale for reassigning the information.
Form: Verbal, electronic, or physical

Decision: Event is closed
Output: Closed events
Description: This includes all information related to an event that has been closed. It can include event information received by T: Triage Events, as well as the rationale for closing the event.
Form: Verbal, electronic, or physical
Subprocesses

T1: Categorize and Correlate Events
Subprocess Requirements
• Designated personnel review event information against predefined categorization criteria and decide what to do with it (i.e., forward to T2: Prioritize Events, reassign to other groups, or close).
• Designated personnel review event information to determine whether it is a new or ongoing event and whether it correlates with other reported information.
• If an event's category cannot be determined using predefined criteria, designated personnel review information related to the event and determine its category, consulting with others as needed.
• Automated tools use predefined criteria to categorize events.
Inputs
• Event Information*
Outputs
• Categorized Events
• Reassigned Events*
• Closed Events*
Written Procedures
• Designated personnel follow triage procedures for categorizing and correlating events.
• Designated personnel use predefined categorization criteria when categorizing events.
• Designated personnel follow appropriate procedures for reassigning and closing events.
• Automated tools are designed to follow triage procedures for categorizing events.
• Automated tools use predefined criteria when categorizing events.
T2: Prioritize Events
Subprocess Requirements
• Designated personnel review categorized events against predefined prioritization criteria and determine the priority of each event.
• If an event's priority cannot be determined using predefined criteria, designated personnel review information related to the event and determine its priority, consulting with others as needed.
• Automated tools use predefined criteria to prioritize events.
Inputs
• Categorized Events
Outputs
• Prioritized Events
Written Procedures
• Designated personnel follow triage procedures for prioritizing events.
• Designated personnel use predefined prioritization criteria when prioritizing events.
• Automated tools are designed to follow triage procedures for prioritizing events.
• Automated tools use predefined criteria when prioritizing events.
T3: Assign Events
Subprocess Requirements
• Designated personnel review prioritized events against assignment guidelines and decide what to do with them (i.e., forward to R: Respond, reassign to other groups, or close).
• If assignment guidelines do not indicate where to assign an event, designated personnel review information related to the event and assign it to the appropriate parties, consulting with others as needed.
• Automated tools use predefined criteria to assign events.
Inputs
• Prioritized Events
Outputs
• Assigned Events*
• Reassigned Events*
• Closed Events*
Written Procedures
• Designated personnel follow triage procedures for assigning events.
• Designated personnel follow assignment guidelines when assigning events (e.g., work schedule rotations, functional expertise, load balancing).
• Designated personnel follow appropriate procedures for reassigning and closing events.
• Automated tools are designed to follow triage procedures for assigning events.
• Automated tools use predefined criteria when assigning and closing events.
Note: An asterisk (*) after an input to or an output of a subprocess indicates that it is also an input to or an output of the overall process. When an input to or an output of a subprocess is not followed by an asterisk, it indicates that the input or output is internal to the process.
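The three subprocesses above form one pipeline: T1 applies predefined categorization criteria, correlates the event with ongoing work and can reassign or close it; T2 applies predefined prioritization criteria; T3 applies assignment guidelines and hands the event to R: Respond. The script below is an added illustration of that pipeline as an automated triage tool would implement it; it is not code from the SEI report. The category rules, false-positive signatures, priority table, assignment guidelines, the open-incident record and the five sample events are all constructed for the example. Whenever a predefined criterion does not cover an event, the tool stops and routes the event to designated personnel (the "consulting with others as needed" case) rather than guessing, and every decision is recorded as rationale on the event so the output carries the documentation the process requires.

```python
"""Rule-driven triage pipeline modelled on T1 (categorize/correlate), T2 (prioritize)
and T3 (assign). All criteria and sample data are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    event_id: str
    summary: str
    indicators: set                      # constructed indicator strings, e.g. "host:ws-17"
    category: Optional[str] = None
    priority: Optional[str] = None
    disposition: Optional[str] = None    # assigned | reassigned | closed | manual_review
    assignee: Optional[str] = None
    related_incident: Optional[str] = None
    rationale: list = field(default_factory=list)   # decision rationale travels with the event


# Predefined criteria (hypothetical values chosen for illustration)
CATEGORY_RULES = [("malware", "malware"), ("phish", "phishing"),
                  ("password reset", "service_request"), ("scan", "reconnaissance")]
REASSIGN_OUTSIDE = {"service_request": "help desk"}      # handled outside incident management
KNOWN_FALSE_POSITIVES = {"sig:test-rule-001"}            # signatures that close on sight
BASE_PRIORITY = {"malware": "high", "phishing": "medium", "reconnaissance": "low"}
PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2}
ASSIGNMENT_GUIDELINES = {"high": "incident handling staff",
                         "medium": "CSIRT triage staff", "low": "IT staff"}


def categorize_and_correlate(ev, open_incidents):
    """T1: apply categorization criteria, correlate with ongoing incidents, reassign or close."""
    text = ev.summary.lower()
    match = next(((kw, cat) for kw, cat in CATEGORY_RULES if kw in text), None)
    if match is None:                     # criteria do not cover it: hand to a person
        ev.disposition = "manual_review"
        ev.rationale.append("T1: no predefined category matched; route to designated personnel")
        return ev
    ev.category = match[1]
    ev.rationale.append(f"T1: criterion '{match[0]}' -> category {ev.category}")
    for inc_id, inc in open_incidents.items():      # ongoing event? shared indicator says so
        if ev.indicators & inc["indicators"]:
            ev.related_incident = inc_id
            ev.rationale.append(f"T1: correlates with ongoing incident {inc_id}")
            break
    if ev.category in REASSIGN_OUTSIDE:
        ev.disposition, ev.assignee = "reassigned", REASSIGN_OUTSIDE[ev.category]
        ev.rationale.append(f"T1: {ev.category} is outside incident management -> {ev.assignee}")
    elif ev.indicators & KNOWN_FALSE_POSITIVES:
        ev.disposition = "closed"
        ev.rationale.append("T1: known false-positive signature -> closed")
    return ev


def prioritize(ev, open_incidents):
    """T2: base priority by category, raised by asset criticality or by a correlated incident."""
    prio = BASE_PRIORITY.get(ev.category)
    if prio is None:
        ev.disposition = "manual_review"
        ev.rationale.append("T2: no predefined priority for category; route to designated personnel")
        return ev
    if "asset:critical" in ev.indicators:
        prio = "high"
        ev.rationale.append("T2: critical asset involved -> high")
    if ev.related_incident:
        inc_prio = open_incidents[ev.related_incident]["priority"]
        if PRIORITY_RANK[inc_prio] > PRIORITY_RANK[prio]:
            prio = inc_prio
            ev.rationale.append(f"T2: inherits priority {inc_prio} from {ev.related_incident}")
    ev.priority = prio
    ev.rationale.append(f"T2: priority {prio}")
    return ev


def assign(ev, open_incidents):
    """T3: ongoing events go to the incident's current handler, new ones follow the guidelines."""
    if ev.related_incident:
        ev.assignee = open_incidents[ev.related_incident]["handler"]
    else:
        ev.assignee = ASSIGNMENT_GUIDELINES[ev.priority]
    ev.disposition = "assigned"
    ev.rationale.append(f"T3: assigned to {ev.assignee}")
    return ev


def triage(events, open_incidents):
    """Run T1 -> T2 -> T3; a disposition set by an earlier step ends processing for that event."""
    for ev in events:
        categorize_and_correlate(ev, open_incidents)
        if ev.disposition is None:
            prioritize(ev, open_incidents)
        if ev.disposition is None:
            assign(ev, open_incidents)
    return events


# Constructed sample data: one ongoing incident and five incoming events
OPEN_INCIDENTS = {"INC-7": {"indicators": {"src:203.0.113.5"}, "priority": "medium",
                            "handler": "handler-a"}}


def sample_events():
    return [Event("EV-1", "Malware alert on workstation ws-17", {"host:ws-17", "sig:trojan-x"}),
            Event("EV-2", "User requests password reset", {"user:jdoe"}),
            Event("EV-3", "Port scan observed from 203.0.113.5", {"src:203.0.113.5"}),
            Event("EV-4", "Malware signature fired on test host", {"sig:test-rule-001"}),
            Event("EV-5", "Something odd on the guest network", {"net:guest"})]


def run_sample():
    return {ev.event_id: ev for ev in triage(sample_events(), OPEN_INCIDENTS)}


if __name__ == "__main__":
    for ev in run_sample().values():
        print(ev.event_id, ev.disposition, ev.category, ev.priority, ev.assignee)
        for line in ev.rationale:
            print("   ", line)
```

The dispositions map onto the table's outputs: "assigned" is an Assigned Event passed to R: Respond, "reassigned" and "closed" are the starred outputs that leave the process, and "manual_review" is the path the requirements reserve for designated personnel when predefined criteria do not decide the case. EV-3 shows the correlation rule in action: it is a new report of an ongoing incident, so it inherits that incident's priority and goes to its existing handler instead of the default assignee for a low-priority event.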
Key People, Technology, and Other/Miscellaneous

T1: Categorize and Correlate Events
Key People
• Designated personnel for categorizing and correlating events can include
− CSIRT triage staff
− CSIRT hotline staff
− CSIRT manager
− help desk staff
− incident handling staff
− IT staff
− information security officer
− coordination center
Technology
• Designated personnel can use the following technology when categorizing and correlating events:
− incident handling database/tracking system
− trouble ticket system
− decision support tools (e.g., checklists, automated systems, other databases)
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
• Automated triage tools can be used to automatically categorize events.
Other/Miscellaneous
• —

T2: Prioritize Events
Key People
• Designated personnel for prioritizing events can include
− CSIRT triage staff
− CSIRT hotline staff
− CSIRT manager
− help desk staff
− incident handling staff
− IT staff
− information security officer
− coordination center
Technology
• Designated personnel can use the following technology when prioritizing events:
− incident handling database/tracking system
− trouble ticket system
− decision support tools (e.g., checklists, automated systems, other databases)
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
• Automated triage tools can be used to automatically prioritize events.
Other/Miscellaneous
• —

T3: Assign Events
Key People
• Designated personnel for assigning events can include
− CSIRT triage staff
− CSIRT hotline staff
− CSIRT manager
− help desk staff
− incident handling staff
− IT staff
− information security officer
− coordination center
Technology
• Designated personnel can use the following technology when assigning events:
− incident handling database/tracking system
− trouble ticket system
− decision support tools (e.g., checklists, automated systems, other databases)
− communication channels, encrypted when appropriate (email, videoconferencing, groupware, web)
• Automated triage tools can be used to automatically assign and close events.
Other/Miscellaneous
• —