summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2350.txt
blob: 43fdd958563c97fe0012be16419d23892c74ea42 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
Network Working Group                                       N. Brownlee
Request for Comments: 2350                   The University of Auckland
BCP: 21                                                      E. Guttman
Category: Best Current Practice                        Sun Microsystems
                                                              June 1998


          Expectations for Computer Security Incident Response

Status of this Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   The purpose of this document is to express the general Internet
   community's expectations of Computer Security Incident Response Teams
   (CSIRTs). It is not possible to define a set of requirements that
   would be appropriate for all teams, but it is possible and helpful to
   list and describe the general set of topics and issues which are of
   concern and interest to constituent communities.

   CSIRT constituents have a legitimate need and right to fully
   understand the policies and procedures of 'their' Computer Security
   Incident Response Team.  One way to support this understanding is to
   supply detailed information which users may consider, in the form of
   a formal template completed by the CSIRT.  An outline of such a
   template and a filled in example are provided.

Table of Contents

   1 Introduction ....................................................2
   2 Scope............................................................4
     2.1 Publishing CSIRT Policies and Procedures ....................4
     2.2 Relationships between different CSIRTs ......................5
     2.3 Establishing Secure Communications ..........................6
   3 Information, Policies and Procedures.............................7
     3.1 Obtaining the Document.......................................8
     3.2 Contact Information .........................................9
     3.3 Charter ....................................................10
         3.3.1 Mission Statement.....................................10
         3.3.2 Constituency..........................................10



Brownlee & Guttman       Best Current Practice                  [Page 1]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


         3.3.3 Sponsoring Organization / Affiliation.................11
         3.3.4 Authority.............................................11
     3.4 Policies ...................................................11
         3.4.1 Types of Incidents and Level of Support...............11
         3.4.2 Co-operation, Interaction and Disclosure of
               Information...........................................12
         3.4.3 Communication and Authentication......................14
     3.5 Services ...................................................15
         3.5.1 Incident Response ....................................15
               3.5.1.1 Incident Triage ..............................15
               3.5.1.2 Incident Coordination ........................15
               3.5.1.3 Incident Resolution...........................16
         3.5.2 Proactive Activities .................................16
     3.6 Incident Reporting Forms ...................................16
     3.7 Disclaimers ................................................17
   Appendix A: Glossary of Terms ....................................18
   Appendix B: Related Material .....................................20
   Appendix C: Known Computer Security Incident Response Teams ......21
   Appendix D: Outline for CSIRT Template ...........................22
   Appendix E: Example - 'filled-in' Template for a CSIRT ...........23
   4 Acknowlegements ................................................36
   5 References .....................................................36
   6 Security Considerations ........................................36
   7 Authors' Addresses .............................................37
   8 Full Copyright Statement .......................................38

1 Introduction

   The GRIP Working Group was formed to create a document that describes
   the community's expectations of computer security incident response
   teams (CSIRTs).  Although the need for such a document originated in
   the general Internet community, the expectations expressed should
   also closely match those of more restricted communities.

   In the past there have been misunderstandings regarding what to
   expect from CSIRTs.  The goal of this document is to provide a
   framework for presenting the important subjects (related to incident
   response) that are of concern to the community.

   Before continuing, it is important to clearly understand what is
   meant by the term "Computer Security Incident Response Team."  For
   the purposes of this document, a CSIRT is a team that performs,
   coordinates, and supports the response to security incidents that
   involve sites within a defined constituency (see Appendix A for a
   more complete definition).  Any group calling itself a CSIRT for a
   specific constituency must therefore react to reported security
   incidents, and to threats to "their" constituency in ways which the
   specific community agrees to be in its general interest.



Brownlee & Guttman       Best Current Practice                  [Page 2]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   Since it is vital that each member of a constituent community be able
   to understand what is reasonable to expect of their team, a CSIRT
   should make it clear who belongs to their constituency and define the
   services the team offers to the community. Additionally, each CSIRT
   should publish its policies and operating procedures. Similarly,
   these same constituents need to know what is expected of them in
   order for them to receive the services of their team.  This requires
   that the team also publish how and where to report incidents.

   This document details a template which will be used by CSIRTs to
   communicate this information to their constituents.  The constituents
   should certainly expect a CSIRT to provide the services they describe
   in the completed template.

   It must be emphasized that without active participation from users,
   the effectiveness of the CSIRT's services can be greatly diminished.
   This is particularly the case with reporting.  At a minimum, users
   need to know that they should report security incidents, and know how
   and to where they should report them.

   Many computer security incidents originate outside local community
   boundaries and affect inside sites, others originate inside the local
   community and affect hosts or users on the outside.  Often,
   therefore, the handling of security incidents will involve multiple
   sites and potentially multiple CSIRTs.  Resolving these incidents
   will require cooperation between individual sites and CSIRTs, and
   between CSIRTs.

   Constituent communities need to know exactly how their CSIRT will be
   working with other CSIRTs and organizations outside their
   constituency, and what information will be shared.

   The rest of this document describes the set of topics and issues that
   CSIRTs need to elaborate for their constituents. However, there is no
   attempt to specify the "correct" answer to any one topic area.
   Rather, each topic is discussed in terms of what that topic means.

   Chapter two provides an overview of three major areas:  the
   publishing of information by a response team, the definition of the
   response team's relationship to other response teams, and the need
   for secure communications.  Chapter three describes in detail all the
   types of information that the community needs to know about their
   response team.

   For ease of use by the community, these topics are condensed into an
   outline template found in Appendix D.  This template can be used by
   constituents to elicit information from their CSIRT.




Brownlee & Guttman       Best Current Practice                  [Page 3]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   It is the working group's sincere hope that through clarification of
   the topics in this document, understanding between the community and
   its CSIRTs will be increased.

2 Scope

   The interactions between an incident response team and its
   constituent community response team require first that the community
   understand the policies and procedures of the response team. Second,
   since many response teams collaborate to handle incidents, the
   community must also understand the relationship between their
   response team and other teams.  Finally, many interactions will take
   advantage of existing public infrastructures, so the community needs
   to know how those communications will be protected. Each of these
   subjects will be described in more detail in the following three
   sections.

2.1 Publishing CSIRT Policies and Procedures

   Each user who has access to a Computer Security Incident Response
   Team should know as much as possible about the services of and
   interactions with this team long before he or she actually needs
   them.

   A clear statement of the policies and procedures of a CSIRT helps the
   constituent understand how best to report incidents and what support
   to expect afterwards.  Will the CSIRT assist in resolving the
   incident?   Will it provide help in avoiding incidents in the future?
   Clear expectations, particularly of the limitations of the services
   provided by a CSIRT, will make interaction with it more efficient and
   effective.

   There are different kinds of response teams: some have very broad
   constituencies (e.g., CERT Coordination Center and the Internet),
   others have more bounded constituencies (e.g., DFN-CERT, CIAC), and
   still others have very restricted constituencies (e.g., commercial
   response teams, corporate response teams).  Regardless of the type of
   response team, the constituency supported by it must be knowledgeable
   about the team's policies and procedures. Therefore, it is mandatory
   that response teams publish such information to their constituency.

   A CSIRT should communicate all necessary information about its
   policies and services in a form suitable to the needs of its
   constituency.  It is important to understand that not all policies
   and procedures need be publicly available.  For example, it is not
   necessary to understand the internal operation of a team in order to
   interact with it, as when reporting an incident or receiving guidance
   on how to analyze or secure one's systems.



Brownlee & Guttman       Best Current Practice                  [Page 4]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   In the past, some teams supplied a kind of Operational Framework,
   others provided a Frequently Asked Questions list (FAQ), while still
   others wrote papers for distribution at user conferences or sent
   newsletters.

   We recommend that each CSIRT publish its guidelines and procedures on
   its own information server (e.g. a World Wide Web server).  This
   would allow constituents to easily access it, though the problem
   remains of how a constituent can find his or her team; people within
   the constituency have to discover that there is a CSIRT "at their
   disposal."

   It is foreseen that completed CSIRT templates will soon become
   searchable by modern search engines,  which will aid in distributing
   information about the existence of CSIRTs and basic information
   required to approach them.

   It would be very useful to have a central repository containing all
   the completed CSIRT templates.  No such repository exists at the time
   of writing, though this might change in the future.

   Regardless of the source from which the information is retrieved, the
   user of the template must check its authenticity.  It is highly
   recommended that such vital documents be protected by digital
   signatures.  These will allow the user to verify that the template
   was indeed published by the CSIRT and that it has not been tampered
   with. This document assumes the reader is familiar with the proper
   use of digital signatures to determine whether a document is
   authentic.

2.2 Relationships between different CSIRTs

   In some cases a CSIRT may be able to operate effectively on its own
   and in close cooperation with its constituency.  But with today's
   international networks it is much more likely that most of the
   incidents handled by a CSIRT will involve parties external to its
   constituency.  Therefore the team will need to interact with other
   CSIRTs and sites outside its constituency.

   The constituent community should understand the nature and extent of
   this collaboration, as very sensitive information about individual
   constituents may be disclosed in the process.

   Inter-CSIRT interactions could include asking other teams for advice,
   disseminating knowledge of problems, and working cooperatively to
   resolve a security incident affecting one or more of the CSIRTs'
   constituencies.




Brownlee & Guttman       Best Current Practice                  [Page 5]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   In establishing relationships to support such interactions, CSIRTs
   must decide what kinds of agreements can exist between them so as to
   share yet safeguard information, whether this relationship can be
   disclosed, and if so to whom.

   Note that there is a difference between a peering agreement, where
   the CSIRTs involved agree to work together and share information, and
   simple co-operation, where a CSIRT (or any other organization) simply
   contacts another CSIRT and asks for help or advice.

   Although the establishment of such relationships is very important
   and affects the ability of a CSIRT to support its constituency, it is
   up to the teams involved to decide about the details.  It is beyond
   the scope of this document to make recommendations for this process.
   However, the same set of information used to set expectations for a
   user community regarding sharing of information will help other
   parties to understand the objectives and services of a specific
   CSIRT, supporting a first contact.

2.3 Establishing Secure Communications

   Once one party has decided to share information with another party,
   or two parties have agreed to share information or work together - as
   required for the coordination of computer security incident response
   - all parties involved need secure communications channels. (In this
   context, "secure" refers to the protected transmission of information
   shared between different parties, and not to the appropriate use of
   the information by the parties.)

   The goals of secure communication are:

      - Confidentiality:
        Can somebody else access the content of the communication?

      - Integrity:
        Can somebody else manipulate the content of the communication?

      - Authenticity:
        Am I communicating with the "right" person?

   It is very easy to send forged e-mail, and not hard to establish a
   (false) identity by telephone.    Cryptographic techniques, for
   example Pretty Good Privacy (PGP) or Privacy Enhanced Mail (PEM) can
   provide effective ways of securing e-mail.  With the correct
   equipment it is also possible to secure telephone communication. But
   before using such mechanisms, both parties need the "right"
   infrastructure, which is to say preparation in advance.  The most
   important preparation is ensuring the authenticity of the



Brownlee & Guttman       Best Current Practice                  [Page 6]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   cryptographic keys used in secure communication:

   - Public keys (for techniques like PGP and PEM):
     Because they are accessible through the Internet, public keys must
     be authenticated before use.  While PGP relies on a "Web of Trust"
     (where users sign the keys of other users), PEM relies on a
     hierarchy (where certification authorities sign the keys of users).

   - Secret keys (for techniques like DES and PGP/conventional
     encryption):  Because these must be known to both sender and
     receiver, secret keys must be exchanged before the communication
     via a secure channel.

   Communication is critical to all aspects of incident response.  A
   team can best support the use of the above-mentioned techniques by
   gathering all relevant information, in a consistent way.  Specific
   requirements (such as calling a specific number to check the
   authenticity of keys) should be clear from the start.  CSIRT
   templates provide a standardized vehicle for delivering this
   information.

   It is beyond the scope of this document to address the technical and
   administrative problems of secure communications.  The point is that
   response teams must support and use a method to secure the
   communications between themselves and their constituents (or other
   response teams).  Whatever the mechanism is, the level of protection
   it provides must be acceptable to the constituent community.

3 Information, Policies and Procedures

   In chapter 2 it was mentioned that the policies and procedures of a
   response team need to be published to their constituent community.
   In this chapter we will list all the types of information that the
   community needs to receive from its response team.  How this
   information is communicated to a community will differ from team to
   team, as will the specific information content.  The intent here is
   to clearly describe the various kinds of information that a
   constituent community expects from its response team.

   To make it easier to understand the issues and topics relevant to the
   interaction of constituents with "their" CSIRT, we suggest that a
   CSIRT publish all information, policies, and procedures addressing
   its constituency as a document, following the template given in
   Appendix D.  The template structure arranges items, making it easy to
   supply specific information; in Appendix E we provide an example of a
   filled-out template for the fictitious XYZ University.  While no
   recommendations are made as to what a CSIRT should adopt for its
   policy or procedures, different possibilities are outlined to give



Brownlee & Guttman       Best Current Practice                  [Page 7]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   some examples.  The most important thing is that a CSIRT have a
   policy and that those who interact with the CSIRT be able to obtain
   and understand it.

   As always, not every aspect for every environment and/or team can be
   covered.  This outline should be seen as a suggestion.  Each team
   should feel free to include whatever they think is necessary to
   support its constituency.

3.1 Obtaining the Document

   Details of a CSIRT change with time, so the completed template must
   indicate when it was last changed.  Additionally, information should
   be provided concerning how to find out about future updates. Without
   this, it is inevitable that misunderstandings and misconceptions will
   arise over time; outdated documents can do more harm than good.

   - Date of last update         This should be sufficient to allow
                                 anyone interested to evaluate the
                                 currency of the template.

   - Distribution list           Mailing lists are a convenient
                                 mechanism to distribute up-to-date
                                 information to a large number of
                                 users.  A team can decide to use its
                                 own or an already existing list to
                                 notify users whenever the document
                                 changes.  The list might normally be
                                 groups the CSIRT has frequent
                                 interactions with.

                                 Digital signatures should be used
                                 for update messages sent by a CSIRT.

   - Location of the document    The location where a current version
                                 of the document is accessible through
                                 a team's online information services.
                                 Constituents can then easily learn
                                 more about the team and check for
                                 recent updates.  This online version
                                 should also be accompanied by a
                                 digital signature.









Brownlee & Guttman       Best Current Practice                  [Page 8]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


3.2 Contact Information

   Full details of how to contact the CSIRT should be listed here,
   although this might be very different for different teams; for
   example, some might choose not to publicize the names of their team
   members. No further clarification is given when the meaning of the
   item can be assumed.

   - Name of the CSIRT

   - Mailing Address

   - Time zone                   This is useful for coordinating
                                 incidents which cross time zones.

   - Telephone number

   - Facsimile number

   - Other telecommunication     Some teams might provide secure
                                 voice communication (e.g. STU III).

   - Electronic mail address

   - Public keys and encryption  The use of specific techniques
                                 depends on the ability of the
                                 communication partners to have
                                 access to programs, keys and so on.
                                 Relevant information should be
                                 given to enable users to determine
                                 if and how they can make use of
                                 encrypted communication while
                                 interacting with the CSIRT.
   - Team members

   - Operating Hours             The operating hours and holiday
                                 schedule should be provided here.
                                 Is there a 24 hour hotline?

   - Additional Contact Info     Is there any specific customer
                                 contact info?

   More detailed contact information can be provided.  This might
   include different contacts for different services, or might be a list
   of online information services.  If specific procedures for access to
   some services exist (for example addresses for mailing list
   requests), these should be explained here.




Brownlee & Guttman       Best Current Practice                  [Page 9]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


3.3 Charter

   Every CSIRT must have a charter which specifies what it is to do, and
   the authority under which it will do it.  The charter should include
   at least the following items:

   - Mission statement
   - Constituency
   - Sponsorship / affiliation
   - Authority

3.3.1 Mission Statement

   The mission statement should focus on the team's core activities,
   already stated in the definition of a CSIRT.  In order to be
   considered a Computer Security Incident Response Team, the team must
   support the reporting of incidents and support its constituency by
   dealing with incidents.

   The goals and purposes of a team are especially important, and
   require clear, unambiguous definition.

3.3.2 Constituency

   A CSIRT's constituency can be determined in any of several ways. For
   example it could be a company's employees or its paid subscribers, or
   it could be defined in terms of a technological focus, such as the
   users of a particular operating system.

   The definition of the constituency should create a perimeter around
   the group to whom the team will provide service.  The policy section
   of the document (see below) should explain how requests from outside
   this perimeter will be handled.

   If a CSIRT decides not to disclose its constituency, it should
   explain the reasoning behind this decision. For example, for-fee
   CSIRTs will not list their clients but will declare that they provide
   a service to a large group of customers that are kept confidential
   because of the clients' contracts.

   Constituencies might overlap, as when an ISP provides a CSIRT which
   delivers services to customer sites that also have CSIRTs.  The
   Authority section of the CSIRT's description (see below) should make
   such relationships clear.







Brownlee & Guttman       Best Current Practice                 [Page 10]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


3.3.3 Sponsoring Organization / Affiliation

   The sponsoring organization, which authorizes the actions of the
   CSIRT, should be given next.   Knowing this will help the users to
   understand the background and set-up of the CSIRT, and it is vital
   information for building trust between a constituent and a CSIRT.

3.3.4 Authority

   This section will vary greatly from one CSIRT to another, based on
   the relationship between the team and its constituency.   While an
   organizational CSIRT will be given its authority by the management of
   the organization, a community CSIRT will be supported and chosen by
   the community, usually in a advisory role.

   A CSIRT may or may not have the authority to intervene in the
   operation of all of the systems within its perimeter.  It should
   identify the scope of its control as distinct from the perimeter of
   its constituency.  If other CSIRTs operate hierarchically within its
   perimeter, this should be mentioned here, and the related CSIRTs
   identified.

   Disclosure of a team's authority may expose it to claims of
   liability.  Every team should seek legal advice on these matters.
   (See section 3.7 for more on liability.)

3.4 Policies

   It is critical that Incident Response Teams define their policies.
   The following sections discuss communication of these policies to the
   constituent community.

3.4.1 Types of Incidents and Level of Support

   The types of incident which the team is able to address, and the
   level of support which the team will offer when responding to each
   type of incident, should be summarized here in list form.  The
   Services section (see below) provides the opportunity to give more
   detailed descriptions, and to address non-incident-related topics.

   The level of support may change depending on factors such as the
   team's workload and the completeness of the information available.
   Such factors should be outlined and their impact should be explained.
   As a list of known types of incidents will be incomplete with regard
   to possible or future incidents, a CSIRT should also give some
   background on the "default" support for incident types not otherwise
   mentioned.




Brownlee & Guttman       Best Current Practice                 [Page 11]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   The team should state whether it will act on information it receives
   about vulnerabilities which create opportunities for future
   incidents.  A commitment to act on such information on behalf of its
   constituency is regarded as an optional proactive service policy
   rather than a core service requirement for a CSIRT.

3.4.2 Co-operation, Interaction and Disclosure of Information

   This section should make explicit which related groups the CSIRT
   routinely interacts with.  Such interactions are not necessarily
   related to the computer security incident response provided, but are
   used to facilitate better cooperation on technical topics or
   services.  By no means need details about cooperation agreements be
   given out; the main objective of this section is to give the
   constituency a basic understanding of what kind of interactions are
   established and what their purpose is.

   Cooperation between CSIRTs can be facilitated by the use of unique
   ticket number assignment combined with explicit handoff procedures.
   This reduces the chance of misunderstandings, duplications of effort,
   assists in incident tracking and prevents 'loops' in communication.

   The reporting and disclosure policy should make clear who will be the
   recipients of a CSIRT's report in each circumstance.  It should also
   note whether the team will expect to operate through another CSIRT or
   directly with a member of another constituency over matters
   specifically concerning that member.

   Related groups a CSIRT will interact with are listed below:

   Incident Response Teams:
      A CSIRT will often need to interact with other CSIRTs.  For
      example a CSIRT within a large company may need to report
      incidents to a national CSIRT, and a national CSIRT may need to
      report incidents to national CSIRTs in other countries to deal
      with all sites involved in a large-scale attack.

      Collaboration between CSIRTs may lead to disclosure of
      information.  The following are examples of such disclosure, but
      are not intended to be an exhaustive list:

       - Reporting incidents within the constituency to other teams.
         If this is done, site-related information may become public
         knowledge, accessible to everyone, in particular the press.

       - Handling incidents occurring within the constituency, but
         reported from outside it (which implies that some information
         has already been disclosed off-site).



Brownlee & Guttman       Best Current Practice                 [Page 12]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


       - Reporting observations from within the constituency indicating
         suspected or confirmed incidents outside it.

       - Acting on reports of incidents from outside the constituency.

       - Passing information about vulnerabilities to vendors, to
         partner CSIRTs or directly to affected sites lying within or
         outside the constituency.

       - Feedback to parties reporting incidents or vulnerabilities.

       - The provision of contact information relating to members of
         the constituency, members of other constituencies, other
         CSIRTs, or law-enforcement agencies.

   Vendors:
      Some vendors have their own CSIRTs, but some vendors may not.  In
      such cases a CSIRT will need to work directly with a vendor to
      suggest improvements or modifications, to analyze the technical
      problem or to test provided solutions.  Vendors play a special
      role in handling an incident if their products' vulnerabilities
      are involved in the incident.

   Law-enforcement agencies:
      These include the police and other investigative agencies.  CSIRTs
      and users of the template should be sensitive to local laws and
      regulations, which may vary considerably in different countries.
      A CSIRT might advise on technical details of attacks or seek
      advice on the legal implications of an incident. Local laws and
      regulations may include specific reporting and confidentiality
      requirements.

   Press:
      A CSIRT may be approached by the press for information and comment
      from time to time.

      An explicit policy concerning disclosure to the press can be
      helpful, particularly in clarifying the expectations of a CSIRT's
      constituency.  The press policy will have to clarify the same
      topics as above more specifically, as the constituency will
      usually be very sensitive to press contacts.

   Other:
      This might include research activities or the relation to the
      sponsoring organization.






Brownlee & Guttman       Best Current Practice                 [Page 13]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   The default status of any and all security-related information which
   a team receives will usually be 'confidential,' but rigid adherence
   to this makes the team to appear to be an informational 'black hole,'
   which may reduce the likelihood of the team's obtaining cooperation
   from clients and from other organizations.  The CSIRT's template
   should define what information it will report or disclose, to whom,
   and when.

   Different teams are likely to be subject to different legal
   restraints requiring or limiting disclosure, especially if they work
   in different jurisdictions.  In addition, they may have reporting
   requirements imposed by their sponsoring organization.  Each team's
   template should specify any such constraints, both to clarify users'
   expectations and to inform other teams.

   Conflicts of interest, particularly in commercial matters, may also
   restrain disclosure by a team; this document does not recommend on
   how such conflicts should be addressed.

   A team will normally collect statistics.  If statistical information
   is distributed, the template's reporting and disclosure policy should
   say so, and should describe how to obtain such statistics.

3.4.3 Communication and Authentication

   You must have a policy which describes methods of secure and
   verifiable communication that you will use.  This is necessary for
   communication between CSIRTs and between a CSIRT and its
   constituents.  The template should include public keys or pointers to
   them, including key fingerprints, together with guidelines on how to
   use this information to check authenticity and how to deal with
   corrupted information (for example where to report this fact).

   At the moment it is recommended that as a minimum every CSIRT have
   (if possible), a PGP key available.  A team may also make other
   mechanisms available (for example PEM, MOSS, S/MIME), according to
   its needs and the needs of its constituents.   Note however, that
   CSIRTs and users should be sensitive to local laws and regulations.
   Some countries do not allow strong encryption, or enforce specific
   policies on the use of encryption technology.  In addition to
   encrypting sensitive information whenever possible, correspondence
   should include digital signatures.  (Please note that in most
   countries, the protection of authenticity by using digital signatures
   is not affected by existing encryption regulations.)

   For communication via telephone or facsimile a CSIRT may keep secret
   authentication data for parties with whom they may deal, such as an
   agreed password or phrase.  Obviously, such secret keys must not be



Brownlee & Guttman       Best Current Practice                 [Page 14]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   published, though their existence may be.

3.5 Services

   Services provided by a CSIRT can be roughly divided into two
   categories: real-time activities directly related to the main task of
   incident response, and non-real-time proactive activities, supportive
   of the incident response task. The second category and part of the
   first category consist of services which are optional in the sense
   that not all CSIRTs will offer them.

3.5.1 Incident Response

   Incident response usually includes assessing incoming reports about
   incidents ("Incident Triage") and following up on these with other
   CSIRTs, ISPs and sites ("Incident Coordination"). A third range of
   services, helping a local site to recover from an incident ("Incident
   Resolution"), is comprised of typically optional services, which not
   all CSIRTs will offer.

3.5.1.1 Incident Triage

   Incident triage usually includes:

   - Report assessment           Interpretion of incoming incident
                                 reports, prioritizing them, and
                                 relating them to ongoing incidents
                                 and trends.

   - Verification                Help in determining whether an
                                 incident has really occurred, and
                                 its scope.

3.5.1.2 Incident Coordination

   Incident Coordination normally includes:

   - Information categorization  Categorization of the incident related
                                 information (logfiles, contact
                                 information, etc.) with respect to
                                 the information disclosure policy.

   - Coordination                Notification of other involved
                                 parties on a need-to-know basis, as
                                 per the information disclosure
                                 policy.





Brownlee & Guttman       Best Current Practice                 [Page 15]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


3.5.1.3 Incident Resolution

   Usually additional or optional, incident resolution services
   include:

   - Technical Assistance        This may include analysis of
                                 compromised systems.

   - Eradication                 Elimination of the cause of a
                                 security incident (the vulnerability
                                 exploited), and its effects (for
                                 example, continuing access to the
                                 system by an intruder).

   - Recovery                    Aid in restoring affected systems
                                 and services to their status before
                                 the security incident.

3.5.2. Proactive Activities

   Usually additional or optional, proactive services might include:

   - Information provision       This might include an archive of
                                 known vulnerabilities, patches or
                                 resolutions of past problems, or
                                 advisory mailing lists.

   - Security Tools              This may include tools for auditing
                                 a Site's security.

   - Education and training

   - Product evaluation

   - Site security auditing and consulting

3.6 Incident Reporting Forms

   The use of reporting forms makes it simpler for both users and teams
   to deal with incidents.  The constituent can prepare answers to
   various important questions before he or she actually contacts the
   team, and can therefore come well prepared.  The team gets all the
   necessary information at once with the first report and can proceed
   efficiently.

   Depending on the objectives and services of a particular CSIRT,
   multiple forms may be used, for example a reporting form for a new
   vulnerability may be very different from the form used for reporting



Brownlee & Guttman       Best Current Practice                 [Page 16]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   incidents.

   It is most efficient to provide forms through the online information
   services of the team.  The exact pointers to them should be given in
   the CSIRT description document, together with statements about
   appropriate use, and guidelines for when and how to use the forms. If
   separate e-mail addresses are supported for form-based reporting,
   they should be listed here again.

   One example of such a form is the Incident Reporting Form provided by
   the CERT Coordination Center:

   - ftp://info.cert.org/incident_reporting_form

3.7 Disclaimers

   Although the CSIRT description document does not constitute a
   contract, liability may conceivably result from its descriptions of
   services and purposes.  The inclusion of a disclaimer at the end of
   the template is therefore recommended and should warn the user about
   possible limitations.

   In situations where the original version of a document must be
   translated into another language, the translation should carry a
   disclaimer and a pointer to the original.  For example:

      Although we tried to carefully translate the original document
      from German into English, we can not be certain that both
      documents express the same thoughts in the same level of detail
      and correctness.  In all cases, where there is a difference
      between both versions, the German version will prevail.

   The use of and protection by disclaimers is affected by local laws
   and regulations, of which each CSIRT should be aware. If in doubt the
   CSIRT should check the disclaimer with a lawyer.
















Brownlee & Guttman       Best Current Practice                 [Page 17]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


Appendix A: Glossary of Terms

   This glossary defines terms used in describing security incidents and
   Computer Security Incident Response Teams.  Only a limited list is
   included.  For more definitions please refer to other sources, for
   example to the Internet User's Glossary [RFC 1983].

   Constituency:
      Implicit in the purpose of a Computer Security Incident Response
      Team is the existence of a constituency.  This is the group of
      users, sites, networks or organizations served by the team.  The
      team must be recognized by its constituency in order to be
      effective.

   Security Incident:
      For the purpose of this document, this term is a synonym of
      Computer Security Incident: any adverse event which compromises
      some aspect of computer or network security.

      The definition of an incident may vary between organizations, but
      at least the following categories are generally applicable:

      - Loss of confidentiality of information.
      - Compromise of integrity of information.
      - Denial of service.
      - Misuse of service, systems or information.
      - Damage to systems.

      These are very general categories.  For instance the replacement
      of a system utility program by a Trojan Horse is an example of '
      compromise of integrity,' and a successful password attack is an
      example of 'loss of confidentiality.'  Attacks, even if they
      failed because of proper protection, can be regarded as Incidents.

      Within the definition of an incident the word 'compromised' is
      used.  Sometimes an administrator may only 'suspect' an incident.
      During the response it must be established whether or not an
      incident has really occurred.

   Computer Security Incident Response Team:
      Based on two of the definitions given above, a CSIRT is a team
      that coordinates and supports the response to security incidents
      that involve sites within a defined constituency.

      In order to be considered a CSIRT, a team must:

      - Provide a (secure) channel for receiving reports about
        suspected incidents.



Brownlee & Guttman       Best Current Practice                 [Page 18]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


      - Provide assistance to members of its constituency in
        handling these incidents.
      - Disseminate incident-related information to its
        constituency and to other involved parties.

      Note that we are not referring here to police or other law
      enforcement bodies which may investigate computer-related crime.
      CSIRT members, indeed, need not have any powers beyond those of
      ordinary citizens.

   Vendor:
      A 'vendor' is any entity that produces networking or computing
      technology, and is responsible for the technical content of that
      technology.  Examples of 'technology' include hardware (desktop
      computers, routers, switches, etc.), and software (operating
      systems, mail forwarding systems, etc.).

      Note that the supplier of a technology is not necessarily the '
      vendor' of that technology.  As an example, an Internet Service
      Provider (ISP) might supply routers to each of its customers, but
      the 'vendor' is the manufacturer, since the manufacturer, rather
      than the ISP, is the entity responsible for the technical content
      of the router.

   Vulnerability:
      A 'vulnerability' is a characteristic of a piece of technology
      which can be exploited to perpetrate a security incident.  For
      example, if a program unintentionally allowed ordinary users to
      execute arbitrary operating system commands in privileged mode,
      this "feature" would be a vulnerability.





















Brownlee & Guttman       Best Current Practice                 [Page 19]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


Appendix B: Related Material

   Important issues in responding to security incidents on a site level
   are contained in [RFC 2196], the Site Security Handbook, produced by
   the Site Security Handbook Working Group (SSH).  This document will
   be updated by the SSH working group and will give recommendations for
   local policies and procedures, mainly related to the avoidance of
   security incidents.

   Other documents of interest for the discussion of CSIRTs and their
   tasks are available by anonymous FTP. A collection can be found on:

   - ftp://ftp.cert.dfn.de/pub/docs/csir/
     Please refer to file 01-README for further information about
     the content of this directory.

   Some especially interesting documents in relation to this document
   are as follows:

   - ftp://ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/docs/
     reports/R-92-01
     This report contains the Operational Framework of CERT-NL, the
     CSIRT of SURFnet (network provider in the Netherlands).

   - For readers interested in the operation of FIRST (Forum of
     Incident Response and Security Teams) more information is
     collected in Appendix C.

   - http://hightop.nrl.navy.mil/news/incident.html
     This document leads to the NRL Incident Response Manual.

   - http://www.cert.dfn.de/eng/team/kpk/certbib.html
     This document contains an annotated bibliography of available
     material, documents and files about the operation of CSIRTs
     with links to many of the referenced items.

   - ftp://info.cert.org/incident_reporting_form
     This Incident Reporting Form is provided by the CERT
     Coordination Center to gather incident information and to avoid
     additional delays caused by the need to request more detailed
     information from the reporting site.

   - http://www.cert.org/cert.faqintro.html
     A collection of frequently asked questions from the CERT
     Coordination Center.






Brownlee & Guttman       Best Current Practice                 [Page 20]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


Appendix C: Known Computer Security Incident Response Teams

   Today, there are many different CSIRTs but no single source lists
   every team. Most of the major and long established teams (the first
   CSIRT was founded in 1988) are nowadays members of FIRST, the
   worldwide Forum of Incident Response and Security Teams.  At the time
   of writing, more than 55 teams are members (1 in Australia, 13 in
   Europe, all others in North America).  Information about FIRST can be
   found:

   - http://www.first.org/

   The current list of members is available also, with the relevant
   contact information and some additional information provided by the
   particular teams:

   - http://www.first.org/team-info/

   For CSIRTs which want to become members of this forum (please note
   that a team needs a sponsor - a team which is already a full member
   of FIRST - to be introduced), the following files contain more
   information:

   - http://www.first.org/about/op_frame.html
     The Operational Framework of FIRST.

   - http://www.first.org/docs/newmem.html
     Guidelines for teams which want to become members of FIRST.

   Many of the European teams, regardless of whether they are members
   of FIRST or not, are listed by countries on a page maintained by
   the German CSIRT:

   - http://www.cert.dfn.de/eng/csir/europe/certs.html

   To learn about existing teams suitable to one's needs it is
   often helpful to ask either known teams or an Internet Service
   Provider for the "right" contact.













Brownlee & Guttman       Best Current Practice                 [Page 21]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


Appendix D: Outline for CSIRT Template

   This outline summarizes in point form the issues addressed in this
   document, and is the recommended template for a CSIRT description
   document.  Its structure is designed to facilitate the communication
   of a CSIRT's policies, procedures, and other relevant information to
   its constituency and to outside organizations such as other CSIRTs. A
   'filled-in' example of this template is given as Appendix E.

      1.   Document Information
      1.1  Date of Last Update
      1.2  Distribution List for Notifications
      1.3  Locations where this Document May Be Found

      2.   Contact Information
      2.1  Name of the Team
      2.2  Address
      2.3  Time Zone
      2.4  Telephone Number
      2.5  Facsimile Number
      2.6  Other Telecommunication
      2.7  Electronic Mail Address
      2.8  Public Keys and Encryption Information
      2.9  Team Members
      2.10 Other Information
      2.11 Points of Customer Contact

      3.   Charter
      3.1  Mission Statement
      3.2  Constituency
      3.3  Sponsorship and/or Affiliation
      3.4  Authority

      4.   Policies
      4.1  Types of Incidents and Level of Support
      4.2  Co-operation, Interaction and Disclosure of Information
      4.3  Communication and Authentication

      5.   Services
      5.1  Incident Response
           5.1.1. Incident Triage
           5.1.2. Incident Coordination
           5.1.3. Incident Resolution
      5.2  Proactive Activities

      6.   Incident Reporting Forms

      7.   Disclaimers



Brownlee & Guttman       Best Current Practice                 [Page 22]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


Appendix E: Example - 'filled-in' Template for a CSIRT

   Below is an example of a filled-in template for a fictitious CSIRT
   called XYZ-CSIRT.  This text is for example purposes only, and does
   not constitute endorsement by the working group or the IETF of any
   particular set of procedures or policies.  While CSIRTs are welcome
   to use any or all of this text if they wish, such use is of course
   not mandatory, or even appropriate in most cases.

CSIRT Description for XYZ-CERT
-----------------------------

   1. About this document

   1.1 Date of Last Update

        This is version 1.01, published 1997/03/31.

   1.2 Distribution List for Notifications

        Notifications of updates are submitted to our mailing list
        <xyz-cert-info@xyz-univ.ca>.  Subscription requests for this
        list should be sent to the Majordomo at
        <xyz-cert-info-request@xyz-univ.ca>; the body of the message
        should consist of the word "subscribe".  Send the word "help"
        instead if you don't know how to use a Majordomo list manager.
        This mailing list is moderated.

   1.3 Locations where this Document May Be Found

        The current version of this CSIRT description document is
        available from the XYZ-CERT WWW site; its URL is
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.txt
        Une version francaise de ce document est igalement disponible:
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.txt
        Please make sure you are using the latest version.

   1.4 Authenticating this Document

        Both the English and French versions of this document have
        been signed with the XYZ-CERT's PGP key.  The signatures are
        also on our Web site, under:
          http://www.xyz-univ.ca/xyz-cert/english/CSIRT-descr.asc
          http://www.xyz-univ.ca/xyz-cert/francais/CSIRT-descr.asc







Brownlee & Guttman       Best Current Practice                 [Page 23]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   2. Contact Information

   2.1 Name of the Team

        "XYZ-CERT": the XYZ University Computer Emergency Response
        Team.

   2.2 Address

        XYZ-CERT
        XYZ University, Computing Services Department
        12345 Rue Principale
        UniversityTown, Quebec
        Canada H0H 0H0

   2.3 Time Zone

        Canada/Eastern (GMT-0500, and GMT-0400 from April to October)

   2.4 Telephone Number

        +1 234 567 7890  (ask for the XYZ-CERT)

   2.5 Facsimile Number

        +1 234 567 7899  (this is *not* a secure fax)

   2.6 Other Telecommunication

        None available.

   2.7 Electronic Mail Address

        <xyz-cert@xyz-univ.ca>  This is a mail alias that relays mail
        to the human(s) on duty for the XYZ-CERT.

   2.8 Public Keys and Other Encryption Information

        The XYZ-CERT has a PGP key, whose KeyID is 12345678 and
        whose fingerprint is
          11 22 33 44 55 66 77 88  88 77 66 55 44 33 22 11.
        The key and its signatures can be found at the usual large
        public keyservers.

        Because PGP is still a relatively new technology at XYZ
        University, this key still has relatively few signatures;
        efforts are underway to increase the number of links to this
        key in the PGP "web of trust".  In the meantime, since most



Brownlee & Guttman       Best Current Practice                 [Page 24]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


        fellow universities in Quebec have at least one staff member
        who knows the XYZ-CERT coordinator Zoe Doe, Zoe Doe has
        signed the XYZ-CERT key, and will be happy to confirm its
        fingerprint and that of her own key to those people who know
        her, by telephone or in person.

   2.9 Team Members

        Zoe Doe of Computing Services is the XYZ-CERT coordinator.
        Backup coordinators and other team members, along with their
        areas of expertise and contact information, are listed in the
        XYZ-CERT web pages, at
          http://www.xyz-univ.ca/xyz-cert/teamlist.html

        Management, liaison and supervision are provided by Steve Tree,
        Assistant Director (Technical Services), Computing Services.

   2.10 Other Information

        General information about the XYZ-CERT, as well as links to
        various recommended security resources, can be found at
          http://www.xyz-univ.ca/xyz-cert/index.html

   2.11 Points of Customer Contact

        The preferred method for contacting the XYZ-CERT is via
        e-mail at <xyz-cert@xyz-univ.ca>; e-mail sent to this address
        will "biff" the responsible human, or be automatically
        forwarded to the appropriate backup person, immediately.  If
        you require urgent assistance, put "urgent" in your subject
        line.

        If it is not possible (or not advisable for security reasons)
        to use e-mail, the XYZ-CERT can be reached by telephone during
        regular office hours.  Telephone messages are checked less
        often than e-mail.

        The XYZ-CERT's hours of operation are generally restricted to
        regular business hours (09:00-17:00 Monday to Friday except
        holidays).

        If possible, when submitting your report, use the form
        mentioned in section 6.








Brownlee & Guttman       Best Current Practice                 [Page 25]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   3. Charter

   3.1 Mission Statement

        The purpose of the XYZ-CERT is, first, to assist members of XYZ
        University community in implementing proactive measures to
        reduce the risks of computer security incidents, and second, to
        assist XYZ community in responding to such incidents when they
        occur.

   3.2 Constituency

        The XYZ-CERT's constituency is the XYZ University community,
        as defined in the context of the "XYZ University Policy on
        Computing Facilities".  This policy is available at
          http://www-compserv.xyz-univ.ca/policies/pcf.html

        However, please note that, notwithtanding the above, XYZ-CERT
        services will be provided for on-site systems only.

   3.3 Sponsorship and/or Affiliation

        The XYZ-CERT is sponsored by the ACME Canadian Research
        Network.  It maintains affiliations with various University
        CSIRTs throughout Canada and the USA on an as needed basis.

   3.4 Authority

        The XYZ-CERT operates under the auspices of, and with authority
        delegated by, the Department of Computing Services of XYZ
        University.  For further information on the mandate and
        authority of the Department of Computing Services, please
        refer to the XYZ University "Policy on Computing Facilities",
        available at
          http://www-compserv.xyz-univ.ca/policies/pcf.html

        The XYZ-CERT expects to work cooperatively with system
        administrators and users at XYZ University, and, insofar as
        possible, to avoid authoritarian relationships.  However,
        should circumstances warrant it, the XYZ-CERT will appeal to
        Computing Services to exert its authority, direct or indirect,
        as necessary.  All members of the XYZ-CERT are members of the
        CCSA (Committee of Computer Systems Administrators), and have
        all of the powers and responsibilities assigned to Systems
        Administrators by the Policy on Computing Facilities, or are
        members of University management.





Brownlee & Guttman       Best Current Practice                 [Page 26]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


        Members of the XYZ University community who wish to appeal the
        actions of the XYZ-CERT should contact the Assistant Director
        (Technical Services), Computing Services.  If this recourse is
        not satisfactory, the matter may be referred to the Director
        of Computing Services (in the case of perceived
        problems with existing policy), or to the XYZ University
        Office of Rights and Responsibilities (in the case of perceived
        errors in the application of existing policy).

   4. Policies

   4.1 Types of Incidents and Level of Support

        The XYZ-CERT is authorized to address all types of computer
        security incidents which occur, or threaten to occur, at
        XYZ University.

        The level of support given by XYZ-CERT will vary depending on
        the type and severity of the incident or issue, the type of
        constituent, the size of the user community affected, and the
        XYZ-CERT's resources at the time, though in all cases some
        response will be made within one working day.  Resources will
        be assigned according to the following priorities, listed in
        decreasing order:

          - Threats to the physical safety of human beings.
          - Root or system-level attacks on any Management Information
            System, or any part of the backbone network infrastructure.
          - Root or system-level attacks on any large public service
            machine, either multi-user or dedicated-purpose.
          - Compromise of restricted confidential service accounts or
            software installations, in particular those used for MIS
            applications containing confidential data, or those used
            for system administration.
          - Denial of service attacks on any of the above three items.
          - Any of the above at other sites, originating from XYZ
            University.
          - Large-scale attacks of any kind, e.g. sniffing attacks,
            IRC "social engineering" attacks, password cracking
            attacks.
          - Threats, harassment, and other criminal offenses
            involving individual user accounts.
          - Compromise of individual user accounts on multi-user
            systems.
          - Compromise of desktop systems.
          - Forgery and misrepresentation, and other security-related
            violations of local rules and regulations, e.g. netnews
            and e-mail forgery, unauthorized use of IRC bots.



Brownlee & Guttman       Best Current Practice                 [Page 27]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


          - Denial of service on individual user accounts, e.g.
            mailbombing.

        Types of incidents other than those mentioned above will be
        prioritized according to their apparent severity and extent.

        Note that no direct support will be given to end users; they
        are expected to contact their system administrator, network
        administrator, or department head for assistance.  The XYZ-CERT
        will support the latter people.

        While the XYZ-CERT understands that there exists great
        variation in the level of system administrator expertise at XYZ
        University, and while the XYZ-CERT will endeavor to present
        information and assistance at a level appropriate to each
        person, the XYZ-CERT cannot train system administrators on the
        fly, and it cannot perform system maintenance on their behalf.
        In most cases, the XYZ-CERT will provide pointers to the
        information needed to implement appropriate measures.

        The XYZ-CERT is committed to keeping the XYZ University system
        administration community informed of potential vulnerabilities,
        and where possible, will inform this community of such
        vulnerabilities before they are actively exploited.

   4.2 Co-operation, Interaction and Disclosure of Information

        While there are legal and ethical restrictions on the flow of
        information from XYZ-CERT, many of which are also outlined in
        the XYZ University Policy on Computing Facilities, and all of
        which will be respected, the XYZ-CERT acknowledges its
        indebtedness to, and declares its intention to contribute to,
        the spirit of cooperation that created the Internet.
        Therefore, while appropriate measures will be taken to protect
        the identity of members of our constituency and members of
        neighbouring sites where necessary, the XYZ-CERT will otherwise
        share information freely when this will assist others in
        resolving or preventing security incidents.

        In the paragraphs below, "affected parties" refers to the
        legitimate owners, operators, and users of the relevant
        computing facilities.  It does not refer to unauthorized
        users, including otherwise authorized users making
        unauthorized use of a facility; such intruders may have no
        expectation of confidentiality from the XYZ-CERT.  They may or
        may not have legal rights to confidentiality; such rights will
        of course be respected where they exist.




Brownlee & Guttman       Best Current Practice                 [Page 28]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


        Information being considered for release will be classified as
        follows:

          - Private user information is information about particular
            users, or in some cases, particular applications, which
            must be considered confidential for legal, contractual,
            and/or ethical reasons.

            Private user information will be not be released in
            identifiable form outside the XYZ-CERT, except as provided
            for below.  If the identity of the user is disguised, then
            the information can be released freely (for example to show
            a sample .cshrc file as modified by an intruder, or to
            demonstrate a particular social engineering attack).

          - Intruder information is similar to private user
            information, but concerns intruders.

            While intruder information, and in particular identifying
            information, will not be released to the public (unless it
            becomes a  matter of public record, for example because
            criminal charges have been laid), it will be exchanged
            freely with system administrators and CSIRTs tracking an
            incident.

          - Private site information is technical information about
            particular systems or sites.

            It will not be released without the permission of the site
            in question, except as provided for below.

          - Vulnerability information is technical information about
            vulnerabilities or attacks, including fixes and
            workarounds.

            Vulnerability information will be released freely, though
            every effort will be made to inform the relevant vendor
            before the general public is informed.

          - Embarrassing information includes the statement that an
            incident has occurred, and information about its extent or
            severity.  Embarrassing information may concern a site or
            a particular user or group of users.

            Embarrassing information will not be released without the
            permission of the site or users in question, except as
            provided for below.




Brownlee & Guttman       Best Current Practice                 [Page 29]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


          - Statistical information is embarrassing information with
            the identifying information stripped off.

            Statistical information will be released at the discretion
            of the Computing Services Department.

          - Contact information explains how to reach system
            administrators and CSIRTs.

            Contact information will be released freely, except where
            the contact person or entity has requested that this not
            be the case, or where XYZ-CERT has reason to believe that
            the dissemination of this information would not be
            appreciated.

        Potential recipients of information from the XYZ-CERT will be
        classified as follows:

        - Because of the nature of their responsibilities and
          consequent expectations of confidentiality, members of XYZ
          University management are entitled to receive whatever
          information is necessary to facilitate the handling of
          computer security incidents which occur in their
          jurisdictions.

        - Members of the Office of Rights and Responsibilities are
          entitled to receive whatever information they request
          concerning a computer security incident or related matter
          which has been referred to them for resolution.  The same is
          true for the XYZ Security Department, when its assistance in
          an investigation has been enlisted, or when the investigation
          has been instigated at its request.

        - System administrators at XYZ University who are members of
          the CCSA are also, by virtue of their responsibilities,
          trusted with confidential information.  However, unless such
          people are also members of XYZ-CERT, they will be given only
          that confidential information which they must have in order
          to assist with an investigation, or in order to secure their
          own systems.

        - Users at XYZ University are entitled to information which
          pertains to the security of their own computer accounts,
          even if this means revealing "intruder information", or
          "embarrassing information" about another user.  For
          example, if account aaaa is cracked and the intruder attacks
          account bbbb, user bbbb is entitled to know that aaaa was
          cracked, and how the attack on the bbbb account was



Brownlee & Guttman       Best Current Practice                 [Page 30]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


          executed.  User bbbb is also entitled, if she or he requests
          it, to information about account aaaa which might enable
          bbbb to investigate the attack.  For example, if bbbb was
          attacked by someone remotely connected to aaaa, bbbb should
          be told the provenance of the connections to aaaa, even
          though this information would ordinarily be considered
          private to aaaa.  Users at XYZ University are entitled to be
          notified if their account is believed to have been
          compromised.

        - The XYZ University community will receive no restricted
          information, except where the affected parties have given
          permission for the information to be disseminated.
          Statistical information may be made available to the general
          XYZ community.  There is no obligation on the part of the
          XYZ-CERT to report incidents to the community, though it may
          choose to do so; in particular, it is likely that the
          XYZ-CERT will inform all affected parties of the ways in
          which they were affected, or will encourage the affected site
          to do so.

        - The public at large will receive no restricted information.
          In fact, no particular effort will be made to communicate
          with the public at large, though the XYZ-CERT recognizes
          that, for all intents and purposes, information made
          available to the XYZ University community is in effect made
          available to the community at large, and will tailor the
          information in consequence.

        - The computer security community will be treated the same way
          the general public is treated.  While members of XYZ-CERT may
          participate in discussions within the computer security
          community, such as newsgroups, mailing lists (including the
          full-disclosure list "bugtraq"), and conferences, they will
          treat such forums as though they were the public at large.
          While technical issues (including vulnerabilities) may be
          discussed to any level of detail, any examples taken from
          XYZ-CERT experience will be disguised to avoid identifying
          the affected parties.

        - The press will also be considered as part of the general
          public.  The XYZ-CERT will not interact directly with the
          Press concerning computer security incidents, except to point
          them toward information already released to the general
          public.  If necessary, information will be provided to the
          XYZ University Public Relations Department, and to the
          Customer Relations group of the Computing Services
          Department.  All incident-related queries will be referred to



Brownlee & Guttman       Best Current Practice                 [Page 31]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


          these two bodies.  The above does not affect the ability of
          members of XYZ-CERT to grant interviews on general computer
          security topics; in fact, they are encouraged to do to, as a
          public service to the community.

        - Other sites and CSIRTs, when they are partners in the
          investigation of a computer security incident, will in some
          cases be trusted with confidential information.  This will
          happen only if the foreign site's bona fide can be verified,
          and the information transmitted will be limited to that which
          is likely to be helpful in resolving the incident.  Such
          information sharing is most likely to happen in the case of
          sites well known to XYZ-CERT (for example, several other
          Quebec universities have informal but well-established
          working relationships with XYZ University in such matters).

          For the purposes of resolving a security incident, otherwise
          semi-private but relatively harmless user information such as
          the provenance of connections to user accounts will not be
          considered highly sensitive, and can be transmitted to a
          foreign site without excessive precautions.  "Intruder
          information" will be transmitted freely to other system
          administrators and CSIRTs.  "Embarrassing information" can be
          transmitted when there is reasonable assurance that it will
          remain confidential, and when it is necessary to resolve an
          incident.

        - Vendors will be considered as foreign CSIRTs for most intents
          and purposes.  The XYZ-CERT wishes to encourage vendors of
          all kinds of networking and computer equipment, software, and
          services to improve the security of their products.  In aid
          of this, a vulnerability discovered in such a product will be
          reported to its vendor, along with all technical details
          needed to identify and fix the problem.  Identifying details
          will not be given to the vendor without the permission of the
          affected parties.

        - Law enforcement officers will receive full cooperation from
          the XYZ-CERT, including any information they require to
          pursue an investigation, in accordance with the Policy on
          Computing Facilities.

   4.3 Communication and Authentication

        In view of the types of information that the XYZ-CERT will
        likely be dealing with, telephones will be considered
        sufficiently secure to be used even unencrypted.  Unencrypted
        e-mail will not be considered particularly secure, but will be



Brownlee & Guttman       Best Current Practice                 [Page 32]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


        sufficient for the transmission of low-sensitivity data.  If
        it is necessary to send highly sensitive data by e-mail, PGP
        will be used.  Network file transfers will be considered to
        be similar to e-mail for these purposes: sensitive data should
        be encrypted for transmission.

        Where it is necessary to establish trust, for example before
        relying on information given to the XYZ-CERT, or before
        disclosing confidential information, the identity and bona
        fide of the other party will be ascertained to a reasonable
        degree of trust.  Within XYZ University, and with known
        neighbor sites, referrals from known trusted people will
        suffice to identify someone.  Otherwise, appropriate methods
        will be used, such as a search of FIRST members, the use of
        WHOIS and other Internet registration information, etc, along
        with telephone call-back or e-mail mail-back to ensure that
        the party is not an impostor.  Incoming e-mail whose data must
        be trusted will be checked with the originator personally, or
        by means of digital signatures (PGP in particular is
        supported).

   5. Services

   5.1 Incident Response

        XYZ-CERT will assist system administrators in handling the
        technical and organizational aspects of incidents.  In
        particular, it will provide assistance or advice with respect
        to the following aspects of incident management:

   5.1.1 Incident Triage

            - Investigating whether indeed an incident occured.
            - Determining the extent of the incident.

   5.1.2 Incident Coordination

            - Determining the initial cause of the incident
              (vulnerability exploited).
            - Facilitating contact with other sites which may be
              involved.
            - Facilitating contact with XYZ University Security and/or
              appropriate law enforcement officials, if necessary.
            - Making reports to other CSIRTs.
            - Composing announcements to users, if applicable.






Brownlee & Guttman       Best Current Practice                 [Page 33]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   5.1.3 Incident Resolution

            - Removing the vulnerability.
            - Securing the system from the effects of the incident.
            - Evaluating whether certain actions are likely to reap
              results in proportion to their cost and risk, in
              particular those actions aimed at an eventual prosecution
              or disciplinary action: collection of evidence after the
              fact, observation of an incident in progress, setting
              traps for intruders, etc.
            - Collecting evidence where criminal prosecution, or
              University disciplinary action, is contemplated.

        In addition, XYZ-CERT will collect statistics concerning
        incidents which occur within or involve the XYZ University
        community, and will notify the community as necessary to
        assist it in protecting against known attacks.

        To make use of XYZ-CERT's incident response services, please
        send e-mail as per section 2.11 above.  Please remember that
        the amount of assistance available will vary according to
        the parameters described in section 4.1.

   5.2 Proactive Activities

        The XYZ-CERT coordinates and maintains the following
        services to the extent possible depending on its resources:
          - Information services
             - List of departmental security contacts, administrative
               and technical.  These lists will be available to the
               general public, via commonly-available channels such as
               the World Wide Web and/or the Domain Name Service.
             - Mailing lists to inform security contacts of new
               information relevant to their computing environments.
               These lists will be available only to XYZ University
               system administrators.
             - Repository of vendor-provided and other security-related
               patches for various operating systems.  This repository
               will be available to the general public wherever
               license restrictions allow it, and will be provided via
               commonly-available channels such as the World Wide Web
               and/or ftp.
             - Repository of security tools and documentation for
               use by sysadmins.  Where possible, precompiled
               ready-to-install versions will be supplied.  These will
               be supplied to the general public via www or ftp as
               above.




Brownlee & Guttman       Best Current Practice                 [Page 34]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


             - "Clipping" service for various existing resources, such
               as major mailing lists and newsgroups.  The resulting
               clippings will be made available either on the
               restricted mailing list or on the web site, depending
               on their sensitivity and urgency.
          - Training services
             - Members of the XYZ-CERT will give periodic seminars on
               computer security related topics; these seminars will
               be open to XYZ University system administrators.
          - Auditing services
             - Central file integrity checking service for Unix
               machines, and for any other platforms capable of
               running "tripwire".
             - Security level assignments; machines and subnetworks
               at XYZ University will be audited and assigned a
               security level.  This security level information will be
               available to the XYZ University community, to facilitate
               the setting of appropriate access privileges.  However,
               details of the security analyses will be confidential,
               and available only to the concerned parties.
          - Archiving services
             - Central logging service for machines capable of
               Unix-style remote logging.  Incoming log entries will
               be watched by an automated log analysis program, and
               events or trends indicative of a potential security
               problem will be reported to the affected system
               administrators.
             - Records of security incidents handled will be kept.
               While the records will remain confidential, periodic
               statistical reports will be made available to the XYZ
               University community.

        Detailed descriptions of the above services, along with
        instructions for joining mailing lists, downloading
        information, or participating in certain services such as the
        central logging and file integrity checking services, are
        available on the XYZ-CERT web site, as per section 2.10
        above.

   6. Incident Reporting Forms

        There are no local forms developed yet for reporting incidents
        to XYZ-CERT. If possible, please make use of the Incident
        Reporting Form of the CERT Coordination Center (Pittsburgh,
        PA).  The current version is available from:
           ftp://info.cert.org/incident_reporting_form





Brownlee & Guttman       Best Current Practice                 [Page 35]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


   7. Disclaimers

        While every precaution will be taken in the preparation of
        information, notifications and alerts, XYZ-CERT assumes no
        responsibility for errors or omissions, or for damages
        resulting from the use of the information contained within.

4 Acknowlegdements

   The editors gratefully acknowledge the contributed material and
   editorial scrutiny of Anne Bennett.   Thanks also to Don Stikvoort
   for assistance reworking the description of Incident Response Team
   services.

5 References

   [RFC 2196] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196,
   September 1997.

   [RFC 1983] Malkin, G., "Internet Users' Glossary", FYI 18, RFC 1983,
   August 1996.

6 Security Considerations

   This document discusses the operation of Computer Security Incident
   Response Teams, and the teams' interactions with their constituencies
   and with other organizations.  It is, therefore, not directly
   concerned with the security of protocols, applications, or network
   systems themselves.  It is not even concerned with particular
   responses and reactions to security incidents, but only with the
   appropriate description of the responses provided by CSIRTs.

   Nonetheless, it is vital that the CSIRTs themselves operate securely,
   which means that they must establish secure communication channels
   with other teams, and with members of their constituency.  They must
   also secure their own systems and infrastructure, to protect the
   interests of their constituency and to maintain the confidentiality
   of the identity of victims and reporters of security incidents.













Brownlee & Guttman       Best Current Practice                 [Page 36]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


7 Authors' Addresses

   Nevil Brownlee
   ITSS Technology Development
   The University of Auckland

   Phone: +64 9 373 7599 x8941
   EMail: n.brownlee@auckland.ac.nz


   Erik Guttman
   Sun Microsystems, Inc.
   Bahnstr. 2
   74915 Waibstadt Germany

   Phone: +49 7263 911484
   EMail: Erik.Guttman@sun.com


































Brownlee & Guttman       Best Current Practice                 [Page 37]
^L
RFC 2350  Expectations for Computer Security Incident Response June 1998


8 Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.






















Brownlee & Guttman       Best Current Practice                 [Page 38]
^L