The Template which this document proposes is expected to be used by a response team to describe what it does, and in the process create criteria against which its performance can be measured. The Template does not attempt to specify a "correct" way for the team to operate, but does make recommendations on specific policies and functions seen as necessary for such a team to play a consistent role in the overall security framework. It also comments on additional roles a team might include in the ambit of its operations.
The primary purposes of the Template are:
A Template might appear to provide a marketing tool for comparing different teams, but this kind of marketing use (or abuse) is strongly discouraged by the GRIP Working Group.
This 'Framework for Response Teams' document is the first produced by the GRIP Working Group. A second document will set out guidelines for technology vendors to help them handle security incidents. The definition of terms given in the next section applies to both documents.
Another relevant IETF document is RFC 1244, the Site Security Handbook, produced by (and being updated by) the Site Security Handbook Working Group (SSH). Site requirements and recommendations are covered by the Handbook, while response team expectations and procedures are addressed by the GRIP documents.
Other documents of interest for the discussion of incident response teams and their tasks are available by anonymous FTP. A collection can be found on:
Some especially interesting documents are:
* CERT-NL Framework
  ftp://ftp.cert.dfn.de/pub/csir/docs/cert-nl.opframe.txt
* FIRST potential members
  ftp://ftp.first.org/pub/first/newmemlt.txt
  ftp://ftp.first.org/pub/first/profile.txt
  ftp://ftp.first.org/pub/first/op`frame.txt
* Bibliography
  http://www.cert.dfn.de/eng/team/kpk/certbib.html