This section defines terms used in describing security incidents and response teams. For the purpose of the GRIP documents, only a limited list is really needed. This should help maintain focus on the purpose of the documents, and prevent a duplication of other definitions or, even worse, a proliferation of competing definitions.
Implicit in the purpose of a Security Incident Response Team is the existence of a constituency. This is the group of users, sites, networks or organizations served by the team.
Implicit in the purpose of the Template proposed here is the existence of Partner Teams which are its primary audience, and which share in the responsibility for addressing security incidents or threats common to their separate constituencies.
After considerable discussion, the Working Group decided not to attempt a definition of "security", but instead to rely on intuition, or on definitions in other documents such as the Site Security Handbook.
For the purpose of this document:
'A computer security incident is any event which compromises some aspect of computer or network security.'
The definition of an incident may vary between organizations, but at least the following categories are generally applicable:
These are very general categories. For instance, the forging of an electronic mail message and a successful password attack are two examples of 'compromise of integrity.'
Within the definition of an incident, the word 'compromised' is used. Sometimes an administrator may only 'suspect' an incident. During the handling of a call, it must be established whether or not an incident really occurred.
Based on two of the definitions given above:
'A Security Incident Response Team is a group authorized to deal with security incidents that occur within its defined constituency.'
It should provide a channel for receiving reports about suspected incidents and for disseminating incident-related information to its constituency and to other related parties; it should also provide assistance to members of its constituency in handling these incidents.
A 'vendor' is any entity that produces networking or computing technology, and is responsible for the technical content of that technology. Examples of 'technology' include hardware (routers, switches, etc.) and software (operating systems, mail forwarding systems, etc.).
Note that the supplier of a technology is not necessarily the 'vendor' of that technology. As an example, an Internet Services Provider (ISP) might supply routers to each of its customers, but the 'vendor' is the manufacturer, being the entity responsible for the technical content of the router, rather than the ISP.
A 'vulnerability' is a characteristic of a piece of technology which can be exploited to perpetrate a security incident. For example, if a program allowed ordinary users to execute operating system commands in privileged mode, this "feature" would be a vulnerability.