CERT
 

Evaluating Incident Management Capabilities

As CSIRTs and other incident management capabilities mature, it is beneficial for organizations to evaluate whether they are meeting their missions and conducting their operations in an effective and efficient manner. Any evaluation criteria or mechanism should be chosen and applied with management approval and collaboration.

Evaluations can be performed for a variety of reasons and can measure different criteria, including:

  • incident handling satisfaction
  • incident response timeliness
  • damage from an incident
  • process workflow
  • general mission success

Organizations can choose different measures including:

  • benchmarking against other organizations or established standards
  • interviews and discussions with constituency representatives
  • evaluation surveys
  • audits or third-party evaluations based on predefined quality parameters

The CERT CSIRT Development Team has two methods that organizations can use to evaluate and improve their capability for managing computer security incidents.

Incident Management Capability Metrics (IMCM)
The Incident Management Capability Metrics provide organizations with a baseline against which they can benchmark their current incident management processes or services.

The goal of this incident management capability evaluation is to help organizations assemble the right set of people, processes, and technology that enables them to protect and sustain their critical data, assets, and systems, and to conduct appropriate response and coordination actions for handling events and incidents when they occur. These metrics can be used to

  • evaluate an existing capability
  • identify areas for process improvement in an existing capability
  • help determine the services and functions needed to create an incident management capability

The results obtained from the IMCM help an organization determine the maturity of its incident management capability regardless of organization or sector type (commercial, academic, government, etc.).

Incident Management Mission Diagnostic (IMMD)
The Incident Management Mission Diagnostic Method is a risk-based approach for determining the potential for success of an organization's incident management capability.

This potential for success is based on a finite set of key indicators used to estimate the current incident management capability health relative to a defined benchmark. Decision-makers can determine if the current state of their capability is acceptable, or if actions are required to improve the situation. The IMMD can be viewed as an efficient, first-pass screening of the capability to provide a quick evaluation and diagnose any unusual circumstances that might affect its potential for success.
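The screening idea above (a small set of indicators compared against a defined benchmark, yielding an "acceptable" or "action required" verdict) and the "incident response timeliness" criterion listed earlier can be illustrated with a short script. The following is an added example and is not part of the CERT page, nor is it the IMCM or IMMD method itself; the incident records, the per-severity thresholds in BENCHMARK, and the 80% pass rate in screen() are all constructed assumptions for illustration. It computes time-to-acknowledge and time-to-contain for each closed incident, aggregates them, and flags any indicator that falls below the benchmark.

```python
"""Added example: first-pass timeliness screening of an incident management
capability against a constructed benchmark. Not CERT's IMCM/IMMD method."""
from datetime import datetime
from statistics import median

# Constructed sample of closed incidents: the timestamps an incident tracking
# system would typically hold (reported, acknowledged, contained) plus severity.
SAMPLE_INCIDENTS = [
    # id,       reported,           acknowledged,       contained,          severity
    ("INC-001", "2008-06-02T09:15", "2008-06-02T09:50", "2008-06-02T14:10", "high"),
    ("INC-002", "2008-06-03T22:05", "2008-06-04T08:30", "2008-06-04T16:00", "low"),
    ("INC-003", "2008-06-10T11:00", "2008-06-10T11:05", "2008-06-10T12:30", "high"),
    ("INC-004", "2008-06-15T13:20", "2008-06-15T15:50", "2008-06-18T09:00", "medium"),
    ("INC-005", "2008-06-21T03:45", "2008-06-21T04:00", "2008-06-21T06:15", "high"),
    ("INC-006", "2008-06-28T16:30", "2008-06-28T16:35", "2008-07-01T10:00", "medium"),
]

# Hypothetical benchmark: maximum hours to acknowledge / contain, per severity.
BENCHMARK = {
    "high":   {"ack_hours": 0.5, "contain_hours": 8},
    "medium": {"ack_hours": 4,   "contain_hours": 48},
    "low":    {"ack_hours": 24,  "contain_hours": 72},
}

_FMT = "%Y-%m-%dT%H:%M"


def _hours(start, end):
    """Elapsed hours between two timestamp strings in _FMT."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 3600


def timeliness_indicators(incidents, benchmark):
    """Per-incident timings plus aggregate indicators (medians and pass rates)."""
    rows = []
    for inc_id, reported, acked, contained, sev in incidents:
        ack = _hours(reported, acked)
        contain = _hours(reported, contained)
        rows.append({
            "id": inc_id, "severity": sev,
            "ack_hours": ack, "contain_hours": contain,
            "ack_within": ack <= benchmark[sev]["ack_hours"],
            "contain_within": contain <= benchmark[sev]["contain_hours"],
        })
    n = len(rows)
    return {
        "per_incident": rows,
        "median_ack_hours": median(r["ack_hours"] for r in rows),
        "median_contain_hours": median(r["contain_hours"] for r in rows),
        "ack_within_pct": 100 * sum(r["ack_within"] for r in rows) / n,
        "contain_within_pct": 100 * sum(r["contain_within"] for r in rows) / n,
    }


def screen(indicators, required_pct=80.0):
    """First-pass verdict: acceptable only if every pass rate meets required_pct.
    Otherwise return the indicators that need management attention."""
    flags = []
    if indicators["ack_within_pct"] < required_pct:
        flags.append("acknowledgement")
    if indicators["contain_within_pct"] < required_pct:
        flags.append("containment")
    return {"acceptable": not flags, "flags": flags}


if __name__ == "__main__":
    ind = timeliness_indicators(SAMPLE_INCIDENTS, BENCHMARK)
    for r in ind["per_incident"]:
        print(f"{r['id']} {r['severity']:6} ack {r['ack_hours']:6.2f}h "
              f"({'ok' if r['ack_within'] else 'MISS'})  contain {r['contain_hours']:6.2f}h "
              f"({'ok' if r['contain_within'] else 'MISS'})")
    print(f"median ack {ind['median_ack_hours']:.2f}h, median contain {ind['median_contain_hours']:.2f}h")
    print(f"within benchmark: ack {ind['ack_within_pct']:.0f}%, contain {ind['contain_within_pct']:.0f}%")
    print(screen(ind))
```

With the constructed data, one high-severity incident misses the acknowledgement threshold and two medium-severity incidents miss containment, so acknowledgement passes at 83% while containment falls to 67% and is flagged. The point of the structure is that the benchmark and the required pass rate are explicit inputs agreed with management, so the same indicators can be re-screened as the capability changes.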

Other research in the area of evaluating incident management capabilities is being done by the CSIRT Metrics Special Interest Group (SIG) at FIRST. More information on that work can be found at http://www.first.org/global/sigs/metrics/


Last updated August 7, 2008