Security Incident Response process definition

Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of an incident. A process definition helps track the incident through its life cycle. Security Incident Response is a Service Management (SM) application; however, it has its own set of states for both incidents and their tasks. Invalid states are reported as part of Process Selection.

Different organizations use different incident response flows. Process Definition was created so that you can choose a process, or customize an incident response flow, to follow your established processes.

In addition to the major process definitions (NIST, SANS), some slight variations were added to open up the flow. These definitions can be further customized using workflow, client scripts, or business rules.

The sn_si.ProcessDefinition main script include controls process definitions. It determines which definition is in use (using Process Selection) and calls the appropriate script include to determine the initial states and transitions for both security incidents and response tasks.

Important upgrade information

If you upgrade to Istanbul from an earlier version of Security Incident Response, none of your state flows are retrieved. Use the procedures in this section to set up process definitions as needed.

The default process definition (NIST Stateful) defines the following incident states:
Note: Available states vary based on the current state of the incident.

Table 1. Security Incident process definition states

State       Description
Draft       The request initiator adds information about the security incident, but it is not yet ready to be worked on.
Analysis    The incident has been assigned and the issue is being analyzed.
Contain     The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
Eradicate   The issue has been contained and the security staff is taking steps to fix the issue.
Recover     The issue is resolved and the operational readiness of the affected systems is being verified.
Review      The security incident is complete and all systems are back to normal function; however, a post-incident review is still needed.
Closed      The incident is complete, but before a security incident can be closed, you must fill out the information on the Closure Information tab.

Security Incident task process definitions

The following process definitions are used for security incident tasks.

Table 2. Task process definition states

State             Description
Ready             The task is ready to be worked on once it is assigned to an agent.
Assigned          The task is assigned to an agent.
Work In Progress  The assigned agent is working on the task.
Complete          The task is complete.
Cancelled         The task was cancelled.

Process Definition provides the following process definitions with the base system:

  • NIST Stateful
  • NIST Open
  • SANS Open
  • Example (if demo data is loaded)
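To make concrete what a process definition controls (the initial states, the transitions available from the current state, and the invalid-state report that Process Selection produces), here is an added example that models one in plain JavaScript. It is not ServiceNow's sn_si.ProcessDefinition script include; the state names come from Table 1, while the transition rules for the "Stateful" and "Open" variants, and the function names, are assumptions for illustration.

```javascript
// Added example, not ServiceNow's own sn_si.ProcessDefinition: a minimal model
// of a process definition as a list of states plus allowed transitions, used to
// offer the states available from the current one, validate a requested state
// change, and report record states the definition does not define.

// Ordered incident life cycle of the NIST Stateful definition (from Table 1).
const NIST_STATES = ['Draft', 'Analysis', 'Contain', 'Eradicate', 'Recover', 'Review', 'Closed'];

// Build a definition. Assumed rules: 'stateful' allows only a move to the next
// state or back one step for rework; 'open' allows any move between defined
// states. Closed is terminal in both modes.
function buildDefinition(name, states, mode) {
  const transitions = {};
  states.forEach((s, i) => {
    if (s === 'Closed') { transitions[s] = []; return; }
    transitions[s] = mode === 'open'
      ? states.filter(t => t !== s)
      : states.filter((t, j) => j === i + 1 || j === i - 1);
  });
  return { name: name, states: states, transitions: transitions };
}

// States an incident may move to from its current state (what a choice list
// would offer). An unknown current state yields an empty list.
function availableStates(def, current) {
  return def.transitions[current] || [];
}

// Validate one requested transition; returns { ok, reason }.
function validateTransition(def, from, to) {
  if (!def.states.includes(from)) return { ok: false, reason: 'unknown state: ' + from };
  if (!def.states.includes(to)) return { ok: false, reason: 'unknown state: ' + to };
  if (!availableStates(def, from).includes(to)) {
    return { ok: false, reason: from + ' -> ' + to + ' is not allowed in ' + def.name };
  }
  return { ok: true, reason: '' };
}

// Distinct states found on existing records that the selected definition does
// not define: the kind of check from which Process Selection reports invalid states.
function findInvalidStates(def, recordStates) {
  return recordStates.filter((s, i, arr) => !def.states.includes(s) && arr.indexOf(s) === i);
}

// Two definitions built from the same state list: the strict and the open variant.
const nistStateful = buildDefinition('NIST Stateful', NIST_STATES, 'stateful');
const nistOpen = buildDefinition('NIST Open', NIST_STATES, 'open');
```

Running findInvalidStates against the states stored on existing records before switching definitions shows which records would need remapping, which is the situation the upgrade note above describes.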