3.4 Guide to Reading the Incident Management Process Maps
3.4.2 Workflow Descriptions
The workflow descriptions are contained in tables describing details about multiple aspects of each process and its activities. Separate descriptions are also provided for each handoff.
These tables include a wide range of information that reflects good practices, as well as a list of possibilities for some categories, such as Key People. For example, in the workflow diagram for PI: Protect Infrastructure on page 80 we can see that in the first subprocess, PI1: Evaluate Infrastructure, the key people who might be involved in this activity are listed as IT staff, audit staff, risk management staff, third-party managed security service providers, or CSIRT staff. Depending on the organizational structure and procedures, any of these people might perform this work. That is why several people are listed. It does not mean that for any given organization, all these people would perform this work.
Any organization tailoring these descriptions would select from the presented choices to indicate precisely who, in their organization, performs these tasks. Once those roles and responsibilities were established, necessary interactions and interfaces with other parts of the incident management capability would then be outlined and, where appropriate, put in place. For example, if the evaluation of the incident management capability were to be done by the audit staff, then according to the processes outlined in PI1: Evaluate Infrastructure, the audit staff would need to know how to report any indication of incidents or other problems they may uncover. This would mean that policies, procedures, and supplemental materials such as incident reporting forms would need to be created and a formalized process put in place to hand off the discovered incidents to whoever has been designated as the receipt contact point for incident and event reports in the Detect process.
Handoffs are exchanges between actors (e.g., from one person to another, from a technology to a person, or from a person to a technology) and occur between the major processes, such as Detect to Triage, Triage to Respond, etc. Another term for handoff is interface; this is usually used for system-to-system types of exchanges. The categories of information provided in each process description and handoff description are defined according to Table 4 and Table 5.
[Figure: example handoff between D2: Receive Information and T1: Categorize and Correlate Events. Event information passes to T1 if the event requires further incident management action; closed events go to the archive; events reassigned outside of the incident management process go to other organizational processes.]
CMU/SEI-2004-TR-015 47
Table 4: Incident Management Workflow Description Information Categories
Information Category: Description
Mission/objectives: The goals for this process. Defines what should be accomplished by the successful completion of the process activities.
Triggers: Activities that initiate the process. This could be an event or an input.
Completion criteria: Conditions that must be met for the process to be successfully completed.
Policies and rules: Any policies, laws, regulations, rules, etc. that govern this process or its outputs.
General requirements: Any type of supporting information, procedures, or technology that may be needed to successfully perform activities associated with this process.
Inputs: The required inputs for this process.
  Input name: The name of the input.
  Input description: A short description of the input, including the sending process.
  Input form: The form of the input (usually verbal, electronic, and/or physical).
Outputs: The possible outputs of this process.
  Output decision: Any relevant decisions that will produce one output vs. another.
  Output name: The name of the output.
  Output description: A short description of the output, including its destination.
  Output form: The form of the output (usually verbal, electronic, and/or physical).
Subprocess: All of the subprocesses or activities for this process.
  Subprocess name and diagram: The acronym (e.g., D1 for the first subprocess of Detect), the name (e.g., Notice Events), and a simple diagram indicating the relevant box on the process flow as a visual reference for the reader.
  Subprocess requirements: The requirements for this subprocess, namely what must occur for this subprocess to be successful. Also included are any inputs/outputs related to these subprocess requirements.
  Written procedures: Any procedures that must be followed by those conducting this subprocess.
  Key people: The types of key people who may conduct this subprocess or who need to be involved in any discussions or decisions.
  Technology: The types of supporting technology that may be needed to successfully perform this subprocess.
  Other/miscellaneous: Any other relevant items for this subprocess.
Table 5: Incident Management Handoff Description Information Categories
Information Category: Description
Mission/objectives: The goals for this handoff. Defines what should be accomplished by the successful completion of the handoff.
Triggers: Activity that initiates this process. This could be an event or an input.
Completion criteria: What constitutes success for this handoff.
Policies and rules: Any policies, laws, regulations, rules, etc. that govern this handoff.
Processes involved: Identifies the processes on either side of this handoff or interface.
  Sending process: The acronym and name of the process sending the objects being transmitted.
  Receiving process: The acronym and name of the process receiving the objects being transmitted.
Objects being transformed/transmitted: The objects being exchanged between the sending and receiving processes.
  Object name: The name of the object being transmitted.
  Object description: A short description of the object being transmitted.
Handoff descriptions: Set of descriptive information for each possible type of handoff (person to person, person to technology, technology to person, technology to technology).
  Handoff requirements: Any specific requirements governing how the handoff is to be conducted.
  Written procedures: Any procedures that must be followed by people or associated technology to successfully complete this handoff.
  Sending actor: Possible types of sending actors.
  Receiving actor: Possible types of receiving actors.
  Transmission/transportation modes: Relevant modes of transportation that can be used (usually verbal, electronic, and/or physical).
  Transmission/transportation mechanisms: Relevant types of transportation mechanisms that can be used (e.g., phone, email, etc.).
  Other/miscellaneous: Any other relevant characteristics of this handoff.