NIST SP 800-61, Rev. 2: Computer Security Incident Handling Guide
NIST SP 800-61 is designed to help organizations plan effective and efficient incident responses.
NIST SP 800-61 has step-by-step instructions organizations should follow to rapidly detect incidents, minimize loss, mitigate weaknesses, and restore IT services.
In SP 800-61, NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” NIST describes SP 800-61 as a recommendations document to emphasize how important it is for organizations to have a well-established incident response plan and well-trained teams to carry out that plan. The document also includes guidelines for analyzing incident-related data, determining the best response to each incident, and continually monitoring for attacks. These guidelines are applicable to all hardware platforms, operating systems, protocols, and applications.
The major phases of the incident response process are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
NIST 800-61 lists these actions as crucial to establishing an incident response capability:
- Developing an incident response policy and plan
- Designing procedures for incident handling and reporting
- Establishing guidelines for communicating with outside parties
- Choosing a team structure and staffing model
- Setting up relationships and lines of communication between the incident response team and internal (e.g., legal department) and external (e.g., law enforcement agencies) groups
- Deciding the services the incident response team should provide
- Staffing and training the incident response team
Get Started with Cerberus Sentinel
Cerberus Sentinel’s team of experts has deep expertise and decades of experience working with federal agencies and public- and private-sector clients that adhere to NIST SP 800-61 guidance.