The SIRT Team is responsible for timely and accurate documentation of every step in the security incident investigation. This documentation can best be organized using the following sample SIRT Team Incident Report Format.
Security Incident Response Report Format
(Note: Critical and major incidents require paging the SIRT Team Leader immediately.)
A. Incident Response Data Collection
This portion of the security incident documentation is concerned with documenting the "when" and "what" for the particular incident. Critical and Major security breaches or incidents will require SIRT Team Leader involvement.
B. Incident Response Forensics
This portion of the security incident documentation is concerned with documenting the "where," "why," and "what" for the particular incident. Critical and Major incidents will require SIRT Leader involvement in an effort to capture data and information that may be used as evidence in a court of law if a violation of a law, mandate, or regulation occurred.
The purpose of a SIRT is to carry out the organization's procedures and guidelines for an appropriate response to a security breach or incident. This response is part of an overall data and information collection task, so that forensic data and evidence can be analyzed and used in a court of law if criminal charges are warranted. In many cases, the organization must decide whether it wants to file criminal charges should the perpetrator who violated the organization's IT infrastructure and assets be found. Filing charges places the incident in the public domain as part of the public record, which some organizations prefer to avoid.
Proper data and information collection techniques must be followed, and the integrity of the collected data and information pertaining to a security breach or incident must be maintained in accordance with local, state, provincial, and federal law enforcement guidelines. If this data or physical evidence is to be used in a criminal case, organizations should contact their legal counsel to define guidelines for collecting forensic data in security breach or incident investigations.