Best Practices for Establishment of a National Information Security Incident Management Capability (ISIMC)

DOI: https://doi.org/10.23962/10539/28656

Keywords: cybersecurity, information security, cyber threats, CSIRT, national ISIMC, confidentiality, integrity, availability, standards, intrusion, protection, detection, incident management, incident handling, incident response

Abstract

The South African Government's National Cybersecurity Policy Framework (NCPF) of 2012 provides for the establishment of a national computer security incident response team (CSIRT) in the form of the National Cybersecurity Hub, more correctly referred to as an information security incident management capability (ISIMC). Among other things, the National Cybersecurity Hub is mandated to serve as a high-level national ISIMC that works in collaboration with sector ISIMCs to improve the security of South Africa's critical infrastructure. In this article, we identify standards, policies, procedures and best practices for the establishment of ISIMCs, and we provide recommendations for South Africa's deployment of an ISIMC collaboration network.


Published

06-12-2019

Section

Research Articles

How to Cite

Pretorius, M. and Ngejane, H. (2019) “Best Practices for Establishment of a National Information Security Incident Management Capability (ISIMC)”, The African Journal of Information and Communication (AJIC) [Preprint], (24). doi:10.23962/10539/28656.