ABSTRACT

Incident management and response are the last step in risk management and the final barrier to what may become an unmitigated disaster. The decisions that must be made require accurate and timely information and will probably include many of the following:

◾ Is it actually an incident?
◾ What kind of incident is it?
◾ Is it a security incident?
◾ What is the severity level?
◾ Are there multiple events and impacts?
◾ Will they need triage?
◾ What is the most effective response?
◾ What immediate actions must be taken?
◾ Which incident response teams and other personnel must be mobilized?
◾ Who must be notified?
◾ Who is in charge?
◾ Is it becoming a disaster?

Some of these decisions can be supported by tools, such as event detection and correlation systems. Specific suggestions for metrics are difficult because individual circumstances vary widely. Nevertheless, this is a vital area for most organizations, and we will attempt to identify the different types of information needed and some possible ways of acquiring it. Once again, management information requirements will differ from operational or incident response needs.