NIST Special Publication 800-61 - Computer Security Incident Handling Guide


Below is an outline of NIST Special Publication 800-61 (Revision 2), Computer Security Incident Handling Guide. Members can log into the Library and view it in the browser using the email address they signed up with; only members can log in successfully.




Executive Summary
  Purpose and Scope
  Document Structure

Organizing a Computer Security Incident Response Capability
  Events and Incidents
  Need for Incident Response
  Incident Response Policy, Plan, and Procedure Creation
    Policy Elements
    Plan Elements
    Procedure Elements
    Sharing Information With Outside Parties
  Incident Response Team Structure
    Team Models
    Team Model Selection
    Incident Response Personnel
    Dependencies within Organizations
  Incident Response Team Services

Handling an Incident
  Preparing to Handle Incidents
  Preventing Incidents
  Detection and Analysis
    Attack Vectors
    Signs of an Incident
    Sources of Precursors and Indicators
    Incident Analysis
    Incident Documentation
    Incident Prioritization
    Incident Notification
  Containment, Eradication, and Recovery
    Choosing a Containment Strategy
    Evidence Gathering and Handling
    Identifying the Attacking Hosts
    Eradication and Recovery
  Post-Incident Activity
    Lessons Learned
    Using Collected Incident Data
    Evidence Retention
  Incident Handling Checklist

Coordination and Information Sharing
  Coordination Relationships
  Sharing Agreements and Reporting Requirements
  Information Sharing Techniques
    Ad Hoc
    Partially Automated
    Security Considerations
  Granular Information Sharing
    Business Impact Information
    Technical Information

Appendix A - Incident Handling Scenarios
  Scenario Questions
Appendix B - Incident-Related Data Elements
  Basic Data Elements
  Incident Handler Data Elements
Appendix C - Glossary
Appendix D - Acronyms
Appendix E - Resources
Appendix F - Frequently Asked Questions
Appendix G - Crisis Handling Steps
Appendix H - Change Log

Figures:
  Figure 2-1 Communications with Outside Parties
  Figure 3-1 Incident Response Life Cycle
  Figure 3-2 Incident Response Life Cycle (Detection and Analysis)
  Figure 3-3 Incident Response Life Cycle (Containment, Eradication, and Recovery)
  Figure 3-4 Incident Response Life Cycle (Post-Incident Activity)
  Figure 4-1 Incident Response Coordination

Tables:
  Table 3-1 Common Sources of Precursors and Indicators
  Table 3-2 Functional Impact Categories
  Table 3-3 Information Impact Categories
  Table 3-4 Recoverability Effort Categories
  Table 3-5 Incident Handling Checklist
  Table 4-1 Coordination Relationships


This article was contributed by Jason Jacobs from Guyana. Jason is a member of the Caribbean CSPA. 
