Benchmarking Organizational Incident Management Practices
December 2019 • Podcast
Robin Ruefle and Mark Zajicek discuss recent work that provides a baseline or benchmark of incident management practices for an organization.
“We like to say everybody in an organization has a role in incident management, whether it is reporting something suspicious or helping to collect data or information or evidence or following those policies and procedures that are in place to help prevent bad things from occurring in your organization. Very often, we find that that communication and coordination is the key that is missing.”
Successful management of incidents that threaten an organization's computer security is a complex endeavor. Frequently an organization's primary focus is on the response aspects of security incidents, which results in its failure to manage incidents beyond simply reacting to threatening events. In this SEI Podcast, Robin Ruefle and Mark Zajicek discuss recent work that provides a baseline or benchmark of incident management practices for an organization. They also examine the importance of focusing on preparation for incident management, along with coordination and communication of analysis and response activities.
About the Speakers
Robin Ruefle is the team lead for the Security Operations Development and Training team within the CERT Division of the Software Engineering Institute at Carnegie Mellon University. Her focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of computer security incident response teams (CSIRTs), security operation teams or centers, incident management capabilities, and insider threat programs worldwide. A second focus area has been helping organizations build career path planning frameworks, training and mentoring frameworks, competency and curricula guidance, and readiness assessments. As a member of the CERT Division, Ruefle has worked with numerous organizations to help them plan and implement their incident management and insider threat capabilities. Ruefle has been the coauthor of a variety of publications, including Handbook for CSIRTs, 2nd edition; CSIRT Services List; Defining Incident Management Processes for CSIRTs: A Work in Progress; and The Competency Lifecycle Roadmap (CLR): Toward Performance Readiness. She has participated in the development of the CSIRT Services Framework for the Forum of Incident Response and Security Teams (FIRST). She develops and delivers sessions in the CERT Division's CSIRT and Insider Threat suites of courses. She has co-developed two instruments for evaluation of incident management capabilities, the Incident Management Capability Assessment and the Mission Risk Diagnostic for Incident Management Capabilities, and the initial version of a similar assessment, the Federal Computer Network Defense Metrics. She is a co-author of the Insider Threat Program Evaluation (ITPE) assessment instrument and the supporting courses for building an insider threat program. Ruefle received an MPIA (master of public and international affairs) and a BA in political science from the University of Pittsburgh.
She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in both the continuing education and MBA programs at Chatham University and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.
Mark Zajicek is a member of the technical staff in the CERT Division within the Software Engineering Institute at Carnegie Mellon University. Zajicek’s current work focuses on helping other organizations to build their own computer security incident response team (CSIRT) or incident management capability. As a member of the CERT CSIRT Development and Training team, Zajicek is responsible for providing guidance to new and existing CSIRTs worldwide. He has co-developed a variety of documents and training materials, and he is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff. Previously, Zajicek was the daily operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC’s incident handling staff in 1992 and supported the CERT/CC during its initial start-up in 1988.