The Unified Security Incident Response Plan (USIRP) is one of the primary means by which ICASI fulfills its mission of enhancing the global security landscape. Comprising a trusted forum and supporting processes, procedures, and tools, the USIRP enables Security Incident Response Teams (SIRTs) from ICASI member companies to collaborate quickly and effectively to resolve complex, multi-vendor Internet security issues. These issues include: vulnerabilities in commonly used software; incidents, urgent or emergent, that affect three or more ICASI member organizations; and ongoing or long-term problems that warrant a strategic response.
The USIRP works by harmonizing ICASI member companies' internal security incident response procedures and personnel. It provides a common, formal framework with which these organizations can: trigger a USIRP event; share critical information about it; and work together effectively on a coordinated response.
The components of the USIRP include:
- An Incident Handling Collaboration Manual that details the procedures for reporting and prioritizing USIRP security incidents, triggering investigations, engaging technical resources, developing plans, and resolving problems.
- A set of assigned roles and responsibilities for members of the ICASI Unified Security Incident Response Team (USIRT).
- A secure online collaboration portal.
- An Incident Handling System that includes a parent "work group"; the most current, approved versions of the Incident Handling Collaboration Manual; supporting templates; the USIRP Incident Tracking Log and other documentation; and multiple "subgroups", which are used as the team collaboration environment for each incident.
USIRP incidents are triggered when a designated USIRP incident initiator from an ICASI member company has investigated a security incident using that company's regular internal procedures and determined that the problem may involve three or more member companies. Because ICASI member companies developed a unique, multilateral non-disclosure agreement (NDA) expressly for the USIRP, they are able to collaborate and share critical information openly with one another while protecting each company's intellectual property.
The USIRP is a living plan that is continuously updated, revised, and refined as it is practiced.
For more information, contact secure@ICASI.org.
The Common Vulnerability Reporting Framework (CVRF) is an XML-based standard that enables stakeholders across different organizations to share critical vulnerability-related information in an open and common machine-readable format. This format replaces myriad nonstandard reporting formats, thus speeding up information exchange and processing. With CVRF, producers of vulnerability reports benefit from faster reporting, and end users gain the ability to find relevant information more quickly and easily. CVRF Version 1.0 was released in May 2011; the current version is CVRF 1.1, released in May 2012. It is available to the public free of charge.
As of 2013, work related to CVRF within ICASI has shifted to its Security Automation WG. Through that effort, ICASI member companies are working to leverage technologies and standards (such as CVRF) to share sensitive information about vulnerabilities and threats more efficiently and quickly.
In the ever-complex world of IT security, coordination around threats and incidents is becoming more and more challenging. The ICASI Coordination WG is working to establish and promote best practices around coordination activities, inclusive of industry participants and established coordination bodies.
ICASI has established the Third Party Software Working Group, where members discuss best practices for handling security related to the ever-increasing volume of third-party software (including open source) underlying today’s IT solutions.
The Third Party Software WG is focusing its work in two main areas. The first is security engineering – the group will look into business-case drivers (for example, what is the real cost of using open source material?), and it will investigate the ways in which ICASI members track third party code being used in their enterprises. The supply chain around third-party software will also be considered.
The second area of focus is coordinated vulnerability disclosure around third-party software. The group will consider questions such as whether the ICASI structure could and/or should be used to share information around open source and other third-party vulnerabilities, and how ICASI can best deliver this information internally and externally.