• The Unified Security Incident Response Plan (USIRP)
• Common Frameworks for Vulnerability Disclosure and Response (CVRF)

The Unified Security Incident Response Plan (USIRP) is one of the primary means by which ICASI fulfills its mission of enhancing the global security landscape. Comprising a trusted forum and supporting processes, procedures, and tools, the USIRP enables Security Incident Response Teams (SIRTs) from ICASI member companies to collaborate quickly and effectively to resolve complex, multi-vendor Internet security issues. These issues include: vulnerabilities in commonly-used software; incidents -- urgent or emergent -- that affect three or more ICASI member organizations; and ongoing or long-term problems that warrant a strategic response.

The USIRP works by harmonizing ICASI member companies' internal security incident response procedures and personnel by providing a common, formal framework with which these organizations can: trigger a USIRP event; share critical information about it; and work together effectively on a coordinated response. The components of the USIRP include:

• an Incident Handling Collaboration Manual that details the procedures for reporting and prioritizing USIRP security incidents, triggering investigations, engaging technical resources, developing plans, and resolving problems;
• a set of assigned roles and responsibilities for members of the ICASI Unified Security Incident Response Team (USIRT);
• a secure online collaboration portal;
• an Incident Handling System that includes a parent "work group" the most current, approved versions of the Incident Handling Collaboration Manual, supporting templates, the USIRP Incident Tracking Log and other documentation; and multiple "subgroups" which are used as the team collaboration environment for each incident.

USIRP incidents are triggered when a designated USIRP incident initiator from an ICASI member company has investigated a security incident using that company's regular internal procedures and determined that the problem may involve three or more member companies. Because ICASI member companies developed a unique, multilateral non-disclosure agreement (NDA) expressly for the USIRP, they are able to collaborate and share critical information openly with one another while protecting each company's intellectual property.

Version 1.0 of the USIRP became operational in February of 2009. The USIRP is a living plan that is continuously updated, revised and refined as it is practiced.

For comments or questions contact: information@icasi.org

In recent years, IT vendors have made significant progress in categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposure (CVE) dictionary (http://cve.mitre.org) and Common Vulnerability Scoring System (CVSS) (http://nvd.nist.gov/cvss.cfm). However, one major gap in vulnerability standards remains: there is no common framework for reporting and sharing vulnerability information among multiple organizations.

Current methods of vulnerability reporting, such as embedding security metric and vulnerability data inside response reports, are vendor-specific, non-standard, and non-cooperative. Because each producer of vulnerability reports employs a unique document structure that does not facilitate automated processing, users must manually parse individual vulnerability reports to find information that is germane to their environments.

In an effort to solve this problem, ICASI has initiated the Common Vulnerability Reporting Framework (CVRF) project. Building on the excellent work started by organizations such as the National Infrastructure Advisory Council (NIAC), ICASI's CVRF industry working group is studying, expanding and integrating various frameworks into a common framework intended to bring consolidation and consistency to the vulnerability reporting space. The CVRF will standardize vulnerability reporting in the form of an XML framework. Once the CVRF is available, discoverers, vendors, users and coordinators of security response efforts worldwide will be able to use it to share critical vulnerability-related information, speeding information dissemination, exchange, and incident resolution. Producers of vulnerability reports will benefit from faster reporting, and end users will gain the ability to find relevant information more quickly and easily. For more information about the CVRF project, email contactcvrf@memberws.org.

View the CVRF white paper here.