[Cialug] FOSS Incident tracking
Todd Walton
tdwalton at gmail.com
Sun Nov 20 21:11:50 CST 2011
On Thu, Nov 17, 2011 at 4:36 PM, Josh More <jmore at starmind.org> wrote:
> Huh. In my world, we call those "events".
>
> An "incident" is, by definition, an event that has been analyzed and
> determined to have a security concern.
The difference between your definitions and the regular help desk
definitions are not as great as they seem. In help desk land, an
event is just something that happened, no matter its significance. An
"incident" is when something has happened that matters, i.e. when it
is a failure of the system to provide what it was intended to provide.
So, disk space getting down to 20% free might be an event, but if it
doesn't cause anyone a problem then it's not an incident. But if
someone tries to access a web service and gets an error, then it's an
incident, because it resulted in a failure of the intended operation.
Tree falling = event. Someone hears it = incident.
That's almost like what it is in the security world, as I understand
it. In help desk land it's the customer who matters. The customer's
experience is what determines the difference between an incident and
an event. In the security world, it's someone else setting the terms.
The security officer or someone like that. They care about different
things. From their perspective, it doesn't matter if documents were
lost, unless those documents contained secret information and the
information may have been consumed by someone not authorized to do so.
In both cases, an incident is a violation of the standard. The help
desk version is just a little more open and subjective.
--
Todd
More information about the Cialug
mailing list