The incident management process is addressed in this section as seven steps: detection, response, mitigation, reporting, recovery, remediation, and lessons learned. The organization must perform some preparation and at least possess the foundation of an incident management program before IR activity will be successful.
One of the critical early steps in building an IR capability is to identify any policy or compliance requirements for IR. This will shape the structure, communications, and response activities.
It is crucial to discuss the many incident types and vectors. Incidents can be caused by malfunctions because of design and implementation errors. They can be the result of malicious attacks, either targeted or untargeted, and involve vectors such as email, the Web, or malware. Incidents can also result from improper usage by authorized users or from theft or loss of equipment or media. Some incidents have the potential to become a breach, such as malicious exfiltration of data, or through accidental disclosure of sensitive data (sometimes called a spill or spillage), while with some incidents, such as a DDoS attack, the concern is a degradation of service. The range of incidents that the organization could face will require a wide range of skills and specialists.
It makes sense to define different combinations of response team members based on the incident vector or incident type. The same is true for creating multiple versions of the response call tree, each used to contact a different combination of people for a different incident type.
Policy, Plan, and Procedures
Next, an incident management policy needs to be written, reviewed, and approved by senior management. This policy should give authority to a set of related incident management procedures. There are many existing standards and frameworks for IR that can be used to inform your organization’s own policy and approach to incident management. These include (but are not limited to) the following:
- ISO 27035, “Information Security Incident Management”
- NIST SP 800-61, “Computer Security Incident Handling Guide”
- ENISA, “CSIRT Setting Up Guide”
- ISACA, “Incident Management and Response”
The organization also needs an IR plan. Depending on geography or industry, this may also be called an incident management plan. The IR plan should define what reportable incidents are and how and to whom to report them. The plan also needs to define the skills, services, and resources needed to coordinate IR and which teams within the organization will provide them. To complement this point, the plan should also specify when and how the various IR stakeholders should contact each other.
Most organizations will form an IR team. The IR team should be an integrated team to facilitate communication and should have the range of skills needed to handle incidents. These skills may include forensic investigation knowledge, developers who can understand custom and potentially malicious code, operational security specialists, and people with the compliance and legal knowledge to know how to recognize and handle a breach.
From a program perspective, the IR plan should provide a set of metrics to measure the performance of the IR capabilities and drive continuous improvement. Lessons learned, taken from iterations of IR testing, exercises, and real incidents, should be captured and incorporated into process improvements in the IR plan and related procedures. When these changes are made to the IR plan, all stakeholders need to be notified and given access to the most current version of the documentation. Lastly, the plan itself should be protected from unauthorized disclosure and modification.
Now that we have discussed the incident management policy and plan, those two documents must flow down and give authority to a set of IR procedures that cover a comprehensive range of incident types. These IR procedures will offer a clear set of steps for handling incidents in moments when stakeholders could be surprised, tired, confused, stressed, and, on top of all these things, when response time is critical. At these moments, the correct responses in the correct sequence can save the organization resources and effort and minimize the impact to the organization and its customers and partners.
The procedures should cover monitoring and detecting information security events and incidents, including criteria for how to declare incidents and breaches; how to assess, escalate, and prioritize them; and how to report them across the organization. Procedures must also exist for how to document incident management activities, how to handle forensic evidence, and how to recover (when necessary) from an incident, including coordination between internal groups and external third parties.
Tests and Exercises
Once the organization has defined which teams respond to incidents and documented policies, the IR plan, and IR procedures, the next step is to test this IR capability. The IR capabilities should be assessed at regular, defined intervals by performing tests and exercises of the plan and its related procedures. The point here is to determine the overall effectiveness of the organization’s incident management capabilities.
The incident test or exercise often uses one or more scenarios, and the response team simulates responding to them using the appropriate checklist. Alternatively, the organization may opt for live testing of the IR capability, including a partial interruption of production environment functionality.
As the response team works through the appropriate set of checklists and procedures, they make discoveries. Gaps, weaknesses, lack of training, and poor communications will make themselves evident in these exercises. For example, someone on the call tree may have a new mobile telephone number but didn’t update it in the documents, or a procedure was written for a certain version of an OS or software, but that OS or software has been upgraded since the document was written, affecting some of the procedural steps. Discovering these details is one of the main points of the test/exercise and provides feedback for improvement. There are other benefits as well. The tests/exercises serve as a valuable form of training and often satisfy regulatory and compliance requirements.