Security incident management is a critical control by ISO 27001 standards (Clause A13), and has an equal, if not higher, level of importance in other standards and frameworks. incident management forms an integral
To counter present day threat scenario, a utilitarian security incident management practice will not suffice and organizations must raise the bar on pre and post incident procedures to create a proactive incident response system. To achieve this state of maturity, the following security incident management processes must be included in the overall response system:
1. Clearly defined roles and responsibilities for the incident response team, which will have functional (development, infrastructure) as well as business (sales, administration, legal, finance) managers.
2. RACI chart that identifies the person who is Responsible, Accountable, Consulted or Informed for defined activities before and after an incident.
3. Training program for all activities defined within the security incident management practice, including functional, operational and tactical skills. Periodic training using test scenarios and functional training must be provided regularly.
4. Checklists and templates for operational maintenance response based on configuration items, including procedures for shutdown, startup, restoration, and others.
5. Clearly define links/touch points/dependencies of the security incident management policy and procedures with other information security management system controls. For instance, RACI charts, management contact information, checklists, startup and shutdown procedures would be common to security incident management and DR. Other touch points would be risk management since the impact ‘high’ risks may be addressed through proactive mitigation measures in the security incident management processes.
6. Evidence collection procedures to ensure it is ‘good’, forensically and legally sound, as part of first security incident management response. This is a specialized function, and an organization stands to lose a lot if the evidence is incorrect or insufficient. Acceptance in the court of law or appropriateness for analysis can be affected in case of a flawed evidence collection process.
7. Functional and forensics techniques for quarantining and containment, real time observation, investigation, analysis, and reporting. This is an adjunct to the evidence collection process, and team members having the required skills should be deputed to carry out this responsibility.
8. Awareness of responsibility for administration, legal, human resources, and finance teams. It is necessary for all functions in an organization to be sensitized to each other’s responsibilities and liabilities during an incident.
9. Learning from the incident and updating vulnerability/risk repository and other such measures to ensure proactive controls. All business and functional managers must participate in the analysis and learning sessions and ensure that the security incident management processes and documentation are updated.
10. Metrics and relevant reporting to management and other stakeholders should relate to functional and financial issues. For instance, a report can provide metrics for recovery happening earlier than the service level agreement, resulting in savings in cost and productivity.
Organizations can greatly reduce recovery costs with a strong security incident management process. This will ensure a high state of readiness, and incident avoidance will happen in a natural manner.
Considering that (nearly) all business operations, government functions, and utilities are dependent on computing resources, it is imperative for an organization to respond in the shortest possible time. Quick recovery means lower downtime costs and thereby, higher stakeholder and customer confidence.
About the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM and more. He is involved in training and conducts regular online mentoring sessions. Bareja also maintains thefaqproject.com for InfoSec certifications. You can connect with him at firstname.lastname@example.org
This was first published in January 2011