
The Makings of a Great Incident Management Process

December 20, 2017


The importance of incident management is increasing. We’ve gotten to the point where every company, regardless of size, needs to have a proper Incident Management Process implemented.

Why is it so important?  

Simply because no one is exempt from cyber threats, and with today's companies shifting towards digitalised activity, any attack can lead to a costly recovery. This is the double-edged sword of modern business: technological advancements improve overall processes and profitability, but they also amplify the effects of even the smallest data breaches. Under these circumstances, restoring normal service operation as quickly as possible is essential for minimizing the adverse impact on business operations.

Security and business teams need to integrate their efforts in terms of awareness and communication, and to form a coordinated response in times of crisis (a security vulnerability identified or exploited). Specifically, an Incident Management Process (IMP) defines a product description, contact information, escalation paths, expected service level agreements (SLAs), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an IMP into their business continuity operations, and to do so as new products or services are developed and prepared for release to consumers, ensures that swift mitigation and remediation follow when an incident occurs.

What’s the point of the Incident Management Process?

The purpose of the process is to develop a policy that ensures the security incident management team has all the information it needs to formulate a successful response should a specific security incident occur. Here's what some typical objectives look like:

  • Incident status is accurately reported
  • Queue of unresolved incidents is visible and reported
  • Incidents are properly prioritized and handled in the appropriate sequence
  • Incidents are properly contained, investigated, and resolved
  • Incidents are reported and further analysis is conducted (if required).
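The classification, prioritization and SLA points above are easiest to reason about with a concrete triage model. The following is an added illustration, not code from the original article and not an implementation of ISO/IEC 27035: the severity-by-impact priority matrix, the SLA hours, the escalation lists and the sample incidents are all constructed assumptions, and real values come from the organization's own IMP.

```python
"""Incident triage model: severity x impact -> priority, SLA deadlines,
an ordered queue of unresolved incidents, and SLA breach detection.

Added example; not from the original article. The priority matrix,
SLA hours, escalation paths and sample incidents are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY = ("low", "medium", "high", "critical")
IMPACT = ("low", "medium", "high")

# Assumed priority matrix: PRIORITY_MATRIX[severity][impact] -> P1..P4 (P1 most urgent).
PRIORITY_MATRIX = {
    "critical": {"high": 1, "medium": 1, "low": 2},
    "high":     {"high": 1, "medium": 2, "low": 3},
    "medium":   {"high": 2, "medium": 3, "low": 4},
    "low":      {"high": 3, "medium": 4, "low": 4},
}

# Assumed SLA per priority: (hours to acknowledge, hours to mitigate/contain).
SLA_HOURS = {1: (1, 4), 2: (4, 24), 3: (24, 72), 4: (72, 168)}

# Assumed escalation path per priority, using the roles from the team template.
ESCALATION = {
    1: ["Technical Lead", "Privacy Principal", "External Legal Counsel"],
    2: ["Technical Lead", "Internal Security Specialist"],
    3: ["Internal Security Specialist"],
    4: ["Internal Security Specialist"],
}


@dataclass
class Incident:
    ident: str
    severity: str
    impact: str
    reported_at: datetime
    status: str = "new"  # new | acknowledged | contained | resolved

    def __post_init__(self):
        if self.severity not in SEVERITY or self.impact not in IMPACT:
            raise ValueError(f"unknown severity/impact for {self.ident}")

    @property
    def priority(self) -> int:
        return PRIORITY_MATRIX[self.severity][self.impact]

    def respond_by(self) -> datetime:
        return self.reported_at + timedelta(hours=SLA_HOURS[self.priority][0])

    def mitigate_by(self) -> datetime:
        return self.reported_at + timedelta(hours=SLA_HOURS[self.priority][1])

    def escalation_path(self) -> list:
        return ESCALATION[self.priority]


def open_queue(incidents):
    """Unresolved incidents in handling order: highest priority first, then oldest."""
    pending = [i for i in incidents if i.status != "resolved"]
    return sorted(pending, key=lambda i: (i.priority, i.reported_at))


def sla_breaches(incidents, now):
    """(ident, which_sla) for incidents past a deadline they have not yet met.

    Response SLA applies until the incident is acknowledged; mitigation SLA
    applies until it is contained or resolved.
    """
    breaches = []
    for inc in incidents:
        if inc.status == "new" and now > inc.respond_by():
            breaches.append((inc.ident, "response"))
        if inc.status in ("new", "acknowledged") and now > inc.mitigate_by():
            breaches.append((inc.ident, "mitigation"))
    return breaches


# Constructed sample queue, evaluated at NOW (not real incidents).
NOW = datetime(2017, 12, 20, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "low", "low", NOW - timedelta(days=2), "acknowledged"),
    Incident("INC-002", "critical", "high", NOW - timedelta(hours=2), "new"),
    Incident("INC-003", "high", "medium", NOW - timedelta(hours=30), "acknowledged"),
    Incident("INC-004", "medium", "high", NOW - timedelta(hours=1), "resolved"),
    Incident("INC-005", "critical", "low", NOW - timedelta(minutes=30), "new"),
]

if __name__ == "__main__":
    for inc in open_queue(SAMPLE_INCIDENTS):
        print(f"P{inc.priority} {inc.ident:8} {inc.status:12} "
              f"respond by {inc.respond_by():%H:%M}, mitigate by {inc.mitigate_by():%d %H:%M}, "
              f"escalate to {', '.join(inc.escalation_path())}")
    print("SLA breaches:", sla_breaches(SAMPLE_INCIDENTS, NOW))
```

Run as-is, the queue lists INC-002 (P1) first, then the two P2 incidents oldest first, then the P4, with the resolved incident dropped; INC-002 has missed its one-hour response window and INC-003 its 24-hour mitigation window, which is exactly the "queue of unresolved incidents is visible and reported" objective in executable form.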

Incident Response Team – main roles (form template):

Role                           | Person | Job Title
Privacy Principal              |        |
Technical Lead                 |        |
Internal Security Specialist   |        |
External Security Specialist   |        |
External Legal Counsel         |        |
Compliance                     |        |
Public Relations               |        |

Process steps

The ISO/IEC Standard 27035 recommends a 5-step approach to the entire process. Here’s a simplified version that’s applicable to most organizations:

1. Plan and prepare to handle incidents

  • Establish the information security incident management policy, form the Incident Response Team, and develop a threat checklist that sets out specific actions for each type of threat you expect to face.

2. Monitor, report, identify

  • Continuously monitor for "events" (log entries, alerts, user reports) and report those that are, or could turn into, security incidents.

3. Assess and decide

  • Assess identified incidents to determine the next steps for mitigating the risk.

4. Respond

  • Contain, eradicate, recover from and forensically analyze the incident (depending on the outcome from step 3).

5. Report and post-incident analysis

  • Make systematic improvements as a consequence of the incidents you have experienced, and continue investigating where the post-incident review leaves open questions.


Bottom line

The development, implementation, and execution of these steps are the primary responsibility of the Incident Response Team, in cooperation with additional teams where necessary. None of it can happen, however, until the organization has an Incident Management Process in place to begin with.

As the aforementioned ISO/IEC 27035 observes, information security controls are imperfect in various ways: they can be overwhelmed or undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g. authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never even conceived due to failures upstream in risk identification and analysis). Consequently, information security incidents are bound to occur to some extent, even in organizations that take their information security extremely seriously.

That is the main point anyone should take from all of this. We are living in cyber-sensitive times and, as breaches at plenty of industry leaders have shown, no one is safe. Under these circumstances, preparing for worst-case scenarios has become imperative.