Monday, May 2, 2016

Requirements of an Incident Management Program

InfoSec incidents are unavoidable even in an organization which takes care of its information security extremely passionately. Incident management is a development of a well understood and predictable response to such damaging events and/or incidents. 

Like any other program, Incident Management Program needs to define and implement a process. The organization adopts this process in order to protect information assets, like IT infrastructure and information systems, if something bad happens. The incident response process depends on the security incident, which may involve malware breach and containment, information disclosure, data leakage, or a DDoS attackThis process in nothing but some detective and corrective safeguards to detect and then respond to such events and intrusions. Minimizing harmful impacts, gathering forensic evidence, and learning are other roles of these safeguards. Incident response team shall follow the above-mentioned process in case of an emergency security event or an incident. 

ISO 27K family of standards has a particular standard focusing on this issue: ISO/IEC 27035:2011, Information technology -- Security techniques -- Information security incident management

Another source might be NIST 800-61 entitled Computer Security, Incident Handling Guide. 

ISO 27001:2013 neither asks for implementation the program based on ISO 27035 nor the specifications in item A.16 of its controls. You can adapt any approach to put such a program in your ISMS.

A typical incident management program requires such steps: 
  • Prepare to handle incidents by having an incident management policy in place and establish a team to handle the incidents
  • Identify and report InfoSec incidents. This step can be performed by an employee, vendor, customer, partner, device, SIEM system or even a sensor. The problem should be reported to Incident Response Team or Security Operations Centers (SOC)
  • Evaluate, analyse and assess incidents including the criticality of the event in order to address them. Bear in mind that lots of issues might be a false positive so evaluation plays a big role here
  • Respond to incidents by either fixing the problem as quick as possible or collecting forensic evidences, even if it delays regular business operations. You definitely need a checklist or reference in case of handling an InfoSec incident.  Zeltser offers a series of free helpful cheat sheets for such purposes for Windows / Linux intrusions, DDoS attacks and more 
  • Investigate the problem in-depth after resolving and then document security weaknesses, report to senior management, and learn the lessons in order to change and improve the processes. Sometimes the problem should be reported to authorities or media as well in accordance with regulatory compliance laws and regulations

If you need a good source to help you in auditing an Incident Management Program, this ISACA document may help a lot. 

Labels: , , , ,