10 Steps: Incident Management
Updated 16 January 2015
1. Summary
All organisations will experience an information security incident at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce any financial impact.
2. What is the risk?
Security incidents are inevitable and they will vary in their business impact. All incidents need to be effectively managed, particularly those that invoke the organisation’s disaster recovery and business continuity plans. Some incidents can, on further analysis, be indicative of more severe underlying problems.
If businesses fail to implement an incident management capability that can detect, manage and analyse security incidents the following risks could be realised:
A major disruption of business operations
Failure to realise that an incident has occurred and manage it effectively may compound the impact of the incident, leading to a long term outage, serious financial loss and erosion of customer confidence
Continual business disruption
An organisation that fails to address the root cause of incidents by addressing weaknesses in the corporate security architecture could be exposed to consistent and damaging business disruption
Failure to comply with legal and regulatory reporting requirements
An incident that compromises sensitive information subject to mandatory reporting requirements, where those requirements are not met, could lead to legal or regulatory penalties
The organisation’s business profile will determine the type and nature of incidents that may occur, and the impact they will have, and so a risk-based approach that considers all business processes should be used to shape the incident management plans. In addition, the quality and effectiveness of the security policies and the standards applied by the organisation will also be contributing factors to preventing incidents.
3. How can the risk be managed?
3.1 Obtain senior management approval and backing
The organisation’s Board needs to understand the risks and benefits of incident management and provide appropriate funding to resource it and lead the delivery.
3.2 Establish an incident response capability
The organisation should identify the funding and resources to develop, deliver and maintain an organisation-wide incident management capability that can address the full range of incidents that could occur. This capability could be outsourced to a reputable supplier, such as those on the Cyber Incident Response (CIR) scheme. The supporting policies, processes and plans should be risk based and cover any legal and regulatory reporting or data accountability requirements.
3.3 Provide specialist training
The incident response team may need specialist knowledge and expertise across a number of technical (including forensic investigation) and non-technical areas. The organisation should identify recognised sources of specialist incident management training and maintain the organisation’s skill base.
3.4 Define the required roles and responsibilities
The organisation needs to appoint and empower specific individuals (or suppliers) to handle ICT incidents and provide them with clear terms of reference to manage any type of incident that may occur.
3.5 Establish a data recovery capability
Data losses occur, so a systematic approach to backing up the corporate information asset base should be implemented. Backup media should be held in a physically secure location, both on-site and off-site wherever possible, and the ability to recover archived data for operational use should be regularly tested: a backup that has never been restored is an assumption, not a capability.
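The "regularly tested" recovery in 3.5, as an added example that is not code from the original guidance or from any named product. It backs up a directory into a tar.gz archive, records a SHA-256 manifest of every file at backup time, then performs a test restore into a throwaway directory and checks every restored file against that manifest. The archive layout, the JSON manifest format and all file names and contents are constructed for the demonstration.

```python
"""Backup-and-restore drill (added example, not from the original guidance).

Back up a directory, keep a SHA-256 manifest taken at backup time, then prove
the backup is usable by restoring it somewhere harmless and comparing every
file to the manifest. All paths and contents below are constructed.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, store: Path) -> Path:
    """Archive source into store/backup.tar.gz and save the manifest beside it."""
    manifest = build_manifest(source)
    archive = store / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    (store / "backup.manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True)
    )
    return archive


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore the archive into a scratch directory and diff it against the manifest."""
    expected = json.loads(manifest_path.read_text())
    result = {"ok": [], "mismatched": [], "missing": [], "unexpected": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # The 'data' filter rejects absolute paths, '..' traversal and
                    # device entries; it exists from Python 3.12 (and backports).
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # older Python without the filter argument
        except (tarfile.TarError, EOFError, OSError) as exc:
            # Unreadable media or a truncated archive is itself a failed drill.
            result["error"] = f"restore failed: {exc}"
            result["passed"] = False
            return result
        restored = build_manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(expected))
    result["passed"] = not (result["missing"] or result["mismatched"])
    return result


def run_drill() -> dict:
    """Constructed demo: a clean drill, then one where the archive was silently
    repacked with changed data while the manifest still describes the original
    (a stand-in for a bad or stale backup)."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        tmp = Path(tmp_dir)
        source, store = tmp / "data", tmp / "backups"
        (source / "db").mkdir(parents=True)
        store.mkdir()
        (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (source / "config.ini").write_text("[app]\nmode=prod\n")
        archive = make_backup(source, store)
        manifest = store / "backup.manifest.json"
        good = verify_restore(archive, manifest)
        # Simulate a bad backup: repack after a file changed, keep the old manifest.
        (source / "config.ini").write_text("[app]\nmode=dev\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source, arcname=".")
        bad = verify_restore(archive, manifest)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    outcome = run_drill()
    print("clean drill passed:", outcome["good"]["passed"])
    print("bad backup detected:", not outcome["bad"]["passed"], outcome["bad"]["mismatched"])
```

In a real drill the restore should target an isolated host, not production, and the manifest should be stored apart from the backup media (and ideally signed) so that whoever can alter the backup cannot also alter the record it is checked against. Treat any "error", "missing" or "mismatched" result as a recovery failure to be fixed before it is needed, not as a reporting detail.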
3.6 Test the incident management plans
All plans supporting security incident management (including Disaster Recovery and Business Continuity) should be regularly tested. The outcome of the tests should be used to inform the development and gauge the effectiveness of the incident management plans.
3.7 Decide what information will be shared and with whom
For information bound by specific legal and regulatory requirements the organisation may have to report any incidents that affect the status of that information within a specific timeframe. All internal and external reporting requirements should be clearly identified in the Incident Management Plans.
3.8 Collect and analyse post-incident evidence
The preservation and analysis of the user or network activity that led up to the incident is critical to identifying and remedying its root cause. The collected evidence could also support any follow-on disciplinary or legal action, so the incident management policy needs to set out clear guidelines for collecting and handling it that comply with a recognised code of practice.
3.9 Conduct a lessons learned review
Log the actions taken during an incident and review the performance of the incident management process post incident (or following a test) to see what aspects worked well and what could be improved. Review the organisational response and update any related security policy, process or user training that could have prevented the incident from occurring.
3.10 Educate users and maintain their awareness
All users should be made aware of their responsibilities and the procedures they should follow to report and respond to an incident. Equally, all users should be encouraged to report any security weaknesses or incident as soon as possible and without fear of recrimination.
3.11 Report criminal incidents to Law Enforcement
It is important that online crimes are reported to Action Fraud or the relevant law enforcement agency to build a clearer view of the national threat picture and deliver an appropriate response.