In today's highly digital and global world, information security incidents have become more and more likely. An information security incident is a situation or issue in which a threat has affected the security of your business network and the ability of your employees to do their work. Think hacking, malware, authentication issues and IT system failures.
In an ideal world, your organisation would be able to anticipate these threats and develop controls to protect itself. Unfortunately, information security controls can be overwhelmed, undermined, or fail partially or completely. As a result, information security incidents are bound to happen, even in the most secure organisations. This makes solid security incident management, which enables your organisation to detect and respond to incidents effectively, incredibly important.
With strong information security incident management, companies can better reduce the impact of these incidents and hopefully prevent similar ones from happening in the future. In order to manage security incidents, your company should have a security incident management plan that covers five key components.
1. Prepare for potential incidents
This seems like a no-brainer, but it is often something companies don't do. Being prepared means, first, having an incident management policy in place, so that there are protocols to follow when an incident does occur and all necessary rules and regulations are complied with. Second, it means establishing a competent team that is ready to step in and address a security issue when one occurs and is escalated. This team should be well trained, with the skills and knowledge needed to manage incidents, and should consist of functional roles across various teams and departments such as IT, security, finance, legal, communications/PR and operations.
2. Identify and report incidents
For incidents to be handled, they first need to be detected. Detecting security issues calls for ongoing monitoring of your digital business assets, such as your servers, firewalls and intrusion prevention systems, to name a few. When an issue is detected, it should be reported immediately for further review and the appropriate management team members should be notified. Incident management software, such as RiskWare, gives the reporting process structure, so that reporting and escalating an issue is quick and easy.
3. Assess and investigate incidents
When an issue is reported, it should first be assessed to determine whether it is truly the result of a security incident. If it is, it should be analysed further. The goal here is to identify the root cause of the incident, where possible. All findings need to be well documented, not only for reference, but to help mitigate similar risks in future. Again, this documentation can be recorded and tracked well in a software solution. Your team will need to decide whether the incident can be fixed quickly, so that business as usual can resume, or whether additional evidence needs to be collected even if that delays resolution.
4. Respond to incidents
Based on what was found when investigating the incident, it's time to respond. As mentioned, if your assessment indicated that the incident can be resolved quickly, then it should be. If it is more serious, your team should investigate further and, in the meantime, contain the situation as far as is feasible. All progress should be captured in detail in your report. However you report your incidents, you want to record how the incident was handled over time, when and what was done, and the outcomes, so that ultimately you can track trends in the types of incidents that have occurred within your organisation and in how they were managed.
5. Learn and revise your processes
All intelligence collected from investigating information security incidents, and the actions taken to resolve them, should be considered when updating your existing operations. In other words, the process of identifying, assessing and resolving an incident should be a learning experience that translates into improvements in how the relevant departments or teams work. For example, if multiple employees have had their accounts hacked, perhaps a more secure log-in and identity verification process needs to be implemented, and a stronger firewall might be needed. An incident of this type would therefore have prompted a blanket improvement in the protection of all employees' accounts.
As your organisation implements new preventative measures, make sure your security incident plan and affiliated policies are updated as well. Incident management isn't simply about resolving incidents; it's about taking what you learn from them to help your organisation grow and become more resilient.
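As an added illustration of the five components above (not code from the original post or from RiskWare), here is a minimal incident record in Python that enforces the report, assess, investigate, contain, resolve, learn sequence, logs when and what was done at each step, and produces the per-category trend figures step 4 calls for. All state names, ticket ids and categories are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowed state transitions, following the page's flow: an issue is reported,
# assessed (is it really an incident?), then either fixed quickly or
# investigated and contained before resolution, and finally lessons recorded.
TRANSITIONS = {
    "reported": {"assessed"},
    "assessed": {"investigating", "resolved", "not_an_incident"},
    "investigating": {"contained", "resolved"},
    "contained": {"resolved"},
    "resolved": {"lessons_recorded"},
}


@dataclass
class Incident:
    ident: str                 # ticket id (constructed values only)
    category: str              # e.g. "account-compromise", "malware", "outage"
    opened: datetime           # when the issue was first reported
    state: str = "reported"
    timeline: list = field(default_factory=list)   # (when, from, to, note)

    def advance(self, new_state, note, when=None):
        """Move to new_state, logging when and what was done; refuse skipped steps."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.ident}: {self.state} -> {new_state} not allowed")
        when = when or datetime.now(timezone.utc)
        self.timeline.append((when, self.state, new_state, note))
        self.state = new_state

    def hours_to_resolve(self):
        """Hours from report to resolution, or None while still open."""
        for when, _, to, _ in self.timeline:
            if to == "resolved":
                return (when - self.opened).total_seconds() / 3600
        return None


def trend_report(incidents):
    """Confirmed incidents per category plus mean hours to resolve (step 4)."""
    confirmed = [i for i in incidents if i.state != "not_an_incident"]
    by_category = Counter(i.category for i in confirmed)
    hours = [h for i in confirmed if (h := i.hours_to_resolve()) is not None]
    mean_hours = sum(hours) / len(hours) if hours else None
    return by_category, mean_hours
```

False alarms closed as not_an_incident are kept on record but excluded from the trend figures, and an attempt to mark an incident contained before it has been assessed is rejected.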
If your company could use assistance defining, reporting and managing your incidents, check out RiskWare's Incident Management Module.