11. Information security incident management
11.1 Management of information security incidents and improvements
11.1.1 Responsibilities and procedures
Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents.
The objectives for information security incident management should be agreed with management, and it should be ensured that those responsible for information security incident management understand the organization’s priorities for handling information security incidents.
1) Develop and and communicated adequately within the organization procedures for:
- incident response planning and preparation, including procedures for escalation, controlled recovery from an incident and communication to internal and external people or organizations;
- monitoring, detecting, analysing and reporting of information security events/weaknesses and incidents;
- logging incident management activities.
2) Procedures, including management responsibilities, ensure that:
- competent personnel handle the issues related to information security events and incidents;
- people are aware of a point of contact for security incidents’ detection and reporting;
- appropriate contacts with authorities to handle the information security incidents are maintained.
3) Reporting procedure:
- includes reporting forms ie templates that support the reporting action and help the person reporting to describe all necessary actions in case of an information security event;
- describes all necessary activities e.g. noting all details immediately, such as type of non-compliance or breach, occurring malfunction, messages on the screen and reporting to the point of contact;
- references to formal disciplinary process for dealing with employees who commit security breaches;
- describes suitable feedback processes to ensure that those persons reporting information security events are notified of results after the issue has been dealt with and closed.
11.1.2 Reporting information security events and weaknesses
Information security events should be reported through appropriate management channels as quickly as possible.
- Make sure that all employees and contractors are aware of their responsibility to report information security events as quickly as possible and the point of contact to which the events should be reported.
- Situations to be considered reporting include:
a) breach of information integrity, confidentiality or availability expectations;
b) malfunctions of software or hardware as they may be an indicator of a security attack;
c) any observed or suspected information security weakness in systems or services;
d) human errors;
e) access violations
f) non-compliances with policies or guidelines
g) breaches of physical security arrangements;
h) uncontrolled system changes;
i) ineffective security control.
11.1.3 Assessment of information security events
Information security events should be assessed and it should be decided if they are to be classified as information security incidents.
- Create agreed classification scale that helps to identify the impact and extent of an incident and thereby prioritize them. The point of contact records and assesses each information security event using the scale and decides whether the event should be classified as an information security incident.
- If the organization has a person responsible for information security, the assessment and decision can be forwarded to this person for confirmation or reassessment
Read more: 6. Taxonomy Classification in the Common Taxonomy for Law Enforcement and The National Network of CSIRTs, https://www.europol.europa.eu/cms/sites/default/files/documents/common_taxonomy_for_law_enforcement_and_csirts_v1.3.pdf
11.1.4 Response to information security incidents
Information security incidents should be responded to in accordance with the procedures.
- Nominate a point of contact and other relevant persons inside or outside the organization that respond to information security incidents.
- To respond to incident and initiate the necessary recovery:
a) collect evidence as soon as possible;
b) conduct forensics analysis if applicable;
c) escalate, if required;
d) ensure that all response activities are logged for later analysis;
e) communicate the existence of the incident to other internal and external people with a need-to-know;
f) deal with information security weakness(es) found to cause the incident;
g) close and record the incident after solving the incident. If necessary, analyse the incident additionally to identify the source of the incident.
11.1.5 Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents should be used to reduce the likelihood or impact of future incidents.
- Analyse and evaluate continuously the reports of information security incidents by type, volume and cost to identify recurring or high impact incidents.
- Introduce enhanced or additional controls or review the internal procedures to limit the frequency, damage and cost of future incidents.
- Include the information of high impact incidents into the user awareness training and explain how to respond to such incidents and how to avoid them in the future.
11.1.6 Collection of evidence
The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
- For the purposes of disciplinary and legal action, develop and follow internal procedures when dealing with evidence. When collecting evidence, the chain of custody principle should be followed. Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer.
- When an information security event is detected, it may not be obvious whether or not the event will result in court action. Therefore, the danger exists that necessary evidence is destroyed intentionally or accidentally before the seriousness of the incident is realized. It is advisable to involve police or CERT Tonga early in any action.
- In case forensic evidence transcends organizational or jurisdictional boundaries, contact CERT Tonga and ensure that the organization or person is entitled to collect the required information as forensic evidence and the internationally acknoledged requirements are followed.
Figure 5: Forensic process according to NIST Special Publication 800-86.
Read more:
Appendix A, NIST Special Publication 800-86