
CSE3501

Information Security Analysis and Audit

By,
Dr. Swetha N. G.,
Assistant Professor Senior,
Department of Analytics,
School of Computer Science and Engineering,
Vellore Institute of Technology, Vellore.

Email: swetha.ng@vit.ac.in Mobile: 8903580808 Cabin: PRP 217-16


Security Incident
• A security incident may stand alone or consist of multiple events that
together indicate that an organization’s systems or data may have
been compromised or that protective measures may have failed.
• This includes any intentional or unintentional incident that poses an
increased threat to IT security.
• E.g.: loss of data, corrupted data, and various attacks that threaten the
CIA triad (confidentiality, integrity, availability).
Major Incident
• A major incident is a serious incident with the highest priority.
• These types of incidents can lead to significant disruptions or even a
complete shutdown of business operations, so they require special
measures.
• Major incidents represent a risk that cannot be neglected.
Incident Handler
• The incident handler’s job is to contain and mitigate the security incident.
• To do this, he or she plans, manages and coordinates activities, and
communicates with other cybersecurity professionals.
• Mainly, incident handlers define, document, and communicate the roles that
various professionals take on during an incident.
• These roles vary depending on the severity of the incident.
• Incident handlers establish, test and verify communication channels and
communicate them to the appropriate personnel.
• This is a must to ensure the proper flow of tasks and communications.
• They also ensure that all incident handling and response best practices,
standards, cybersecurity frameworks, laws and regulations are followed and
estimate the costs that an incident may incur.
Importance of Security Incident Management
• Companies are regularly attacked by cybercriminals and often suffer long-term
damage.
• The world is networked and digitalization is advancing.
• We experienced this very clearly in 2020, in particular, when more and more people moved
their workplace to a home office. They moved from a network managed by IT professionals
to a workplace with no corporate firewalls and possibly no professional antivirus programs
protecting them.
• This situation makes businesses a sitting duck for cybercriminals and poses major
challenges for IT departments.
• However, IT security is not just the concern of security specialists; it is also the
responsibility of every single employee. Seemingly simple tasks are part of that
responsibility, such as:
• changing passwords regularly,
• sharing confidential information only with known and verified sources,
• updating software,
• regularly backing up data, and
• consistently employing a clean desk / desktop strategy.
• Every opportunity should be taken to repeatedly sensitize employees to the topic.
Considerations for Incident Preparation
• The most important thing is to ensure that all employees know their roles and
responsibilities in the event of a security incident.
• To this end, scenarios can be developed and regularly run through so that they
can then be evaluated and optimized, if necessary.
• A response plan should be well documented, as well as detailing and explaining
the roles and responsibilities of everyone involved.
• Above all, the competence of each individual counts. The better prepared your
employees are, the less likely they are to make critical mistakes.
• Answer the following questions for yourself:
• Have employees been trained on the security policy?
• Have the security policies and incident management plan been approved by the appropriate
leadership?
• Does the incident response team know its responsibilities and whom to notify?
• Have all members of the team participated in practice drills?
Information Security Incident Management
• Objectives focus on notification, containment and management of
information security incidents.
• Goals
1. Reporting Information Security Events and Weaknesses
2. Management of Information Security Incidents and Improvements
• Predefined formats are available for the purposes of handling security
incidents.
Reporting Information Security Events and Weaknesses
1. Reporting Information Security Events
• Identified or suspected events
• Key Risk Indicator: Yes
• Control Class: Management (M) / Operations (O)
• Key Questions
• Does the organization have a formal information security incident reporting process?
• How are the employees trained to handle it?
• How frequently is the process tested?
• Additional Information
• Incident response systems, emergency response systems, etc.
2. Reporting Security Weaknesses
• All suspected and identified weaknesses
• Key Risk Indicator: No
• Control Class: Management (M) / Operational (O)
• Key Questions
• Does your organization require all users to report weaknesses?
• What type of training does the organization offer to help users understand weaknesses?
• Do all users understand what to do and what not to do if a security weakness is
identified?
• Additional Information
• Create an environment and associated process to enable the user to report the
weakness.
• Awareness and education
Management of Information Security Incidents and Improvements
• Managing information security incidents is challenging.
• Clear documentation outlining the responsibilities and actions should
be provided by the management for handling the incidents.
• Responsibilities and Procedures
• Learning from the incidents
• Collection of Evidence
1. Responsibilities and Procedures
• Information Security incidents cause panic and stress for all the parties.
• Management responsibilities and associated procedures should be
developed when there are no incidents in progress.
• Key Risk Indicator: No
• Control Class: (M/O)
• Key Questions:
• Does your organization have written procedures for handling information security
incidents?
• How does your organization monitor for information security incidents?
• When was the last time your management tested the procedures for incident
management?
2. Learning from Incidents
• Management should develop a method and system to ensure that
information is properly collected during an incident.
• This is done to facilitate future learning.
• Key Risk Indicator: No
• Control Class: (M)
• Key Questions:
• What type of methods or processes has management developed and published to
collect the key data during an incident?
• Is the process in place?
• Additional Information
• The data collected will help the management to identify patterns that require
immediate attention.
3. Collection of Evidence
• Incidents can have legal implications.
• So, proper guidelines must be followed for the collection of evidence.
• Key Risk Indicator: No
• Control Class: Management (M) / Operational (O) / Technical (T)
• Key Questions:
• How does your organization handle the collection of evidence?
• How does your organization make sure that users are aware that
evidence collection is a part of incident management?
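The guidelines the slide refers to boil down to three things a handler can actually check: the evidence is hashed at the moment it is acquired, every hand-over is recorded, and the copy used later for analysis can be proven identical to the copy that was collected. The following is an added example, not part of the lecture slides; the item names, handler names and the sample log line are constructed for illustration, and SHA-256 is assumed as the integrity hash.

```python
"""Evidence integrity and chain-of-custody records for incident handling.

Added example (not from the lecture slides). It shows the minimal controls
applied when collecting evidence so that it stays defensible later: a hash
taken at acquisition, a timestamped custody entry for every hand-over, and a
verification step that detects any subsequent alteration. Names and sample
content below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the evidence bytes as hex."""
    return hashlib.sha256(data).hexdigest()


def acquire(name: str, data: bytes, collector: str, description: str) -> dict:
    """Create the acquisition record: what was taken, by whom, when, and its hash."""
    return {
        "item": name,
        "description": description,
        "size": len(data),
        "sha256": sha256_hex(data),
        "custody": [
            {
                "action": "acquired",
                "by": collector,
                "at": datetime.now(timezone.utc).isoformat(),
            }
        ],
    }


def transfer(record: dict, from_person: str, to_person: str, reason: str) -> dict:
    """Append a hand-over entry; the trail is only ever appended to, never overwritten."""
    record["custody"].append(
        {
            "action": "transferred",
            "from": from_person,
            "to": to_person,
            "reason": reason,
            "at": datetime.now(timezone.utc).isoformat(),
        }
    )
    return record


def verify(record: dict, data: bytes) -> bool:
    """Re-hash the copy in hand and compare it with the acquisition hash and size."""
    return sha256_hex(data) == record["sha256"] and len(data) == record["size"]


def custody_summary(record: dict) -> list:
    """Flatten the custody trail into 'action:who' strings for quick review."""
    out = []
    for entry in record["custody"]:
        who = entry.get("by") or f'{entry["from"]}->{entry["to"]}'
        out.append(f'{entry["action"]}:{who}')
    return out


# Constructed sample: one access-log line captured from a host under investigation.
SAMPLE_LOG = b'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin HTTP/1.1" 401 0\n'

if __name__ == "__main__":
    rec = acquire("access.log", SAMPLE_LOG, "handler-A", "web server access log")
    transfer(rec, "handler-A", "forensics-B", "detailed analysis")
    print(json.dumps(rec, indent=2))
    print("intact:", verify(rec, SAMPLE_LOG))            # True
    print("tampered:", verify(rec, SAMPLE_LOG + b"x"))   # False
```

In practice the record would be written to a store the responders cannot edit in place and signed by the collector; the point of the example is that the hash is taken once, at acquisition, and everything afterwards is compared against it.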
Incident Management Plan
• Preparation
• Analysis and Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
ITIL Incident Management Plan (diagram not reproduced)

ITIL Incident Management Procedure (diagram not reproduced)
Third Party Security Management
• Third Party Security Risk Management is the process of analyzing and
controlling risks associated with outsourcing to third-party vendors or
service providers.
• This could include access to your organization’s intellectual property, data,
operations, finances, customer information or other sensitive information.
• Applicability
• Organizations rely heavily on third party vendors, contractors, and partners to help
meet customer demands and maintain daily operations.
• Unfortunately, these contractual partnerships also come with critical cybersecurity
risks that companies should continually be working to mitigate.
• To minimize these risks, organizations should take comprehensive steps to ensure
that third parties comply with regulations and also protect confidential
information.
Objective
• To analyze and control third-party risks, avoid damage and strengthen
relationships.
• To minimize your organization’s exposure to risks, manage third party
relationships at scale.
Approach
• Phase 1: Requirement
• Identify the objectives (policies & standards) and compliance needs.
• Phase 2: Planning
• Align resources and set roles & responsibilities to execute risk assessments.
• Phase 3: Scoping
• Categorize third-party vendors as per the requirements. This reduces redundancy in
questionnaires, improving the timelines for completing assessments.
• Phase 4: Execution
• Execute risk assessment exercise to identify compliance and risk score.
• Phase 5: Remediation
• Analyze identified issues and remediate them with corrective measures for the third party.
• Phase 6: Monitoring
• Continuously monitor vendor performance by comparing the current assessment with the
previous one, so that risk scores are driven down over time.
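Phases 3, 4 and 6 above (scoping, execution and monitoring) are the ones that produce numbers, so they are the ones worth seeing as code. The following is an added example, not part of the lecture slides or of any vendor's product: the questionnaire controls, their weights, the tier definitions and the sample vendor answers are all constructed assumptions that a real programme would replace with its own policies and standards.

```python
"""Third-party risk assessment: tiering, scoring and trend monitoring.

Added example (not from the lecture slides). Implements the Scoping,
Execution and Monitoring phases as a small scorer. The questionnaire,
weights, tiers, thresholds and vendor answers are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed questionnaire: control id -> weight. The weight is how much a
# missing control contributes to the vendor's risk score.
QUESTIONNAIRE = {
    "encrypts_data_at_rest": 3,
    "mfa_for_privileged_access": 3,
    "annual_penetration_test": 2,
    "incident_notification_within_72h": 2,
    "background_checks_for_staff": 1,
}

# Phase 3 (Scoping): tier the vendor by what it can reach. Tier 1 is most critical.
TIER_BY_ACCESS = {"customer_data": 1, "internal_systems": 2, "none": 3}
# Maximum acceptable risk score per tier (constructed thresholds).
TIER_THRESHOLD = {1: 20, 2: 40, 3: 60}


def categorize(access: str) -> int:
    """Phase 3: unknown or unclassified access is treated as the most critical tier."""
    return TIER_BY_ACCESS.get(access, 1)


def score_answers(answers: dict) -> tuple:
    """Phase 4: risk score = weighted share (0-100) of controls that are missing.

    Returns (score, list of missing control ids). A control that was not
    answered counts as missing, so incomplete questionnaires raise the score.
    """
    total = sum(QUESTIONNAIRE.values())
    missing = [cid for cid in QUESTIONNAIRE if not answers.get(cid, False)]
    missing_weight = sum(QUESTIONNAIRE[cid] for cid in missing)
    return round(100 * missing_weight / total), missing


@dataclass
class Assessment:
    vendor: str
    access: str        # what data or systems the vendor can reach
    answers: dict      # control id -> True (in place) / False (missing)
    score: int = field(init=False)
    tier: int = field(init=False)
    gaps: list = field(init=False)

    def __post_init__(self):
        self.tier = categorize(self.access)
        self.score, self.gaps = score_answers(self.answers)


def compliant(a: Assessment) -> bool:
    """A vendor is compliant when its score is within the threshold for its tier."""
    return a.score <= TIER_THRESHOLD[a.tier]


def monitor(previous: Assessment, current: Assessment) -> dict:
    """Phase 6: compare with the prior assessment; surface regressions and new gaps."""
    return {
        "vendor": current.vendor,
        "delta": current.score - previous.score,
        "regressed": current.score > previous.score,
        "new_gaps": sorted(set(current.gaps) - set(previous.gaps)),
        "closed_gaps": sorted(set(previous.gaps) - set(current.gaps)),
        "compliant": compliant(current),
    }


if __name__ == "__main__":
    # Constructed vendor "PayCo": last year MFA was missing, this year the pentest lapsed.
    last_year = Assessment("PayCo", "customer_data", {
        "encrypts_data_at_rest": True, "mfa_for_privileged_access": False,
        "annual_penetration_test": True, "incident_notification_within_72h": True,
        "background_checks_for_staff": True})
    this_year = Assessment("PayCo", "customer_data", {
        "encrypts_data_at_rest": True, "mfa_for_privileged_access": True,
        "annual_penetration_test": False, "incident_notification_within_72h": True,
        "background_checks_for_staff": True})
    print(monitor(last_year, this_year))
```

Two design points are worth noting: an unanswered question counts against the vendor rather than for it, and the threshold depends on the tier, so the same score can be acceptable for a vendor with no data access and a finding for one that handles customer data.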
Best Practices in Third Party Security Management (diagram not reproduced)
Incident Management Components
• Four Critical Components of Effective Incident Management
• A well-defined incident management process
• Tooling that supports and accelerates incident response
• Internal and external communications plans
• Clear incident process documentation
Roles and Responsibilities
Role: Incident manager (other names: incident commander, major incident manager)
• Primary objective: The incident manager has the overall responsibility and authority during the
incident. They coordinate and direct all facets of the incident response effort. As a rule of
thumb, the incident manager is responsible for all roles and responsibilities until they
designate that role to someone else.
• Secondary objective: Everything someone else isn’t assigned to.
Role: Tech lead (other names: on-call engineer, subject matter expert)
• Primary objective: The tech lead is typically a senior technical responder. They are responsible
for developing theories about what’s broken and why, deciding on changes, and running the
technical team during the incident.
• Secondary objective: Communicate updates to the incident manager and other team members.
Role: Communications manager (other names: communications officer, communications lead)
• Primary objective: The communications manager is the person familiar with public
communications, possibly from the customer support or public relations teams. They are
responsible for writing and sending internal and external communications about the incident.
• Secondary objective: Collect customer responses, interface with executives and other
high-level stakeholders.
Role: Customer support lead (other names: help desk lead, customer support agent)
• Primary objective: The person in charge of making sure incoming tickets, phone calls, and tweets
about the incident get a timely, appropriate response.
• Secondary objective: Pass customer-sourced details to the incident-response team.
Role: Social media lead (other names: social media manager, communications lead)
• Primary objective: A social media pro in charge of communicating about the incident on social
channels.
• Secondary objective: Updating the status page, sharing real-time customer feedback with the
incident response team.
Role: Scribe
• Primary objective: A scribe is responsible for recording key information about the incident and
its response effort.
• Secondary objective: Maintain an incident timeline, keep a record of key people and activities
throughout the incident.
Role: Problem manager (other names: root cause analyst)
• Primary objective: The person responsible for going beyond the incident’s resolution to identify
the root cause and any changes that need to be made to avoid the issue in the future.
• Secondary objective: Coordinate, run, and record an incident postmortem, log and track
remediation tickets.
