Professional Documents
Culture Documents
2
Chapter 4—Information Security Incident Management
3
Incident Management Overview
4
4.1 Incident Management Overview
5
4.1 Incident Management Overview
7
4.1 Incident Management Overview
Events:
Technical, such as network attacks via viruses, denial of service (DoS)
or system intrusion. The result of mistakes, accidents, or system or
process failure.
Physical events, such as theft of proprietary information, social
engineering, lost or stolen backup tapes or laptops.
Environmental conditions such as floods, fires, or earthquakes.
8
4.1 Incident Management Overview
9
4.1 Incident Management Overview
The goal of incident management and response activities are to:
Detect incidents quickly
Diagnose incidents accurately
Manage incidents properly
Contain and minimize damage
Restore affected services
Determine root causes
Implement improvements to prevent recurrence
Document and report
Incident management and response can be part of the trade-off that may
reduce the cost of risk management efforts by allowing higher levels of
acceptable risk
10
4.1 Incident Management Overview
11
4.1 Incident Management Overview
Responsibilities of information security manager towards incident
management include:
o Developing information security incident management and response
plans.
12
Incident Management Resources
13
4.2 Incident Management Resources
14
4.2 Incident Management Resources
15
4.2 Incident Management Resources
2. Personnel:
2.1 An Incident Management Team (IMT) usually consists of:
The information security manager.
Security Steering Group (SSG): senior managers responsible for
approving the charter and serves as an escalation point for the IMT.
Permanent/dedicated team members: may include incident handlers,
investigators and forensics experts, and IT and physical security
specialists.
Virtual/temporary team: normally consist of business representatives
(middle management), legal staff, communications staff (public
relations), HR staff, other security groups (physical security), risk
management and IT specialists. Requited when necessary to fill gaps
within the IMT.
16
4.2 Incident Management Resources
2.2 Incident Response Team (IRT) are incident handlers who analyze
incident data, determine the impact of the incident, and act
appropriately to limit the damage to the organization and restore
normal services.
Technical skills:
Technical foundation skills.
Incident handling skills.
18
4.2 Incident Management Resources
5. Awareness and education:
Organizations may develop relationships with external experts to fill the
gap in internal expertise.
Organization may need to expand the staff’s basic skills to include more
in-depth knowledge to handle incidents properly.
6. Audits:
Internal and external audits are performed to verify compliance with
policies, standards and procedures.
19
4.2 Incident Management Resources
7. Outsourced security providers:
Outsourcing incident management capability may be a cost-effective
option for an organization.
20
Incident Management Objectives
21
4.3 Incident Management objectives
1. Defining objectives.
2. The desired state.
3. Strategic alignment.
4. Risk management.
5. Assurance process integration.
6. Value delivery.
7. Resource management.
22
4.3 Incident Management objectives
1. Defining objectives
Handle incidents when they occur so that the exposure can be
contained/eradicated within an AIW.
Acceptable Interruption window (AIW): the time the company can wait
from the point of failure to the restoration of the minimum and critical
services or applications. After this time, the progressive losses caused by
the interruption are excessive for the organization.
23
4.3 Incident Management objectives
24
4.3 Incident Management objectives
3. Strategic alignment
Incident management must be aligned with the organization’s strategic
plan.
4. Risk management
Successful outcomes of risk management include effective incident
management and response capabilities.
Any risk that is not prevented by controls will constitute an incident that
must be managed and responded to with the intent that it does not
escalate into a disaster.
25
4.3 Incident Management objectives
6. Resource management
Resource management includes time, people, budget and other factors to
achieve objectives efficiently under given resource constraints.
26
4.3 Incident Management objectives
7. Value delivery
To deliver value, incident management should:
Integrate with business processes and structures as seamlessly as
possible.
27
Incident Management Metrics and Indicators
28
4.4 Incident Management Metrics and Indicators
Incident management metrics, measures and indicators are the criteria used
to measure the effectiveness and efficiency of the incident management
function.
Incident management reports and measures are useful for the IMT for self-
assessment.
Examples:
Total number of reported incidents.
Total number of detected incidents.
Average time to respond to an incident relative to the AIW.
Average time to resolve an incident.
Total number of incidents successfully resolved.
Total damage from reported and detected incidents if incident
response was not performed. 29
Developing an Incident Response Plan
30
4.5 Developing an Incident Response Plan
The IRP details the actions, personnel and activities that take place in case
of adverse events.
Gap analysis report can be used for planning purposes to determine the
following:
Processes that need to be improved to be more efficient and
effective.
Resources needed to achieve the objectives for the incident
response capability.
Prioritize efforts of improvement based on the areas of greatest
potential impact and the best cost benefit.
32
4.5 Developing an Incident Response Plan
2. Business Impact Assessment
BIAs have three primary goals:
Criticality prioritization: every critical business unit process must be
identified and prioritized. The impact of an incident must be
evaluated — the higher the impact, the higher the priority.
33
4.5 Developing an Incident Response Plan
34
4.5 Developing an Incident Response Plan
3. Escalation process for effective incident management
A detailed description of the escalation process should be documented.
35
4.5 Developing an Incident Response Plan
4. Help desk processes for identifying security incidents
Processes should be defined for help desk personnel to distinguish a
typical help desk request from a possible security incident.
The help desk is likely to receive the first reports indicating a security-
related problem, thus prompt recognition of an incident and escalation
to appropriate parties is critical to minimizing the damage.
36
4.5 Developing an Incident Response Plan
5. Incident management and response teams
IRP must identify teams and define their assigned responsibilities in the
event of an incident. Examples:
Emergency action team: Designated “fire wardens” and “bucket
crews” whose function is to deal with fires or other emergency
response scenarios.
37
4.5 Developing an Incident Response Plan
Security team: Often called a computer security incident response
team, it is responsible for monitoring the security of systems and
communication links, containing any ongoing security threats, resolving
any security issues that delay the recovery of the systems, and assuring
the proper installation and functioning of every security software
package.
38
4.5 Developing an Incident Response Plan
5. Organization, training and equipping the response staff
Training the response teams includes developing event scenarios and
test the response and recovery plans to ensure that teams are familiar
with their tasks and responsibilities.
Risk management, HR, legal, public relations and network operations are
the most likely functions to be notified in case of an incident.
40
4.5 Developing an Incident Response Plan
Challenges in developing an incident management plan
41
Business Continuity and Disaster Recovery Procedures
42
4.6 Business Continuity and Disaster Recovery Procedures
An effective strategy for recovery plans will strike the most cost-effective
balance between risk management efforts, incident management and
response, and BC/DRP.
43
4.6 Business Continuity and Disaster Recovery Procedures
44
4.6 Business Continuity and Disaster Recovery Procedures
Warm sites:
Complete infrastructures, but are partially configured in terms of IT,
usually with network connections and essential peripheral
equipment such as disk drives, tape drives and controllers.
Sometimes a warm site is quipped with a less-powerful central
processing unit (CPU) than the primary site.
The installation of missing units as computers, may take days or
weeks.
Is less costly than a hot site.
Cold sites:
Have only the basic environment (electrical wiring, air conditioning,
flooring, etc.).
The cold site is ready to receive equipment, but does not offer any
components at the site in advance of the need.
Activation of the site may take several weeks.
Portable centers belong to this category.
45
4.6 Business Continuity and Disaster Recovery Procedures
Mobile sites:
Specially designed trailers that can be quickly transported to a
business location or an alternate site to provide a ready-conditioned
IPF.
Can be configured with servers, desktop computers,
communications equipment, and even microwave and satellite data
links.
They are a useful alternative when there are no recovery facilities in
the immediate geographic area.
They are also useful in case of a widespread disaster and may be a
cost-effective alternative for duplicate IPFs for a multisite
organization.
46
4.6 Business Continuity and Disaster Recovery Procedures
47
4.6 Business Continuity and Disaster Recovery Procedures
Alternative routing:
Alternative routing means routing information via an alternate medium
such as copper cable or fiber optics.
This involves use of different networks, circuits or end points, if the
normal network is unavailable.
Dial-up circuits as an alternative to dedicated circuits, a cellular phone
and microwave communications as alternatives to land circuits, and
couriers as an alternative to electronic transmissions.
48
4.6 Business Continuity and Disaster Recovery Procedures
High-availability considerations
Server recovery should also be included in the disaster recovery plan.
49
4.6 Business Continuity and Disaster Recovery Procedures
Insurance
The recovery plan should also contain key information concerning the
organization’s insurance.
50
4.6 Business Continuity and Disaster Recovery Procedures
ISM should test the Business Continuity and Disaster Recovery Procedures
Types of tests:
Checklist review: A preliminary step to a real test. Recovery checklists
are distributed to all members of a recovery team to review and ensure
that the checklist is current.
Structured walkthrough: Team members physically implement the
plans on paper and review each step to assess its effectiveness, identify
enhancements, constraints and deficiencies.
Simulation test: The recovery team role play a prepared disaster
scenario without activating processing at the recovery site.
Parallel test: The recovery site is brought to a state of operational
readiness, but operations at the primary site continue normally.
Full interruption test: Operations are shut down at the primary site and
shifted to the recovery site in accordance with the recovery plan; this is
the most rigorous form of testing, but is expensive and potentially
disruptive.
51
4.6 Business Continuity and Disaster Recovery Procedures
Recovery test metrics
Metrics should be developed and used in measuring the success of the plan
and testing against the stated objectives.
Metrics results should be used not only to measure the effectiveness of the
plan, but more importantly, to improve it.
52
4.6 Business Continuity and Disaster Recovery Procedures
Percentage and/or number:
The number of vital records successfully carried to the backup site
versus the required number.
The number of supplies and equipment requested versus actually
received.
The number of critical systems successfully recovered can be
measured with the number of transactions processed.
Accuracy:
Accuracy of the data entry at the recovery site versus normal
accuracy (as a percentage).
The accuracy of actual processing cycles by comparing output
results with those for the same period processed under normal
conditions.
53
Post-Incident Activities and Investigation
54
4.7 Post-Incident Activities and Investigation
55
4.7 Post-Incident Activities and Investigation
Documenting events
There should be a clear record of events, so information be investigated and
provided to a forensics team or authorities if necessary.
56
4.7 Post-Incident Activities and Investigation
57
4.7 Post-Incident Activities and Investigation
58
4.7 Post-Incident Activities and Investigation
59
60