InfoSec incidents are unavoidable, even in an organization that takes its information security extremely seriously. These days companies should not only invest in layered security safeguards but also have a plan in place for when a security incident such as a data breach occurs.
Incident management is the development of a well understood and predictable response to such damaging events and incidents.
Like any other program, an Incident Management Program needs to define and implement a process. The organization adopts this process in order to protect its information assets, such as IT infrastructure and information systems, when something bad happens. The incident response process depends on the type of security incident, which may involve a malware breach and its containment, information disclosure, data leakage, or a DDoS attack. The process is essentially a set of detective and corrective safeguards/controls to detect and then respond to such events and intrusions. Minimizing harmful impacts, gathering forensic evidence, and learning from the incident are the other roles of these safeguards. The incident response team shall follow this process in case of an emergency security event or incident.
The ISO 27K family of standards has a particular standard focusing on this issue: ISO/IEC 27035:2011, Information technology — Security techniques — Information security incident management.
Another source is NIST 800-61, entitled Computer Security Incident Handling Guide.
A typical incident management program involves the following steps:
- Prepare to handle incidents by having an incident management policy in place and establishing a team to handle them
- Identify and report InfoSec incidents. This step can be performed by an employee, vendor, customer, partner, device, SIEM system or even a sensor. The problem should be reported to the Incident Response Team or Security Operations Center (SOC)
- Evaluate, analyse and assess incidents, including the criticality of the event, in order to address them. Bear in mind that many reported issues turn out to be false positives, so evaluation plays a big role here
- Respond to incidents by either fixing the problem as quickly as possible or collecting forensic evidence, even if that delays regular business operations. You definitely need a checklist or reference when handling an InfoSec incident. Zeltser offers a series of free, helpful cheat sheets for this purpose, covering Windows / Linux intrusions, DDoS attacks and more
- Investigate the problem in depth after resolving it, then document the security weaknesses, report to senior management, and learn the lessons in order to change and improve the processes. Sometimes the problem must also be reported to authorities or the media in accordance with regulatory compliance laws and regulations. Check your local regulations on disclosure of data breaches or security incidents
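The steps above can be enforced in a small tracking tool, so that an alert is only promoted to an incident after evaluation, evidence is hashed when it is collected, and an incident cannot be closed until the review step has happened. The following Python is an added example written for this page and is not code from the page's author, ISO, NIST or any of the referenced sources; the alert records, the severity weights, the known-benign allowlist and the high-volume threshold are all constructed assumptions chosen to illustrate the identify, evaluate, respond and review stages.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed alert records, in the shape a SIEM, an EDR sensor or a person might report them.
SAMPLE_ALERTS = [
    {"id": "A-1", "source": "siem", "rule": "brute_force_ssh", "asset": "bastion-01", "count": 250},
    {"id": "A-2", "source": "edr", "rule": "malware_detected", "asset": "ws-042", "count": 1},
    {"id": "A-3", "source": "siem", "rule": "port_scan", "asset": "scanner-01", "count": 9000},
    {"id": "A-4", "source": "employee", "rule": "reported_phishing", "asset": "mail", "count": 1},
]

# Assumed criticality weights (1 low .. 5 critical) and an allowlist of
# (rule, asset) pairs known to be benign, e.g. the authorised vulnerability
# scanner that trips port-scan rules every night.
RULE_SEVERITY = {"malware_detected": 4, "brute_force_ssh": 3, "reported_phishing": 2, "port_scan": 1}
KNOWN_BENIGN = {("port_scan", "scanner-01")}

# Lifecycle stages in the order the steps above list them. An incident may
# only move to the next stage, so it cannot be closed without a review.
STAGES = ["identified", "evaluated", "responded", "reviewed"]


def evaluate_alert(alert):
    """Return (is_incident, severity). Known-benign pairs are suppressed as
    false positives; otherwise the rule weight applies, raised by one for
    high-volume events (count >= 100) and capped at 5."""
    if (alert["rule"], alert["asset"]) in KNOWN_BENIGN:
        return False, 0
    severity = RULE_SEVERITY.get(alert["rule"], 1)
    if alert["count"] >= 100:
        severity = min(severity + 1, 5)
    return True, severity


@dataclass
class Incident:
    alert_id: str
    severity: int
    stage: str = "identified"
    timeline: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def advance(self, note):
        """Move to the next lifecycle stage and record when and why."""
        idx = STAGES.index(self.stage)
        if idx == len(STAGES) - 1:
            raise ValueError("incident already reviewed and closed")
        self.stage = STAGES[idx + 1]
        self.timeline.append((datetime.now(timezone.utc).isoformat(), self.stage, note))

    def add_evidence(self, name, data):
        """Record a SHA-256 of collected evidence at collection time so that
        any later alteration is detectable."""
        digest = hashlib.sha256(data).hexdigest()
        self.evidence.append({"name": name, "sha256": digest, "size": len(data)})
        return digest

    def verify_evidence(self, name, data):
        """True if `data` still matches the digest recorded for `name`."""
        digest = hashlib.sha256(data).hexdigest()
        return any(e["name"] == name and e["sha256"] == digest for e in self.evidence)


def triage(alerts):
    """Identify and evaluate: convert raw alerts into incidents, drop false
    positives, and order the remainder most severe first."""
    incidents = []
    for alert in alerts:
        is_incident, severity = evaluate_alert(alert)
        if not is_incident:
            continue
        incident = Incident(alert_id=alert["id"], severity=severity)
        incident.advance("criticality assessed")  # identified -> evaluated
        incidents.append(incident)
    return sorted(incidents, key=lambda i: i.severity, reverse=True)


def management_report(incidents):
    """Summary for the report to senior management: incidents per stage
    and the highest severity still open."""
    by_stage = {s: 0 for s in STAGES}
    for inc in incidents:
        by_stage[inc.stage] += 1
    open_sev = [i.severity for i in incidents if i.stage != "reviewed"]
    return {"by_stage": by_stage, "highest_open_severity": max(open_sev, default=0)}


if __name__ == "__main__":
    queue = triage(SAMPLE_ALERTS)
    top = queue[0]
    top.add_evidence("auth.log", b"constructed log excerpt")  # constructed evidence
    top.advance("host isolated, credentials rotated")  # evaluated -> responded
    top.advance("lessons learned documented")  # responded -> reviewed
    for inc in queue:
        print(inc.alert_id, inc.severity, inc.stage)
    print(management_report(queue))
```

Running the block triages the four constructed alerts into three incidents (the scanner's port-scan alert is dropped as a known false positive), walks the most severe one through response and review, and prints a stage summary; trying to advance a reviewed incident again raises an error, which is the point of keeping the stages ordered.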
If you need a good source to help you in auditing an Incident Management Program, this ISACA document may help a lot.