Learn about the security incident management process in Data Protection 101, our series on the fundamentals of information security.
A Definition of Security Incident Management
Security incident management is the process of identifying, managing, recording and analyzing security threats or incidents in real time. It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure. A security incident can be anything from an active threat to an attempted intrusion to a successful compromise or data breach. Policy violations and unauthorized access to data such as health, financial, social security numbers, and personally identifiable records are all examples of security incidents.
The Cybersecurity Incident Management Process
As cybersecurity threats continue to grow in volume and sophistication, organizations are adopting practices that allow them to rapidly identify, respond to, and mitigate these types of incidents while becoming more resilient and protecting against future incidents.
Security incident management utilizes a combination of appliances, software systems, and human-driven investigation and analysis. The security incident management process typically starts with an alert that an incident has occurred and engagement of the incident response team. From there, incident responders will investigate and analyze the incident to determine its scope, assess damages, and develop a plan for mitigation.
This means that a multi-faceted strategy for security incident management must be implemented to ensure the IT environment is truly secure. ISO/IEC 27035 outlines a five-step process for security incident management, including:
- Prepare for handling incidents.
- Identify potential security incidents through monitoring and report all incidents.
- Assess identified incidents to determine the appropriate next steps for mitigating the risk.
- Respond to the incident by containing, investigating, and resolving it (based on the outcome of step 3).
- Learn and document key takeaways from every incident.
How Security Incident Management Works
While incident response measures can vary depending on the organization and related business functions, there are general steps that are often taken to manage threats. The first step may start with a full investigation of an anomalous system or an irregularity in system, data, or user behavior.
For example, a security incident management team may identify a server that is operating more slowly than normal. From there the team will assess the issue to determine whether the behavior is the result of a security incident. If that proves to be the case, then the incident will be analyzed further; information is collected and documented to figure out the scope of the incident and steps required for resolution, and a detailed report is written of the security incident.
If needed, law enforcement may be involved. If the incident involves exposure or theft of sensitive customer records, then a public announcement may be made with the involvement of executive management and a public relations team.
Best Practices for Security Incident Management
- Develop a security incident management plan and supporting policies that include guidance on how incidents are detected, reported, assessed, and responded to. Have a checklist ready for a set of actions based on the threat. Continuously update security incident management procedures as necessary, particularly with lessons learned from prior incidents.
- Establish an incident response team (sometimes called a CSIRT) including clearly defined roles and responsibilities. Your incident response team should include functional roles within the IT/security department as well as representation for other departments such as legal, communications, finance, and business management or operations.
- Develop a comprehensive training program for every activity necessary within the set of security incident management procedures. Practice your security incident management plan with test scenarios on a consistent basis and make refinements as needed.
- After any security incident, perform a post-incident analysis to learn from your successes and failures and make adjustments to your security program and incident management process where needed.
In some situations, collecting evidence and analyzing forensics is a necessary component of incident response. For these circumstances, you’ll want the following in place:
- A policy for evidence collection to ensure it is correct and sufficient, or, when applicable, will be accepted in a court of law.
- The ability to employ forensics as needed for analysis, reporting, and investigation.
- Team members who have experience and training in forensics and functional techniques.
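One concrete way to make collected evidence "correct and sufficient" is to hash each item at acquisition and keep a chain-of-custody record that refuses hand-offs when the item no longer matches that hash. The following is an added example, not code from the article; the item identifier, analyst names and the log excerpt are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


@dataclass
class CustodyRecord:
    """One chain-of-custody entry for a single evidence item."""
    item_id: str
    sha256: str
    collected_by: str
    collected_at: str
    transfers: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_evidence(item_id: str, data: bytes, collector: str) -> CustodyRecord:
    """Hash the evidence at acquisition time and open its custody record."""
    return CustodyRecord(item_id, sha256_hex(data), collector,
                         datetime.now(timezone.utc).isoformat())


def verify(record: CustodyRecord, data: bytes) -> bool:
    """True only if the item still hashes to the value recorded at collection."""
    return sha256_hex(data) == record.sha256


def transfer(record: CustodyRecord, from_person: str, to_person: str, data: bytes) -> bool:
    """Log a hand-off; refuse (and log nothing) if the item has been altered."""
    if not verify(record, data):
        return False
    record.transfers.append({"from": from_person, "to": to_person,
                             "at": datetime.now(timezone.utc).isoformat()})
    return True


# Constructed sample evidence: a log excerpt captured from the "slow server" scenario.
ORIGINAL_LOG = b"2024-01-01T03:12:07Z sshd[412]: Accepted publickey for svc from 10.0.0.9\n"
TAMPERED_LOG = ORIGINAL_LOG.replace(b"10.0.0.9", b"10.0.0.7")  # one byte changed

if __name__ == "__main__":
    rec = collect_evidence("EV-001", ORIGINAL_LOG, "analyst_a")
    print(transfer(rec, "analyst_a", "analyst_b", ORIGINAL_LOG))  # True
    print(transfer(rec, "analyst_b", "analyst_c", TAMPERED_LOG))  # False
    print(json.dumps(asdict(rec), indent=2))
```

The custody record can be exported as JSON and stored alongside the evidence so that anyone reviewing the case later can recompute the hash and confirm the item is unchanged.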
A strong security incident management process is imperative for reducing recovery costs, potential liabilities, and damage to the victim organization. Organizations should evaluate and select a suite of tools to improve visibility, alerting, and actionability with regard to security incidents.