Developing an effective incident response programme
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
January 5, 2022680 views0 comments
No matter how prepared or no matter the number of information security controls a company possesses, a time will come when the organisation suffers a computer security compromise. It is just inevitable especially if the business runs most of its processes through a network system, online or through a third-party company. Sometimes, the incident might be a minor breach that can be quickly remediated or a major breach that might expose the company and turn into a media spotlight. Yet, many companies don’t have a methodical response when these incidents occur.
Planning in advance for incidents and various incidents helps business leaders and stakeholders decide how they will handle situations and prepare a well-thought response. Usually, an event is related to occurrences that happen to a security function within an organisation. For example, whenever a company tries to extract data from their cloud database into their Virtual Private Network there is a four second exposure which leaves room for hackers. Another example could be an administrator changing permissions on a shared folder could spring potential incidents.
The above examples might not necessarily lead to what information governance professionals call an “adverse event” but it is pertinent to record these incidents and draw lessons from them. An adverse event has negative consequences. For example, when there is a malware infection on a system or a user accesses file that he or she is not authorised to view which leads to the compromising of the information integrity. These acts violate computer security policies or a company’s acceptable use policies.
The first step to creating an effective incident response management is to create a security incident response team. These set of individuals or stakeholders will be responsible for responding to an information security incident that occur within an organisation by following the existing response procedures and incorporating subject matter expertise where needed. Usually, the team might include individuals from the IT, finance, HR, and privacy department. The formation of these team is dependent on the size of the company, and they must be able to respond to incident at any time and day.
There are four known phases in the incident response. To avoid poor decision making in the event of an incident, it is good for an organisation to embed these four phases into their incident response management plan.
The first phase is preparation. This phase includes creating a documented policy and assigning staff members who own these policies. This requires careful preparation to ensure that the proper foundation to operational procedures that will be effective in the organisation’s information security management framework is laid.
The next phase is detection and analysis phase which requires identifying the security incident that has taken place. Quite often, these incidents are usually spotted by trained experts or analysts. There are security event indicators, according to National Institute of Standard and Technology (NIST), which includes: alerts, logs, publicly available information, and people. NIST further recommends that organisations in this phase seek assistance from external resources, capture network traffic as soon as incident is suspected, and understand normal behaviour of users, systems, networks, and applications.
The third phase is containment, eradication and recovery which primarily includes activities designed to uncover and analyse information about the incident. This stage further helps the team to take informed measures to contain the effects of the incident, where necessary eradicate the incident and recover to normal BAU activities.
The fourth phase is the post incident activity. This is where recovery effort to restore business to normal operations occur. It is a lessons-learned review session to ensure that there is a new approach towards preventing a further recurrence of the event and creating an improved business procedure to prevent the incident.
Organisation must take incident management serious as these helps them prepare to handle incidents in a methodical fashion and helps prevent incidents from spiralling out of control. It is good practise to maintain a team that manages the whole incident management response within a company.