Your initial answer to this question may be very different from your answer just 15 seconds later. Everyone wants to think that their team is ready to handle a security incident. But, even the most prepared organizations may not have considered every potential scenario or trained every employee on the proper procedures. Your organization’s ability to react appropriately is directly proportionate to the maturity of your information security program.
Perfection is Not Required
The goal of every executive team is to reduce the organization’s risk. The level of “acceptable risk” can vary significantly from one management team or board of directors to the next. Finding that balance of information security risk and investment for your organization is essential. Your information security program will mirror your corporate risk profile and mature as your team experiences alerts. The program (and your ability to respond) will continually improve as you refine your policies and procedures based on new security events.
Common Security Events
Let’s get back to our original question. To some degree, security events happen every day. With any luck, your firewall, antivirus software, and other security controls are doing their job and protecting your assets and users. Whether you have visibility to these events or not, they are happening—some are more dangerous than others. Awareness is your best defense. So, how do you think your users, IT team, and security specialists will handle these common security incidents?
- A malware alert from your antivirus or endpoint detection software
- A phishing email from a spoofed executive email address requesting a money transfer
- A user sending confidential information to the wrong external email address
- Inappropriate network activity from a compromised vendor account
- A distributed denial-of-service (DDoS) attack that takes your systems offline
Responding to an Incident
Each scenario above should trigger an alert from a security tool or prompt a team member to open a security ticket for assistance. From there, your policies and procedures will define how your organization responds. Not every alert is an “incident,” and not every incident is a “breach.” To determine the severity of the event, a thorough investigation by a trained cybersecurity professional will be required. Larger organizations may have this skillset in-house, while smaller organizations may contract with a managed security service provider (MSSP).
What is an Incident?
According to ISO 27001 definitions, an information security incident is “a single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.” To categorize these events, our customers refer to the IT security triad:
Degree of Danger
A security breach will entail the loss (or partial loss) of one or more of these triad elements. When we consider time (duration of the loss), extent (number of assets involved and percent of the organization affected), and impact (degree of element lost), we can further classify an event as a “weakness,” “minor incident,” or “major incident.” The exact parameters for each classification are specific to an organization’s risk profile and are typically defined in an Information Security Incident Management Procedure. This document also includes the steps your team will take to triage and respond to the various types of events.
When you document the scope, statements, responsibilities, and enforcement of your information security policies, you help your employees, contractors, and suppliers understand your expectation of their actions. Clarity is crucial. Your information security procedures provide your IT and security teams with documented steps for responding to incidents and communicating with the appropriate parties.
The goals of your incident management procedure are to identify the affected assets, contain the damage, correct the issue, verify it’s resolved, and determine the root cause. The NIST Cybersecurity Framework uses the terms Identify, Protect, Detect, Respond, and Recover for similar procedural steps. Regardless of the methodology you choose, it is important to have a documented and approved process for your team to follow when they are in the middle of responding to an unexpected security event. Depending on the event’s severity, additional procedures may be enacted, such as an Incident Response Plan, Business Continuity Plan, Disaster Recovery Plan, or Breach Notification.
Protecting Forensic Evidence
During the response process, forensic evidence will need to be collected and preserved by a qualified professional. In the early stages of an investigation, it is difficult to know whether the incident will result in litigation. So, it is a best practice to treat everything as evidence and handle it properly, defining an appropriate and defendable chain of custody. In most cases, outsourcing this custodian role to an experienced, third-party forensics firm will safeguard your legal options.
Start Small, but Start Today
While all this may seem a little overwhelming, you won’t be the first organization to put security policies and procedures in place. You may find that you already have some pieces assembled, informally. For information security incident management best practices, we recommend taking a look at ISO 27002. Section 16 provides guidelines for responsibilities, communications, reporting, and handling forensic evidence. Whether your marketing research firm is required to be ISO 27001 certified or you just want to take the right steps toward better information security practices, understanding ISO 27000 guidelines will help you lay a proper foundation.
What Security Tools do we need?
It’s relatively easy to justify new security tools following a security incident. However, fixing a vulnerability without fully understanding your overall risk can be reckless. A better strategy is first to implement a Risk Assessment. The results of your assessment will help you prioritize your security investments for the most effective treatment of your risks.
Security incidents will happen. Continuous improvement of your policies and procedures from your lessons learned is the best way to protect your organization, reduce your risk, and nurture your security program. Be sure to analyze your alerts for potential patterns by updating and reviewing your incident log regularly. Make sure your vendors, suppliers, and partners that you share data with have mature security programs that align with yours. Establish metrics to track your progress and identify both positive and negative trends.
Responding to security incidents is a team sport. Your entire executive team and board of directors will be actively involved in managing, tracking, analyzing, and responding to your security incidents. Their primary goal is to reduce the risk to the business, but they will also be involved with escalation, communication, litigation, and investment decisions.
Ezentria can help you determine the best way to implement your incident management policies and procedures. We also offer expert managed security services and 24×7 incident response services, so you don’t have to build, scale, and retain an in-house security team.
If you have any questions, need assistance, or would like to start with a risk assessment, you can reach us at firstname.lastname@example.org. Our next post will be the first week of November.
Until then, be safe and secure.