Description
Incident Management

Overview
Incident Management is the process that ensures information security events and weaknesses (or "incidents") affecting information systems and processes are reported, investigated and resolved in a timely manner. Individuals should be made aware of their responsibility to report information security incidents, and of the procedure for doing so, as soon as possible.

Guidelines
The types of information security incidents that should be reported include, but are not limited to: system failures or loss of service, malicious software/code, denial of service, inaccurate business data, breaches of confidentiality and integrity, or misuse of systems. An Information Security Incident Management program or process should consist of two primary components: Reporting and Management of Information Security incidents.

  • Incident Reporting: a formal procedure should be established for reporting information security incidents, covering:

    • Responsibilities of employees, contractors and third-party users to report events and weaknesses in a timely manner
    • Escalation steps for reporting security incidents, and the point of contact
    • Ensuring important details are disclosed (e.g. date/time, type of non-compliance or incident, messages on screen, malfunction, unusual behavior)
    • Reference to the established disciplinary process for dealing with individuals who commit security breaches
    • A feedback mechanism to ensure those reporting events or weaknesses are notified of the results after the incident is closed
    • Ensuring users do not attempt to test or prove suspected weaknesses in systems instead of reporting them to the appropriate security point of contact

  • Incident Management: a formal procedure should be established to handle the different types of information security incidents effectively, covering:

    • Roles and responsibilities to ensure a timely, effective response to information security incidents
    • Monitoring of systems and vulnerabilities to detect incidents in a timely manner
    • A process to formally document incidents, including date, time, type of incident, evidence and corrective actions taken
    • Gathering and protecting appropriate evidence (e.g. audit trails, documents) in accordance with the rules of evidence
    • Action to recover quickly from a security breach and correct system failures
    • A process to confirm the integrity of systems and controls after the incident is contained
    • Evaluation of information from incidents to determine the root cause and enhance controls, in order to limit the frequency, impact and cost of future occurrences

For more information, please see the standards NIST SP 800-61 (Computer Security Incident Handling Guide) and NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) at the links below.

Topic Category
Incident Management

News Articles
London Police Launch New Cybersecurity Initiative for Local Businesses (www.tripwire.com, 5/1/2018)
All the Ways Equifax Epically Bungled Its Breach Response (www.wired.com, 9/24/2017)
Three Equifax execs sold $1.8 million of stock days after breach discovery (www.grahamcluley.com, 9/9/2017)
UK SMBs value cyber security but remain unprepared for upcoming legislation changes (blog.barracuda.com, 9/5/2017)
TalkTalk breach: CEO dismisses encryption, 15-year-old arrested (nakedsecurity.sophos.com, 10/27/2015)
PagerDuty hacked ... and finally comes clean 21 days later. Cheers (www.theregister.co.uk, 7/31/2015)
Backoff: New Point of Sale Malware (www.us-cert.gov, 7/31/2014)
US GAO Report Highlights Incident Response Shortcomings (www.fireeye.com, 7/15/2014)
Most businesses unprepared for cyberattack, study finds (www.zdnet.com, 3/18/2014)
How Target detected hack but failed to act -- Bloomberg (news.cnet.com, 3/13/2014)
More retailers hit by security breaches; malware found on Target's POS machines (www.zdnet.com, 1/13/2014)
Euro computer emergency teams need better support – ENISA (www.theregister.co.uk, 11/27/2013)
Stern new data breach reporting requirement takes hold in EU (www.scmagazine.com, 8/26/2013)
California data breach study indicates lack of encryption (www.scmagazine.com, 7/15/2013)
Infosec boffins meet to plan nuke plant hack response (www.theregister.co.uk, 3/19/2013)
US national vulnerability database hacked (www.theregister.co.uk, 3/14/2013)
Google Debuts New Help for Hacked Sites Videos, Articles (threatpost.com, 3/13/2013)
How Facebook Prepared to Be Hacked (threatpost.com, 3/8/2013)
Facebook hit by 'sophisticated attack'; Java zero-day exploit to blame (www.zdnet.com, 2/15/2013)
EU: We'll force power plants, Apple and pals to admit hack attacks (www.theregister.co.uk, 2/8/2013)
China, The New York Times and the Value of Self-Shaming (threatpost.com, 1/31/2013)
Adequate Attack Data and Threat Information Sharing No Longer a Luxury (threatpost.com, 11/15/2012)
Dropbox finds no intrusions, continues spam investigation (www.zdnet.com, 7/20/2012)
U.S. Critical Infrastructure Cyberattack Reports Jump Dramatically (www.darkreading.com, 6/29/2012)
Advanced persistent threats can be beaten, says expert (www.csoonline.com, 6/25/2012)
Senators introduce guidelines bill for data security breaches (thehill.com, 6/22/2012)
DHS To Critical Infrastructure Owners: Hold On To Data After Cyber Attack (threatpost.com, 5/29/2012)
FCC chairman calls on ISPs to adopt new security measures (www.computerworld.com, 2/22/2012)
Want CSI without the blood? Investigate computer forensics (www.usatoday.com, 2/1/2012)
EU 24-Hour Data Breach Notification Rule 'Unworkable': AT&T Executive (www.eweek.com, 1/26/2012)
EU proposes 'right to be forgotten' by internet firms (www.bbc.co.uk, 1/23/2012)
Zappos customer data accessed in security breach (news.cnet.com, 1/15/2012)
Massive fines planned in European data breach crackdown (www.zdnet.com, 12/5/2011)
SEC Mandates Cyber Incident Reporting (www.informationweek.com, 10/14/2011)
Nominet suspends fake pharma domains (www.theregister.co.uk, 9/30/2011)
WikiLeaks Tests Feasibility Of Government Data Security (www.informationweek.com, 7/28/2011)
White Papers
ENISA Annual Incident Reports 2012 (www.enisa.europa.eu, 8/20/2013)
How to Deal with a Security Breach (www.privacyrights.org, 5/1/2012)
Businesses Must Provide Victims and Law Enforcement with Transaction Records Relating to Identity Theft (business.ftc.gov, 5/1/2006)
Policies
Security Incident Management Policy
Standards
NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide (NIST, 8/1/2012)
NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops (NIST, 7/25/2013)
NIST Guide to Integrating Forensic Techniques into Incident Response (NIST, 8/1/2006)
NIST Guide to Computer Security Log Management (NIST, 9/1/2006)
NIST Guide to Intrusion Detection and Prevention Systems (IDPS) (NIST, 2/1/2007)
NIST SP 800-101 Rev. 1 Guidelines on Mobile Device Forensics (NIST, 5/28/2014)