Incident management and security incident management
When does an incident become a security incident? Who decides, when, and on what basis? What happens next, and which process is followed? ITIL does not answer these questions directly. ITIL treats Information Security Management as a high-level process; it is not very detailed at an operational level.
ITIL does tell you, though, that Incident Management has an interface with Information Security Management, and that the handling, escalation and communication of security-related events should be clearly defined and documented. Should a security-related incident simply be handled like any other incident, with the same resources and tools?
Be prepared to deal with security incidents. Set up a security incident management policy and establish a competent team to handle them. Security incident roles and responsibilities should be defined separately from ordinary incident roles, so that each receives sufficient attention; the team is commonly called a SIRT (Security Incident Response Team).
In principle, every security-related incident should be brought to the attention of the SIRT, from whatever stage of the Incident Management process it is recognised. The easiest way to achieve this is a 'security incident' checkbox in the Service Desk (SD) tool, but not all tools support one; whether security becomes a category alongside the others is a decision to make when configuring or tailoring the tool. Clear and urgent security events and incidents should be assigned to the SIRT directly from the monitoring systems and the SD as soon as they are identified.

Example of security flow
Identify and report information security incidents. Sometimes it is obvious from the start that an incident is security-related, e.g. the Intrusion Detection System (IDS) detects an attack and sends the event to the SD or to the expert team. At other times it may take a while before you realise that what you are dealing with is entirely a security issue. So train your personnel to define and recognise IT security incidents: any IT event that harms, or attempts to harm, the confidentiality, integrity or availability of a service is a security issue. Events or attempted events classified as IT security incidents include:
- Malware
- Successful or unsuccessful hacking attack
- An alarm raised by an intrusion detection system
- Unauthorized access to classified or otherwise sensitive information
- Unauthorized alteration of information
- Compromise of system/server integrity
- DoS / DDoS
- Unauthorized alteration of Web site contents
- Intrusion/penetration of a system/server
- Destruction of data
- IT fraud
- Significant personal misuse of IT equipment by an employee
- Misuse of corporate-owned IT equipment for criminal acts
- Misuse of corporate-owned IT equipment for serious breaches of ethical conduct
Classify incidents and decide how they are to be addressed. This is a genuine trade-off: patch things up and resume business quickly, or collect forensic evidence first even if that delays resolution. What kinds of security incidents might there be? Some examples of security incident categories are set out below:
- Breach of confidentiality: intentional or accidental disclosure of classified information to unauthorized parties. Example: espionage, i.e. disclosure of sensitive information to a third party or competitor.
- Breach of integrity: intentional or accidental unauthorized modification of information. Example: financial fraud through modified or fraudulent transactions.
- Loss of information availability: information or a service is unavailable or cannot be accessed. Example: sabotage or denial of service. (In the limited context of this procedure, accidental disruption of availability due to a system failure is excluded from the definition; such incidents are managed by the normal incident management procedure.)
- Loss of accountability services: intentional or accidental disruption of the mechanisms that trace information management activities. Example: modification or destruction of audit logs.
- Security violation: non-compliance with the security plan. Violations are classified as suspected security incidents/problems and, once confirmed as one of the breaches above (confidentiality, integrity, availability or accountability), are handled within this process.
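The routing rules described above (monitoring and IDS events go to the SIRT directly, the Service Desk's 'security incident' flag does the same, keyword triage catches the rest, and an accidental availability failure stays with normal incident management) can be written down as a small decision function. The following is an added example, not code from the post, 3gamma or any ITIL/ISO tool; the field names (`source`, `security_flag`, `accidental`), the keyword hints and the sample events are all constructed for illustration.

```python
"""Triage of incoming events into the SIRT queue or normal incident management.

Added example, not from the original post. Field names, keyword hints and
sample events are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    """Incident categories from the post, plus a 'not yet assessed' bucket."""
    CONFIDENTIALITY = "breach of confidentiality"
    INTEGRITY = "breach of integrity"
    AVAILABILITY = "loss of availability"
    ACCOUNTABILITY = "loss of accountability"
    SUSPECTED = "suspected security incident, impact to be assessed"
    NONE = "not a security incident"


# Keyword hints for first-line triage (assumed; a real deployment would tune
# these against its own ticket history). First matching category wins.
HINTS = {
    Impact.CONFIDENTIALITY: ("unauthorized access", "disclos", "leak", "competitor", "espionage"),
    Impact.INTEGRITY: ("unauthorized alter", "modif", "deface", "fraud", "malware",
                       "compromise", "injection", "intrusion"),
    Impact.AVAILABILITY: ("denial of service", "ddos", "dos attack", "sabotage",
                          "unavailable", "destruction"),
    Impact.ACCOUNTABILITY: ("audit log", "log deleted", "log tamper"),
}


@dataclass
class Event:
    event_id: str
    source: str                  # "ids", "monitoring" or "service_desk"
    summary: str
    security_flag: bool = False  # the SD tool's 'security incident' checkbox
    accidental: bool = False     # known accidental failure, no attacker involved


@dataclass
class Decision:
    route: str                   # "SIRT" or "incident_management"
    impact: Impact
    preserve_evidence: bool      # SIRT cases must keep forensic evidence
    reason: str


def classify_impact(summary: str) -> Impact:
    """Map free-text ticket summary to a CIA/accountability category."""
    text = summary.lower()
    for impact, words in HINTS.items():
        if any(w in text for w in words):
            return impact
    return Impact.NONE


def triage(ev: Event) -> Decision:
    impact = classify_impact(ev.summary)

    # Accidental loss of availability is ordinary incident management,
    # not a security incident (the exclusion stated in the post).
    if impact is Impact.AVAILABILITY and ev.accidental:
        return Decision("incident_management", Impact.NONE, False,
                        "accidental system failure; normal incident management")

    # IDS/monitoring events and SD-flagged tickets go straight to the SIRT,
    # even before the impact is understood.
    if ev.source in ("ids", "monitoring") or ev.security_flag:
        if impact is Impact.NONE:
            impact = Impact.SUSPECTED
        return Decision("SIRT", impact, True,
                        f"direct assignment (source={ev.source}, flag={ev.security_flag})")

    # Otherwise the wording of the ticket decides.
    if impact is not Impact.NONE:
        return Decision("SIRT", impact, True, f"keyword triage matched '{impact.value}'")
    return Decision("incident_management", Impact.NONE, False, "no security indicators")


def sample_events() -> list[Event]:
    """Constructed sample events, not real tickets."""
    return [
        Event("E1", "ids", "IDS alarm: repeated SQL injection attempts against www-01"),
        Event("E2", "service_desk", "Disk controller failure on file server, shares unavailable",
              accidental=True),
        Event("E3", "service_desk", "Audit logs on the payroll server were deleted last night"),
        Event("E4", "service_desk", "User reports contract documents emailed to competitor",
              security_flag=True),
        Event("E5", "service_desk", "Printer on floor 3 out of toner"),
        Event("E6", "monitoring", "Unexpected outbound connection from db-02 to unknown host"),
    ]


def run_triage() -> dict[str, Decision]:
    return {ev.event_id: triage(ev) for ev in sample_events()}


if __name__ == "__main__":
    for event_id, d in run_triage().items():
        print(f"{event_id}: {d.route:<20} {d.impact.value:<55} evidence={d.preserve_evidence}")
```

E6 is the interesting case: nothing in its text matches a category, but because it came from monitoring it still lands in the SIRT queue as a suspected incident with evidence preservation switched on, which is exactly the "bring it to the SIRT's attention from any stage" rule rather than waiting until someone is sure.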
Assess incidents and determine how they are to be dealt with.
Respond to incidents: contain, investigate and resolve them.
Learn lessons: more than simply identifying what could have been done better, this stage involves actually making the changes that improve the process.
The standard provides template reporting forms for information security events, incidents and vulnerabilities.
ISO 27002 definition of Information security incident management
“Section 13: Information security incident management”
Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.
13.1 Reporting information security events and weaknesses
An incident reporting/alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities.
13.2 Management of information security incidents and improvements
Responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence.”
(http://www.iso27001security.com/html/27002.html#Section13)
Be prepared! When a security incident occurs it is much easier to follow a chosen process or procedure than to invent one in the middle of a crisis. Document the process and share it, so that people can identify security incidents and react to them.
Tommi Siekkinen
3gamma Finland
If you’d like to know more about how 3gamma can help your business get the great IT it deserves, contact us now.