Information Security Incident Management
The system of data leakage protection is based, above all, on the detection, prevention, registration and mitigation of information security incidents or events that violate regulated procedures. There are a number of techniques that determine benchmarks of their management. These techniques are implemented at the level of international standards that establish the criteria for assessing the quality of management systems in companies. Within these regulations information security events or incidents are identified and recorded, and their consequences are eliminated. After the analysis of causes the regulations and procedures are enhanced.
Definition of an incident
International regulations in the sphere of certification of information system management provide their definition of this phenomenon. According to them, the information security incident is an isolated, undesirable and unpredictable event that can affect the company's business processes, compromise them or violate the level of information security protection. In practice, this concept covers various events occurring during the work with the information in electronic form or on material media. These events include leaving the documents on the desk available to other employees and hacking, and both incidents can cause the same damage to the company's interests.
The main types of events include:
- Violation of the procedure for interaction with Internet providers, hosting, mail services, cloud services and other providers of telecommunications services
- Failure of both technical and software equipment for any reasons
- Software bugs
- Violation of rules for processing, storing, transferring information, both electronic and hard copies
- Unauthorized access of third parties to information resources
- Detection of external monitoring of resources
- Detection of viruses or other malicious programs
- Any compromise of the system, for example, releasing account passwords to the public.
All the events should be classified, described and included in the internal corporate documentation that regulate the procedure for ensuring information security. Moreover, regulatory documents should provide the hierarchy of events and divide them according to their severity. Note that a significant part of the incidents is barely noticeable as they occur outside the spotlight of the management’s attention. It is necessary to give a detailed description of such abnormal events and identify the measures for their detection.
When describing measures of the response, it should be taken into account that the change in the frequency and the total number of information security incidents serves an indicator of the IS system quality and is classified as a significant event. The increase in the number of events may indicate a deliberate attack on the company's information systems, so it should give rise to the analysis and further enhancement of the protection level.
Role of incident management in the common information security system
The regulations governing the management of information security incidents should constitute an integral part of business processes and their regulation. Assuming that the incident is an unauthorized event, it is necessary to apply a mechanism that would divide events and actions into allowed and prohibited and define bodies that have the right to develop such norms. In addition, the regulations enumerate methods for classifying the events that are not explicitly identified as significant, and a mechanism for detecting such events, their description and subsequent entry into regulatory documents.
For example, the regulations may prohibit the placement of confidential information on portable media without its encoding or encryption. At the same time, they don’t explicitly prohibit to take such devices outside the office. The accidental loss of a computer because of a criminal intrusion will be regarded as incident, but it will not be expressly prohibited. Accordingly, the documents should establish a mechanism for supplementing the norms and safety rules on ad-hoc basis with little red tape. This will allow promptly reacting to new challenges and finalizing protection measures in a timely manner, and not with a significant delay.
The ISO 27001 certification system requires the establishment of a specific procedure for information security incident management as a part of IS within a common standardization system related to business processes.
Aspects of incident security management
Despite the fact that the standards recommend to introduce the techniques for managing information security incidents, in practice, the introduction and implementation of these techniques is a challenging task. There are no separate incident management procedures, but it does not mean that incident management systems are good or bad, it just reveals a security flaw.
The management of information security incidents is based on the following actions:
- Definition. Companies lack a methodology to identify, classify incidents, and describe their main parameters. That is why employees face the need to either determine the criteria by themselves, or ignore an event. According to the standards, authentication under the account of another employee is an information incident, but it will not be logged, since employees consider this behavior normal and allowed, especially given the shortage of human resources.
- Notification. Even if the company’s methodology or an employee defines an event as an incident, there are no developed standards and ways to notify of such events. Even if an employee detects copying documents with commercial secrets, he/she will be stumped with the question who and in what form should be informed about the incident: manager, security service or another person.
- Logging and elimination of causes and consequences. Any incident leaves certain traces and consequences which, on the one hand, can interfere with the company's activities, and on the other hand serve as a material for investigation. The absence of regulations for the elimination of consequences can lead both to the accumulation of errors, and to the complete destruction of the evidence base, allowing identifying the perpetrator of the situation occurred. Any urgent measures taken to restore stability can accidentally or intentionally destroy the signs of an unauthorized access to the database.
- Incident response measures. In some cases, an incident may require urgent response measures, for example, disconnecting the computer from the network, suspending the transfer of information, contacting the provider. It is required to identify the bodies and officials responsible for the development of the response mechanism and its prompt implementation.
- Investigation. Investigative powers must be transferred from the IT department to the security services. The investigation should include the analysis of logs and the actions of all users and administrators who had access to the systems when the emergency incident occurred. Investigation should be one of the key elements of incident management. If necessary, the investigation can involve operational investigative bodies.
- Implementation of preventive measures. Usually, incidents are not isolated, they reveal a breach in the IS system, meaning that similar cases will happen again. In order to avoid these risks, it is necessary to prepare a report or a commission statement. It should be based on the investigation results with the indication of measures to be applied for preventing similar situations. In addition, it is necessary to apply certain disciplinary measures under the Labor Code and internal regulations.
- Analytics. All events that violate regulated processes and can be defined as information security incidents should serve the basis for the analysis. The analysis will help determine their nature, show consistency and develop recommendations to improve the IS system in the company.
The main problems related to violations of procedures are due to unwillingness of the staff to fully understand, adapt and implement the recommendations. Difficulties to understand incidents and react to them lead to situations and actions that are not governed by regulations or standards or seem to be redundant or excess.
Like any corporate procedure, the creation of IS incident management system must comprise several stages, from making a decision to implementation and audit. In practice, the management of most enterprises is not aware of the need to protect information perimeter. To initiate implementation, it is often necessary to audit IS systems by external consultants, to develop recommendations, implemented by the company's management. The decision of the executive bodies or higher levels of the company's management system, for example, the Board of directors serves as the starting point for the implementation of IS incident management procedures.
The joint decision is usually taken in line with the modernization of the existing IS system. The incident management system constitute the main part. At the decision-making level, it is necessary to define its role in the overall paradigm of the company's goals. Ideally, IS system should become one of the business objectives, and its operation should be supported by key performance indicators for responsible employees. Once the status of the system is determined, it is necessary to proceed to the development of internal documentation that mediates the relations in the company.
To reinforce IS management techniques, they must be approved at the level of the executive body (general director, management or the Board of directors). The document should be introduced to all employees who work with the information in e-form or on physical media.
The structure of the document, drawn up in the form of a provision or a regulation, should include the following subsections:
- Definition of events recognized as incidents in relation to the security system of a particular company. Thus, the use of external e-mail may violate IS in a state company and be a common event in a private company;
- Event notification procedure. The notification format (oral, memorandum, electronic message), the list of people to be notified, including those, duplicating their duties in case of absence, the list of other people, which receive information on the events (the company management), notification period after receiving information about the incident;
- List of measures for eliminating the consequences of the incident and the procedure for their implementation;
- Investigative procedure, which determines the officials responsible for investigation, the mechanism for evidence collection and recording, possible actions to identify a culprit;
- The procedure for bringing the guilty persons to disciplinary responsibility;
- Security enhancement measures to be applied after the investigation;
- Minimization of harm and elimination of consequences.
When developing regulations that mediate the management system of IS events, it is desirable to rely on already established and proven methods and documents, including report forms, logs and event notifications.
Elimination its causes and consequences, investigation
Once the officials concerned have been notified and the incident has been recorded, it is necessary to take response actions, namely, eliminate its causes and consequences. All the stages should be reflected in the regulations. They describe joint actions for the most significant events, specific steps and the period during which the measures should be applied. It is also necessary to assign responsibility for the non-application of established measures or their insufficient application.
At the investigation stage, the company officials are required to:
- Identify the causes of the incident and the shortcomings of regulatory documents and techniques that made the incident occur
- Identify responsible and guilty persons
- Collect and record evidence
- Determine the reasons of the incident and the circle of persons involved along with the company's staff, as well as identify the third party.
If further prosecution in connection with a IS incident or violation of a commercial secret is to be initiated, it is necessary to involve investigative bodies at the initial stage. The evidence gathered independently without observing the procedural measures will not be recognized as appropriate and will not be invoked in the proceedings.
Preventive measures, changing standards and eliminating consequences
Immediately after the incident is identified, it is necessary to take prompt measures for elimination of its consequences. The next stage requires the analysis of causes and set of actions aimed at preventing a possible recurrence of a similar event. Today, ISO/IEC 27000:2016, the latest version of the joint development of ISO and the Electrotechnical Commission, is the main regulatory document offering standards of the response to incidents. ISO/IEC 27000:2016 offers to create a special support service, the Service Desk, which should perform functions of incident management.
An audit of the compliance to IS incident management techniques is conducted at the reception of the ISO 27001 certificate, as well as when reviewing compliance with the standard requirements. Often an audit reveals that even standards cannot prevent a significant number of problems and misunderstandings regarding incident detection and investigation of the events that caused them. Investigations are complicated by the fact that several operators or administrators can use the same account which makes it difficult to authenticate them. Server controllers, in most cases, do not log events. The absence of a controlled user identification system makes it possible to randomly change information, stop the servers or modify their operation.
It is recommended to conduct the audit at least every six months. As the result, the list of events recognized as incidents should be updated, the list of necessary actions for their elimination should be finalized, and software tools protecting the information perimeter should be modified. If an organization uses DLP and SIEM systems, it can improve them based on the analysis of the incidents within a certain period and the audit results.
Audit should not be the only factor to reveal the weaknesses of the system. Another factor is process quality control mechanisms which should be developed at the stage of the system implementation. The results of the processes should be regularly reviewed.