However blunt, it’s true. It’s a question of not ‘if’ but ‘when’. This adage simply reflects the scale of malicious cyber activity that takes place. For instance, thousands of new malware variants appear every day.
An incident management strategy is vitally important to contain the damage should a breach happen. In fact, IT system breaches need to be considered within the context of disaster recovery and business continuity, as well as mandatory reporting requirements.
One of the best ways to develop an incident management strategy is to build on existing standards. The ISO 27000 family of standards helps organisations keep information assets secure. Specifically, ISO/IEC 27001, the best known of these standards, outlines the requirements for incident management. It covers people, processes and IT systems, all of which are viewed through the lens of risk management.
These standards provide a systematic approach that helps organisations manage the security of their assets, whether financial information, intellectual property, employee details, customer details or third-party information.
The ultimate goal of ISO 27001 is to ensure that security requirements are met, and as such it incorporates incident management as a central component.
An incident management strategy starts with the identification of incidents, typically through users logging them and through automatic incident logging triggered by pre-established conditions.
Incidents then need to be categorised so they can be classified easily. In turn this informs prioritisation: the effect an incident has on the business, and whether it needs to be dealt with urgently or can be managed at a later stage.
Following the initial identification and categorisation of an incident, diagnosis, escalation, investigation and resolution need to take place. While some of these processes can be automated, others, such as investigation and diagnosis, depend on human judgement and intervention.
Depending on the incident, this often involves forensics: working backwards through the evidence so the cause and location of the incident can be established. This is important because a hacker can plunder a customer database and have credit card, banking and personal information up for sale before the company is aware anything has happened. As such, it's important to be able to detect the path of the attack and trace it back to a source, date and time.
In summary, an incident management strategy needs to be a central component in a wider disaster recovery strategy. The point of incident management is that it enables you to effectively identify and manage breaches.