Security incident means any harmful activity which can lead to negative impact to company’s tangible or intangible assets. It is a compromise or violation of an organization’s security eg. it can be a software development company. An incident can range from anything outage such as a power or hardware failure to the incidents such as a violation of organizational policy by disgruntled employees or being hacked.
Incident management is the activities of an IT organization to identify, analyse, and correct hazards to prevent a future re-occurrence of it. Incidents within an organization are normally dealt with by either an Incident Response Team (IRT), or an Incident Management Team (IMT). These team work to restore normal functions of the company.
When any incident occurs IRT take some basic steps and those steps are preplanned. They are;
1. Preparation
This phase deals with the pro-actively preparing a team to be ready to handle an incident. The following should be performed :
- Response Plan/Strategy
- Communication
- Documentation
- Access Control
- Training
2. Identification
This phase deals with the detection and determination of whether there is a deviation from normal operations within an organization, and its scope assuming that the deviation is indeed an incident. This step includes one to gather events from various sources such as past reports, error messages, log files, and other resources, such intrusion detection systems and firewalls. That may produce evidence as to determine whether an event is an incident. If a particular event is determine to be an incident then it should be reported immediately in order to allow the team enough time to collect evidence and prepare for the preceding steps.
3. Containment
The purpose of this phase is to limit the damage happened and prevent any further damage from happening. Basically the focus of this step is to limit the damage as soon as possible and take actions which are corrective.
4. Eradication
This phase deals with the removal and restoration of affected systems. Antivirus and other corrective software will be used.
5. Recovery
The purpose of this phase is to bring affected systems back into the production environment carefully ensuring that it will not lead another incident. The system is tested, monitored, and validated that are being put back into production to verify that they are not being re-infected by malware or compromised by some other means.
It is not necessary in every incident there will be a disciplinary action which should be taken. It depends on what kind of breaches happened after the incident took place. How incident impacted the CIA of the information asset of the organization, and what is the criticality of incident, depending on that disciplinary actions should be taken.
Information security incident management process:
1) Corrective Action of the incident
2) Identification and reporting of the incident.
3) Classify the incident i.e critical, moderate, high or low
4) Identification of stakeholder who all should be involved for managing the incident
5) Root Cause Analysis of the incident
6) Preventive action of the incident to stop or minimize the re-occurrence of the incident
7) Learning communicated to either whole organization or to the stakeholders only
Thus, incident management is significant aspect for every organization including custom software development. Every organization should have proper planning to handle incidents.
Great Post Gail, Such useful information you have shared among us with the awesome explanation, Predict360’s Incident Management Software enables organizations to collect, store and track and collaborate on compliance-related incidents.
ReplyDeletehttp://www.360factors.com/environmental-management-system/incident-management