As the reliance of businesses on their information assets continues to grow, so will the number of computer and security incidents. In protecting their information assets, most businesses perform the following functions:
Implement some measure of security in their organisations
Attempt to maintain a certain level of security
Often left out is security incident handling. Despite best efforts to maintain security, the question remains: "what happens in the event that an incident does occur within the organisation?"
This bulletin will discuss what an incident response programme is and the benefits to your business of developing and maintaining an in-house programme.
A practical approach to implementing an incident response programme within your organisation is available in the gold edition of this bulletin.
1.2 What is Incident Response?
Firstly, let's start by defining what an incident is: "An incident is a situation that puts an organisation's information assets at risk."
Common examples of incident types are:
1. A computer virus is spread throughout the organisation by e-mail
2. Web site defacement: an organisation's website is defaced and financial loss ensues
3. An employee is found sending confidential information to a rival organisation
All of the above incidents could lead to significant financial loss for any organisation. The most severe type of incident is one that adversely affects the business functions of the organisation.
Incident Response Programme (IRP)
The IRP can be defined as both the process by which an incident is handled and the way in which that process is carried out.
The Process: The following are the steps that are carried out when developing an IRP:
Prevention: Incident response is an important part of an organisation's security programme; as a result, it is important to ensure that the preventative measures an organisation has implemented are taken into account. In the event that an incident should occur, the response team needs to be aware of the organisation's prevention mechanisms and is therefore better prepared and capable of handling the incident.
Planning: Planning for an incident is important as it ensures that the relevant parties involved in responding to incidents are aware of their roles and responsibilities, and that the correct policies, processes and procedures are documented to avoid confusion. It also highlights to an organisation the level of technical and managerial expertise that is required of those charged with co-ordinating and responding to incidents.
Detection: This is the most important part of the IRP; the inability to detect an incident makes the IRP worthless. Detection can be carried out using tools such as intrusion detection systems, as well as awareness training programmes for all employees, so that everyone is trained in the identification and notification of security incidents.
Analysis: Once an incident has been detected, it is important that an organisation is capable of analysing both the business and technical impact.
Containment: It is important to ensure that the damage that could result is confined to a minimum. This step is important as, carried out effectively, it can significantly reduce the financial loss incurred.
Investigation: The occurrence of an incident will require investigation, either internally or externally; either way, the IRP must facilitate the investigation process.
Eradication: This step is vital in ensuring that all damage caused by the security incident is completely removed from all affected systems. Often the most effective way of doing this is to completely erase the system(s) that have been affected and rebuild them.
Post-mortem: Once the incident has been resolved, a review of what occurred and how the response could have been improved must be carried out. This will help ensure that future occurrences do not happen.
The method: The following outlines the manner in which the above process should be handled:
Cost effectively: Because the IRP is a cost of doing business and is not revenue generating, it is important to ensure that the cost of the IRP is kept to a minimum and that it adds value to business operations.
Professionally: In order to function correctly, the IRP must be treated like any other service that is delivered to a business.
Efficiently: It is important that the programme is reliable and does not waste the organisation's time and resources.
Repeatable: The process by which an incident is dealt with should not vary. Two similar incidents should be handled in an identical manner regardless of location or organisation.
Predictable: An organisation needs to know what response it will receive as a business service from the IRP.
Trinity Security Services (Trinity) is a leading independent information security solutions and services provider. Customers include a range of FTSE 250 companies across the UK and Europe. Trinity provides its customers with market-leading expertise, delivering solutions ranging from the technical, such as IDS, VPN and e-commerce, to strategic services including security policy and procedure development.