Security incidents have become commonplace, in business and in private life alike. Threats are growing in number and impact, and the consequences often require a large financial outlay from the organization. The central problem is how to react to an incident once it happens. The risks that lead to incidents are present all around us, so an organization needs proper preventive measures to stop a security incident from occurring or, if it does occur, to limit the consequences.
Security incidents include any events or vulnerabilities that adversely affect the operations and services of the organization, or its security itself.
How to identify security events or vulnerabilities?
Any event that in any way compromises the confidentiality, integrity or availability of the organization's information assets is considered a security event or vulnerability and must be reported to the Authority / Security Incident Management Team.
What exactly are security incidents?
Security incidents are unwanted or unexpected security events that have a significant likelihood of jeopardizing business activities. Some examples of security incidents are:
- loss of service, equipment or devices,
- system malfunction or system overload,
- human error,
- uncontrolled system changes,
- software or hardware malfunctions,
- disclosure of confidential information
- and others.
The first step in implementing an organization's security incident management process is to identify the organization's critical assets, conduct a risk assessment, and define how those assets will be managed so that the likelihood of a security incident is reduced.
For the security incident management process to be effective, the organization must appoint a Security Incident Management Team whose members are key employees responsible for IT risk management, human resources, legal compliance, and similar functions.
What does the security incident management process involve?
The key activities of the security incident management process are:
- spotting and reporting a security event or vulnerability
To detect security events or vulnerabilities, the organization needs to monitor system records, that is, logs, as well as alerts from monitoring tools such as intrusion detectors, alarms and antivirus software.
It is also important to raise awareness within the organization that every employee has a duty to report a security event or weakness they notice.
- security event or weakness analysis
When a security event or weakness is reported, the Security Incident Management Team analyses the report to determine whether it is relevant at all. If it is not, the Team informs the person who reported it.
- a detailed evaluation of the reported security event or vulnerability
If the analysis determines that the reported security event or weakness is relevant, a detailed evaluation is performed and the Team decides how to categorize it. During the evaluation, the Team may decide to forward the reported security event or vulnerability to the Computer Emergency Response Team (CERT) in order to obtain a more thorough evaluation. A CERT is a national body that responds to computer security incidents and works preventively to improve the security of information systems.
The result of the evaluation is a definition of the type of security incident, the cause that led to it, and its direct and indirect consequences for the organization (financial loss, business interruption, non-compliance with legislation, loss of reputation, etc.). Based on this evaluation, the Security Incident Report is completed.
- resolving a security incident
Resolving a security incident consists of immediate resolution, reporting to the parties involved, and gathering evidence and forensics.
Once it has been determined that a security incident has occurred, it is very important to inform everyone who is affected and everyone involved in the recovery process, whether employees, external collaborators or third parties.
Because it is very important for the organization to limit the spread of a security incident as quickly as possible, the Security Incident Management Team defines the activities needed to resolve it and engages the people responsible for carrying them out. If the Team decides that the organization does not have the resources needed to resolve the incident, it is forwarded to external contractors, i.e. it is escalated.
After the security incident has been resolved, everyone who was involved in resolving it must be informed.
- carrying out crisis activities (business continuity plan, BCP)
If the Security Incident Management Team determines that the security incident cannot be brought under control despite all the activities undertaken, and that it endangers the functioning of the system, a state of crisis must be declared and the Business Continuity Plan launched.
Once the security incident has been resolved, a further analysis is carried out of the identified security events, weaknesses and incidents, as well as of the reports judged irrelevant, looking for ways to improve overall security and the way security incidents are managed. The purpose of this analysis is to prevent new security incidents from arising.
- gathering evidence and forensics
When resolving a security incident, records must be kept, i.e. evidence of the activities carried out must be recorded. Evidence is collected both for internal analysis of the problem and as forensic evidence in case of an investigation or legal proceedings, so it should be collected in a way that preserves its integrity: who collected each item, when, and a cryptographic hash of it, so that later tampering can be detected. The method of storage, the retention period and access to the evidence are defined by the Security Incident Management Team.
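The process above, from spotting an event in the logs, through deciding whether it is relevant and categorizing it, to recording the evidence, can be exercised end to end on a small scale. The following script is an added example written for this article, not code from the original page or from any particular organization's incident process. It runs a simple brute-force detection over constructed sshd-style log lines (the hosts, usernames and addresses are made up), discards a source that stays below an assumed threshold of five failures as an irrelevant report, raises the severity when the same source later logs in successfully, and then writes an incident record whose evidence is protected by SHA-256 hashes so that `verify_record` can detect any later change to the evidence or the record itself. The log format, the threshold and the record layout are all assumptions for the example.

```python
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not captured data): one source brute-forces several
# accounts and then succeeds; a second source has a single typo then logs in.
SAMPLE_LOG = """\
Mar 10 08:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar 10 08:01:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar 10 08:01:04 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Mar 10 08:01:05 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Mar 10 08:01:06 web1 sshd[2211]: Failed password for oracle from 203.0.113.7 port 51016 ssh2
Mar 10 08:01:09 web1 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51017 ssh2
Mar 10 08:05:44 web1 sshd[2290]: Failed password for alice from 198.51.100.20 port 40211 ssh2
Mar 10 08:05:50 web1 sshd[2290]: Accepted publickey for alice from 198.51.100.20 port 40212 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")

THRESHOLD = 5  # assumed: failures from one source before we treat it as a security event


def detect_events(log_text, threshold=THRESHOLD):
    """Scan log lines and return one event dict per source that crossed the threshold.

    Sources below the threshold are the 'irrelevant reports' of the process: they
    are dropped here rather than passed on to the Team.
    """
    failures = defaultdict(list)   # source address -> usernames that failed
    accepted = defaultdict(list)   # source address -> usernames that succeeded
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(2)].append(m.group(1))

    events = []
    for src, users in failures.items():
        if len(users) < threshold:
            continue
        event = {
            "source": src,
            "failures": len(users),
            "usernames": sorted(set(users)),
            "type": "brute_force_attempt",
            "severity": "medium",
        }
        # A successful login from a brute-forcing source is categorized higher:
        # the account may already be compromised.
        if accepted.get(src):
            event["type"] = "possible_account_compromise"
            event["severity"] = "high"
            event["accepted_users"] = sorted(set(accepted[src]))
        events.append(event)
    return events


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_incident_record(events, log_text, collected_by, when=None):
    """Minimal incident record: who collected what, when, plus evidence hashes.

    The record hash is computed over the canonical JSON of everything else, so
    editing any field afterwards (including an evidence hash) is detectable.
    """
    when = when or datetime.now(timezone.utc).isoformat()
    log_bytes = log_text.encode()
    record = {
        "collected_at": when,
        "collected_by": collected_by,
        "events": events,
        "evidence": [{"name": "auth.log", "size": len(log_bytes), "sha256": sha256_hex(log_bytes)}],
    }
    record["record_sha256"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    return record


def verify_record(record, evidence_bytes_by_name):
    """Return True only if neither the record nor any evidence item has changed."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    if sha256_hex(json.dumps(body, sort_keys=True).encode()) != record["record_sha256"]:
        return False
    return all(
        sha256_hex(evidence_bytes_by_name[item["name"]]) == item["sha256"]
        for item in record["evidence"]
    )


if __name__ == "__main__":
    found = detect_events(SAMPLE_LOG)
    report = build_incident_record(found, SAMPLE_LOG, collected_by="analyst@example.org")
    print(json.dumps(report, indent=2))
    print("evidence intact:", verify_record(report, {"auth.log": SAMPLE_LOG.encode()}))
```

Run as a script it prints the record for the single event from 203.0.113.7 (five failures across root, admin and oracle, then an accepted login as admin, categorized as `possible_account_compromise` with high severity) and confirms the evidence verifies; the one failure from 198.51.100.20 never becomes an event. In a real deployment the evidence would be the preserved log file itself, the record would be stored append-only and the hashes signed or timestamped by someone other than the collector, but the principle is the same: hash at collection time, verify before use.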
Security incidents are inevitable, so organizations should accept that fact and apply pre-defined activities that reduce the damage and improve the security of the affected system.
Each identified security incident needs to be recorded and analysed, the cause that led to it identified, and its consequences for the organization assessed. No measure provides full protection; even after measures are applied, a risk remains that the incident will happen again, but it will then be under control.
To improve the quality of their services, organizations should measure their incident management process by how many incidents are resolved within a defined period of time and with as few escalations as possible. An inefficient security incident management process increases both the likelihood of incidents and their negative effects on the organization, which can lead to business interruptions.