Incident management, disaster recovery
What are incidents?
Incidents are unplanned events of any kind that disrupt or impair the quality of service or threaten to do so. There are almost no organizations that haven‘t encountered any kind of incident.
In order to eliminate and continue operations as easily as possible, organizations must implement an incident management process that includes rules for reporting security events and incidents and how to respond to them.
It is important to note that not every event is an incident. The organisation should appoint an incident management team to analyse each report received and decide whether or not it is an incident based on predefined criteria.
What does incident management involve?
The key activities of the incident management process are:
- Event detection and reporting
In order to detect security events or vulnerabilities it is necessary to monitor system operating records – logos as well as alerts coming from surveillance tools, e.g. detectors, alarms, antivirus software, etc. It is important to raise awareness within the organisation that it is the duty of each employee to report an observed safety event or weakness.
- Analysis of reported event
Upon reporting the occurrence, the incident management team shall carry out an analysis of the incidents with a view to determining whether they are relevant at all. If not, it shall inform the applicant thereof.
- Detailed evaluation of the reported event
If the analysis determines that the reported event is relevant, a detailed evaluation shall be carried out and a decision shall be made on the categorisation of the event for which the team is also responsible. During the evaluation, the team may decide to report the reported event to CERT (Computer Emergency response team) in order to perform a quality evaluation of the reported event. CERT is a national authority that responds to computer security incidents and preventively acts to improve computer security of information systems.
The result of the evaluation of the reported event or incident is to define the type of incident, the cause that led to it, and to define the direct and indirect consequences of the incident on the organization(financial loss, interruption of business activities, failure to comply with legal regulations, loss of reputation, etc.).Based on the conducted evaluation, the Report on the incident is completed.
- Resolution of a security incident
Incident resolution consists of immediate resolution, reporting to the parties involved and gathering evidence and forensics. It is very important, once the incident has been identified, to inform all those at risk and involved in the recovery process, regardless of whether they are employees, external contractors or a third party. Since it is very important for the organization to limit the spread of the incident as soon as possible, the incident Management team defines the activities of solving the incident and employs the responsible persons for solving it.
In the event that the team decides that the organisation does not have the resources necessary to resolve it, it shall be forwarded to external counterparties or escalated. Once the incident has been resolved, it is necessary to inform all those involved in the resolution of the incident.
- Implementation of crisis activities (BCP)
If incident management team determines that the incident cannot be controlled with all activities undertaken and it jeopardises the functioning of the system, it is necessary to declare a state of emergency and initiate a business continuity plan.
After the incident has been solved, further analysis of observed events, weaknesses and incidents, as well as irrelevant reports, is conducted and possible ways of improving overall safety and management of incidents are sought. This analysis shall be carried out in order to prevent the occurrence of new incidents.
- Evidence collection and forensics
When resolving the incident, records should be kept, i.e. evidence of conducted activities should be recorded. Evidence should be collected for the purposes of internal problem analysis and as forensic evidence in the event of an investigation or legal proceedings. The storage method, retention time and access to evidence is defined by the incident Management team.
Any identified incident should be recorded, analysed and the cause that led to it identified as well as an assessment of the consequences it has on the organisation. There is no measure that will provide us with full protection and will remain a risk of the incident happening again, but it will be under control.
What is a disaster, and how do you recover from it?
Any major incident becomes a disaster and triggers the launch of a business continuity plan. The categorisation is performed by the incident management team according to predefined criteria.
A disaster is an event that causes the computer environment to shut down for more than a few minutes, often several hours, days, or years. Today is no longer a question of whether there will be a catastrophe, the question is only when will it occur? Therefore, establishing a sound disaster recovery system is crucial for organisations to survive significant events without major negative impacts on business.
Disaster restoration usually has several key steps, but since the situation after the crisis hardly ever goes as expected, so these steps are often mixed and their distinction is lost. The key task of disaster recovery is to halt its effects and address immediate consequences as quickly as possible.
Disaster recovery Plan (disaster recovery Plan) is defined as a business plan that describes how business activities can quickly and efficiently continue their work after the resulting disaster. The creation of a disaster recovery plan is a major challenge for each organisation. The effectiveness of the plan can be verified through simulated scenarios, but the actual functioning can only be seen once a disaster occurs.
How can ZIH help you?
ZIH in its work on projects implementing information security and business continuity systems that include incident management, uses world leading knowledge in this field, applies relevant methods and tools, and offers the following consulting services:
Conducting of analysis of the current state of incident management and business continuity processes
Establishment of incident management processes
Creation of BIA (Business impact analysis) for all key business processes
Development of a business continuity plan
Drawing up recovery plans
Preparation and conducting of testing of continuity plans
Education in the following field:
- How to manage information security incidents
- Certified ISO 27035 Foundation (PECB)
- Certified ISO 27035 Lead Incident Manager (PECB)
- Certified Disaster Recovery Foundation (PECB)
- Certified Disaster Recovery Manager (PECB)
- Certified Lead Disaster Recovery Manager (PECB)
- Certified Computer Forensics Foundation (PECB)
- Certified Lead Forensics Examiner (PECB)
- Certified ISO 22316 Foundation (PECB)
- Certified ISO 22316 Lead Resilience Manager (PECB)
You may also be interested in these services and trainings:
Why ZIH?
ZIH has extensive experience in projects that include implementation of management and information security and business continuity processes, as well as in implementation od incident management processes in private and public institutions in Croatia and the region.
Contact us
Fill out the form and our staff will contact you and arrange a visit or online meeting to find out how we can help you.
We want to share with you our experiences and the latest trends that can help you in your daily business.
