One of the main goals of an organization's information security system is to protect against information security incidents: events that can lead to a breach of information security or disrupt the normal operation of the organization. Ransomware encrypting files, a data leak, a web server made unavailable by a DDoS or other attack, exploitation of a vulnerability, and theft of media holding confidential information are just a few obvious examples. Avoiding, or at least limiting the damage from, such incidents requires a defined incident management process; a SOC 2 report review checklist is one way to check that the process exists and is followed. In this article we look in more detail at what an information security incident is and at the main actions taken when handling one.
Classification of Information Security Incidents
It is good practice to classify information security incidents. Incidents are commonly divided:
- by type,
- by degree of criticality (the degree of possible damage) for the organization.
When classifying by type, organizations most often use the categories described in normative documents and standards, or categories they define themselves.
Consider, for example, the ISO/IEC 27035-1 standard. It defines the principles for managing information security incidents and also gives examples of incident types, such as:
- Denial of Service (DoS)
- Unauthorized access
- Malware distribution
- Abusive content
- Information gathering (reconnaissance)
The degree of criticality of an incident is, as a rule, determined by the organization itself for each incident or incident type. The assessment draws on the results of risk assessment, expert judgement, and other characteristics of the incident (for example, which assets are affected and how many users are impacted).
Information Security Incident Management
When managing information security incidents, it is important to define a unified approach for the organization that describes who should do what, and how, in the event of an incident. It can take the form of a formal regulation, or of a simpler and more accessible procedure or set of instructions published on an internal resource.
Typically, this documentation contains:
- a list of those responsible for identifying and responding to information security incidents,
- ways to notify responsible persons,
- description of the tools used,
- description of the main stages in incident management: detection, response, and analysis of consequences.
Responsibility for incident management is usually shared among all members of the organization. Ordinary employees are responsible for reporting incidents and following the instructions of the responsible persons, who in turn are responsible for monitoring and handling information security incidents. Responsible persons are typically appointed from among information security specialists, IT specialists, and in some cases employees of specialized departments.
Identification Of an Information Security Incident
At this stage an information security incident is identified, detected, and registered.
This is implemented by monitoring information security events: registering them and then analyzing them. Monitoring can be automated (using specialized tools such as a SIEM), manual, or mixed, using both methods.
A SIEM allows centralized collection of information security events and analyzes them against predefined correlation rules. If a rule fires and a potential incident is detected, the system notifies the responsible person, who in turn decides whether an incident has actually occurred and proceeds to handle it.
If no SIEM is used, the responsible persons review the event logs at a defined frequency and decide whether an incident has occurred and what to do next. Additional information that helps identify incidents may come from users, for example an employee reporting a suspected security breach.
For further work with the incident, information about it can be recorded in the SIEM or other tools, including log books. How this information is ultimately stored depends on the capabilities and features of the infrastructure and on applicable requirements. The incident record should include at least the date and time of occurrence (or detection), a description, the affected resources, and the assigned criticality.
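The following is an added example (not code from the original article or from UnderDefense) of what a SIEM correlation rule and the resulting incident record look like in practice. It implements a simple brute-force rule over constructed sshd-style log lines: five or more failed logins from one source IP within 60 seconds, followed by a successful login from that IP, is registered as an "Unauthorized access" incident with a detection time, description, and criticality. The log format, host names, IP addresses, thresholds, and the criticality rule are all assumptions made for the example.

```python
"""Minimal SIEM-style correlation over authentication logs (added example).

Rule: FAIL_THRESHOLD or more failed logins from one source IP within WINDOW,
followed by a successful login from that IP, is registered as an
"Unauthorized access" incident (one of the ISO/IEC 27035-1 example types).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (simplified sshd-style: ISO timestamp, host,
# event, user, source IP). Hosts, users and addresses are made up.
SAMPLE_LOGS = """\
2024-03-04T09:12:01 srv-web1 FAILED_LOGIN user=admin src=203.0.113.7
2024-03-04T09:12:03 srv-web1 FAILED_LOGIN user=admin src=203.0.113.7
2024-03-04T09:12:05 srv-web1 FAILED_LOGIN user=root src=203.0.113.7
2024-03-04T09:12:06 srv-web1 FAILED_LOGIN user=admin src=203.0.113.7
2024-03-04T09:12:08 srv-web1 FAILED_LOGIN user=admin src=203.0.113.7
2024-03-04T09:12:15 srv-web1 LOGIN_OK user=admin src=203.0.113.7
2024-03-04T09:12:20 srv-web1 FAILED_LOGIN user=jdoe src=198.51.100.9
2024-03-04T09:13:40 srv-web1 LOGIN_OK user=jdoe src=198.51.100.9
"""

FAIL_THRESHOLD = 5            # assumed tuning value
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def severity_for(incident_type, host):
    """Hypothetical criticality rule. The article notes the organization
    decides this itself from its risk assessment; here, unauthorized access
    to a server (host name starting with 'srv-') is High, otherwise Medium."""
    if incident_type == "Unauthorized access" and host.startswith("srv-"):
        return "High"
    return "Medium"


def correlate(log_text):
    """Return the list of incident records produced by the brute-force rule."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    incidents = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        window = failures[ev["src"]]
        # Expire failures that fall outside the window relative to this event.
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if ev["event"] == "FAILED_LOGIN":
            window.append(ev["ts"])
        elif ev["event"] == "LOGIN_OK" and len(window) >= FAIL_THRESHOLD:
            incidents.append({
                "detected_at": ev["ts"].isoformat(),
                "type": "Unauthorized access",
                "severity": severity_for("Unauthorized access", ev["host"]),
                "affected_host": ev["host"],
                "source_ip": ev["src"],
                "account": ev["user"],
                "description": (
                    f"{len(window)} failed logins from {ev['src']} within "
                    f"{WINDOW.seconds}s followed by successful login as "
                    f"{ev['user']} on {ev['host']}"
                ),
            })
            window.clear()  # avoid re-alerting on the same burst
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print(incident)
```

Running the script registers one incident (the burst from 203.0.113.7 against srv-web1); the single failure from 198.51.100.9 never reaches the threshold and produces nothing. The record is what the responsible person receives for the decision described above: whether this is really an incident, and if so, with what criticality.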
Information Security Incident Response
Incident response requires urgency and consistency. Let's look at the basic steps required to respond to an incident.
Localization of the Incident
Here, the responsible employees determine the scope of the incident. To do this, the affected resources are identified and measures are taken to limit the further spread of the incident. These measures depend on the characteristics and type of incident: in the event of a malware infection, for example, infected devices are isolated from the network. Users of the affected resources are also notified about the ongoing work.
Identification And Analysis of Consequences
Depending on the characteristics and type of incident, the consequences may include changes to baseline configuration, modified or deleted files, abnormal network activity, and others.
Elimination of Identified Consequences
The final step of the response is to eliminate the negative consequences and restore the affected resources: for example, restoring the baseline configuration, restoring modified or infected files from a known-good backup, changing compromised credentials, and so on.
Information about the affected resources and the measures taken is also recorded in the manner defined by the company.
Analysis of Information Security Incidents
At this stage, evidence is collected and preserved: for example, traffic dumps, malicious code samples, and copies of relevant logs. All of this data is analyzed to investigate the causes of the incident.
The final step is to draw up and implement recommendations for improving the protection system. It is also important to review the actions taken, to prevent the recurrence of incidents and improve the efficiency of future response. If you are interested in checking your company's security system against a SOC 2 report review checklist, we recommend that you contact UnderDefense.
Information Security Incident Response Solutions
The information security incident management process requires considerable resources, time, and people, and the larger the infrastructure, the more of each is required. The process can be simplified with specialized solutions or with organizations providing services in this area. For example, a SIEM system serves as the main tool at the identification stage and, at the other stages, as a means of storing and visualizing incident information. If necessary, and sometimes because of legal requirements, an organization can use the services of a SOC (Security Operations Center) or establish interaction with a CERT (Computer Emergency Response Team).
Information security incident management is one of the fundamental elements of an information security system. A properly built process can significantly reduce the likelihood that incidents recur, as well as the likelihood of new ones. If you are striving to build a complete protection system and need a SOC 2 report review checklist, we recommend that you contact UnderDefense.