In the course of my work, I come across all kinds of companies, but too many have no procedures or methods for managing incidents. So I’m writing this article for them, so that they can get a complete picture of the process and take control of it.


First things first

A security incident is any event, whether accidental or deliberate, that impacts communications or information processing systems.

A security incident is any event or set of circumstances that jeopardizes the confidentiality, integrity or availability of the organization’s information, data or services. This includes unauthorized access, use, disclosure, modification or destruction of data or services used or provided by the company.

The cybersecurity incident management process is the result of a collaborative effort between IT, HR and Legal. The aim of this process is to understand what happened when an incident occurs, to quickly identify potential risks or vulnerabilities that may have been exploited during the incident, and then to take steps to mitigate these risks as far as possible.

To manage an incident effectively, there are three main phases: preparation, response and recovery; in other words, before, during and after!

When preparing for a cybersecurity incident, you need to make sure that your organization has documented its information protection and privacy policies, as well as how it will handle such incidents when they occur.

During the response phase, you need to determine the level of impact of the incident, whether data has been lost and whether systems have been compromised in any way.

The recovery phase involves putting things right, and can include steps such as restoring data, restoring service and repairing any damage.

Definitions

Security incidents: A security incident is any event that contravenes the company’s security policy or a security directive; any event that causes or may cause damage to a company information asset; or any act or omission that causes or may cause a risk to materialize.

Preventive action: a measure taken to eliminate or reduce the likelihood of a particular problem or risk occurring. It can involve changes in policies, procedures or practices, and can be something as simple as training employees on how to protect information.

Corrective action: an action taken to rectify a problem or vulnerability. It may involve changes in policies, procedures or practices.

Tampering: Tampering is the unauthorized access to, unauthorized modification of, or unauthorized and/or inappropriate deletion of computer systems, data and/or software.

An integrity breach can consist of unauthorized access to critical organizational resources, such as system files, programs and data. A breach of integrity is an access channel for another potential attack, such as the theft or loss of sensitive data, as well as being a violation of security policies in its own right.

Who is responsible for what?

Responsibility for managing information security incidents can be divided between different people within an organization. The IT department is often responsible for responding to security incidents, while the Human Resources department is responsible for managing any legal implications.

If the incident is serious, or if it appears that data has been leaked, it can be handled internally or by outside professionals. It’s important to have a plan in place for both scenarios.

If the incident is minor, you may be able to deal with it yourself. This may involve taking corrective action, such as changing passwords or implementing new security measures.

Management: Coordinates operations in the event of major incidents, and participates in coordination meetings so that the necessary decisions can be taken quickly.

Security manager: Investigates the incident and takes steps to prevent it happening again. May also act as Data Privacy Officer (DPO).

Incident Response Team: The Incident Response Team (IRT) is a key component of any organization’s cybersecurity plan. The IRT is responsible for responding to security incidents and includes representatives from different parts of the organization, such as IT, legal, HR and marketing.

The IRT must have clear roles and responsibilities, and be well trained in how to respond to security incidents.

Communications/Marketing/Sales team: act as the focal point for communications between team members and all suppliers, customers or other third parties.

Human resources: Apply disciplinary measures if necessary.

Public relations: Issue a statement to the media and interested parties.

Legal affairs: Collaboration with law enforcement and mandatory reporting if necessary.

The whole team: responsible for reporting incidents as quickly as possible to the security managers.


The 6 steps to managing cyber incidents

Step 1 – Preparation

This stage, prior to any security incident, involves preparing users and teams to manage security incidents when they occur.

It’s important not to wait until a cyber-attack or hacking attempt has occurred before undertaking preparatory work, as cleaning up afterwards is a difficult task and one that we want to avoid.

Plan how your organization will react to various scenarios involving threats such as hacking, malware and social engineering.

Further preparatory measures are required:

  • Staff training and awareness to detect and react to suspected security incidents;
  • Implementation of automatic monitoring tools to help technical teams detect suspicious events;
  • Development of a communications plan, so that the organization can communicate quickly and effectively with team members, customers, suppliers and other third parties;
  • Creation of an incident response manual to guide the team through the response process;
  • Determination of the levels at which an incident can occur, with associated activities such as response times;
  • Checking of backup copies, i.e. confirming that they have been taken and stored on an external site that cannot be modified;
  • Implementation of preventive protection measures appropriate to the organization, such as security software on all systems and event log centralization tools.

Step 2 – Identification

One of the first steps in dealing with a cybersecurity incident is to find out what happened, and confirm that there has indeed been a security incident.

Once an incident is present, the identification stage becomes a continuous process that repeats itself with each new event detected.

This involves gathering information from all relevant sources, including IT, HR and legal. It’s important to gather as much information as possible in the early stages of an incident so that you can make informed decisions about how to proceed afterwards, such as whether the affected systems contain confidential data or personal information.

Do members of the organization need to be made aware of what a security incident is? Which events can be ignored and which require immediate action?

It can be difficult to recognize a security incident. However, there may be indicators of unauthorized activity or signs of abuse.

Here are a few indicators that a security incident has occurred, or is in progress:

  • User login activity, in particular logins by accounts that should be inactive;
  • Excessive or unusual remote access activity. This could include our staff or suppliers;
  • The presence of any unusual activity with regard to programs, suspicious files, or new/unapproved executables and malware (malicious software);
  • Hardware or software recording devices found connected to or installed on systems;
  • Lost or stolen laptops, hard drives or other media containing payment card or other sensitive data;
  • Any complaints from employees or third parties about strange e-mails, phone calls or unexpected visits;
  • Audit reports showing a significant drop in system performance or another unusual anomaly.

Once you have a good understanding of what has happened, you need to decide how to respond. This involves assessing the level of risk associated with the incident, deciding what steps to take to mitigate that risk, and involving the right people in the response team, including the Chief Privacy Officer (CPO).

Step 3 – Containment

As long as an intruder has unauthorized access to a system, that system cannot be trusted and must not be used.

System (or machine) containment is a protective measure applied to prevent the incident spreading to all other systems. For example, containment might involve disconnecting all users of the system concerned, in order to halt its activities and try to find a remedy.

In concrete terms, this stage aims to isolate the affected systems in order to prevent further damage, stop a data leak or avoid compromising the integrity of the information.

The containment steps can be performed iteratively with the detection and analysis phase steps, disconnecting each system discovered to be vulnerable.

Step 4 – Eradication

This stage involves identifying and eliminating the causes of the cybersecurity incident, for example, by taking the affected systems out of production.

Eradication is the removal of enabling elements, such as malicious code, compromised accounts and passwords, or other compromised systems and information. It involves removing corrupted data from affected systems to prevent their use.

The aim of eradication is to permanently remove compromised data and make the system or machine safe.

Step 5 – Recovery

This step is usually carried out in conjunction with the previous eradication step, when we re-initialize the systems to start from scratch and restore data from a previous backup.

Return affected systems to the production environment and monitor them closely.

Step 6 – Lessons learned

This final stage, carried out once the incident has been resolved, consists of documenting and evaluating the event, so that the necessary lessons can be learned.

For example:

  • Identify the vulnerabilities and shortcomings that led to the incident;
  • Determine whether the teams’ ability to manage the security incident has lived up to expectations, and whether additional resources or tools are required;
  • Identify areas for improvement in the organization’s security posture;
  • Document information to enable communication to interested parties such as customers, suppliers or government bodies.

It is important to specify that the stages of information security incident management activities are iterative, and that consequently an organization must constantly make improvements to the way it does things. These improvements are based on lessons learned, incidents that have occurred and vulnerabilities discovered in its environment.


To succeed in today’s cybersecurity landscape, it’s important to have a solid plan of action. The incident management process described above should enable your team to start thinking about the various steps to be taken and the tools required.


A single article cannot cover every aspect of incident management, so here are a few outstanding questions to ponder:

  • What’s the right way for someone inside or outside the organization to report a security weakness or incident?
  • Is there a template for incident reports?
  • How will the evidence collected be preserved and protected over time?
  • How do you define the level of risk associated with a security incident?
  • Does system classification improve risk management?
  • Have people with responsibilities understood their roles?
  • How do you test such an incident management plan?

I’m curious to hear your tips and tricks for implementing a cybersecurity incident management plan!