Guidance

10 Steps: Incident Management

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

All organisations will experience an information security incident at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and reduce any financial impact.

2. What is the risk?

Security incidents are inevitable and they will vary in their business impact. All incidents need to be effectively managed, particularly those that invoke the organisation’s disaster recovery and business continuity plans. Some incidents can, on further analysis, be indicative of more severe underlying problems.

If businesses fail to implement an incident management capability that can detect, manage and analyse security incidents, the following risks could be realised:

A major disruption of business operations

Failure to realise that an incident has occurred and to manage it effectively may compound the impact of the incident, leading to a long-term outage, serious financial loss and erosion of customer confidence.

Continual business disruption

An organisation that fails to address the root cause of incidents by fixing the weaknesses in its corporate security architecture could be exposed to repeated and damaging business disruption.

Legal or regulatory penalties

Where an incident compromises sensitive information that is subject to mandatory reporting controls, failure to adhere to those controls could lead to legal or regulatory penalties.

The organisation’s business profile will determine the type and nature of incidents that may occur and the impact they will have, so a risk-based approach that considers all business processes should be used to shape the incident management plans. In addition, the quality and effectiveness of the security policies and standards applied by the organisation will also contribute to preventing incidents.

3. How can the risk be managed?

3.1 Obtain senior management approval and backing

The organisation’s Board needs to understand the risks and benefits of incident management and provide appropriate funding to resource it and lead the delivery.

3.2 Establish an incident response capability

The organisation should identify the funding and resources to develop, deliver and maintain an organisation-wide incident management capability that can address the full range of incidents that could occur. This capability could be outsourced to a reputable supplier, such as those on the Cyber Incident Response (CIR) scheme. The supporting policy, processes and plans should be risk based and cover any legal and regulatory reporting or data accountability requirements.

3.3 Provide specialist training

The incident response team may need specialist knowledge and expertise across a number of technical (including forensic investigation) and non-technical areas. The organisation should identify recognised sources of specialist incident management training and maintain the organisation’s skill base.

3.4 Define the required roles and responsibilities

The organisation needs to appoint and empower specific individuals (or suppliers) to handle ICT incidents and provide them with clear terms of reference to manage any type of incident that may occur.

3.5 Establish a data recovery capability

Data losses occur, so a systematic approach to the backup of the corporate information asset base should be implemented. Backup media should be held in a physically secure location, both on-site and, wherever possible, off-site, and the ability to recover archived data for operational use should be regularly tested.
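The restore test this step calls for is the part most often skipped: a backup that has never been restored is an assumption, not a capability. The following Python script is an added example, not code from CESG or the original guidance. It takes a hash manifest of a directory at backup time, writes a tar archive, restores it into a scratch location and reports any file that is missing, altered or unexpected. The directory layout, file contents and function names are all constructed for the example.

```python
"""Restore drill: back up a directory, restore it into scratch space and verify
every file by SHA-256 against the manifest taken at backup time.
Added example with constructed sample data; paths and names are assumptions."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterator


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tar of source and return the manifest to keep beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def safe_members(tar: tarfile.TarFile) -> Iterator[tarfile.TarInfo]:
    """Refuse archive members that would escape the restore directory."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts:
            raise ValueError(f"unsafe member in archive: {member.name}")
        yield member


def restore_drill(archive: Path, manifest: Dict[str, str]) -> dict:
    """Restore into a fresh temporary directory and compare with the manifest.
    Returns an ok flag plus the lists of missing, corrupted and unexpected files."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, members=safe_members(tar))
        restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest
                       if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or unexpected or corrupted), "missing": missing,
            "unexpected": unexpected, "corrupted": corrupted}


def run_demo() -> dict:
    """Constructed sample data: two files, a backup, then two restore drills."""
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        src = work_dir / "crm-data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,balance\n1,100\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        archive = work_dir / "crm-data.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_drill(archive, manifest)
        # Simulate a manifest that no longer matches the archive (constructed drift).
        stale = dict(manifest, **{"config.ini": "0" * 64})
        drift = restore_drill(archive, stale)
    return {"clean": clean, "drift": drift}


if __name__ == "__main__":
    print(run_demo())
```

In a real drill the manifest is stored separately from the archive (for example with the off-site copy's inventory), so that a backup silently truncated in transit or on the media is caught by the hash comparison rather than by the first user who needs the file back. Scheduling `restore_drill` on a sample of archives each month gives the evidence that step 3.6 asks for when the plans are tested.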

3.6 Test the incident management plans

All plans supporting security incident management (including Disaster Recovery and Business Continuity) should be regularly tested. The outcome of the tests should be used to inform the development and gauge the effectiveness of the incident management plans.

3.7 Decide what information will be shared and with whom

For information bound by specific legal and regulatory requirements the organisation may have to report any incidents that affect the status of that information within a specific timeframe. All internal and external reporting requirements should be clearly identified in the Incident Management Plans.

3.8 Collect and analyse post-incident evidence

The preservation and analysis of the user or network activity that led up to the event is critical to identifying and remedying the root cause of an incident. The collected evidence could potentially support any follow-on disciplinary or legal action, so the incident management policy needs to set out clear guidelines to follow that comply with a recognised code of practice.
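Evidence that may later be relied upon in disciplinary or legal action has to be shown to be unchanged since collection, and the record of who held it has to be equally tamper-evident. The following Python example is added here and is not code from CESG or the original guidance; it hashes each artefact at acquisition, keeps a chain-of-custody log of acquisitions and handovers, and seals the whole record with an HMAC under a key held by the evidence custodian. The case identifier, artefact contents, analyst names and the seal key are constructed placeholders, and how the key is stored is an assumption outside the example.

```python
"""Evidence preservation: per-artefact SHA-256 at acquisition, a custody log,
and an HMAC seal over the record so that edits to either the artefacts or the
record itself are detectable. Added example with constructed artefacts."""
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(record: dict) -> str:
    """Deterministic JSON so the same record always seals to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class EvidenceManifest:
    """Acquired artefacts plus a chain-of-custody log, sealed with HMAC-SHA256.
    Key handling (who holds seal_key, where it lives) is an assumption here."""

    def __init__(self, case_id: str, seal_key: bytes):
        self.case_id = case_id
        self._key = seal_key
        self.items = []
        self.custody = []

    def _log(self, event: str, **fields) -> None:
        entry = {"event": event, "at": datetime.now(timezone.utc).isoformat()}
        entry.update(fields)
        self.custody.append(entry)

    def acquire(self, label: str, path: Path, collected_by: str, description: str) -> str:
        """Hash the artefact at the moment of collection and log who took it."""
        digest = sha256_file(path)
        self.items.append({"label": label, "path": str(path),
                           "sha256": digest, "description": description})
        self._log("acquired", label=label, by=collected_by, sha256=digest)
        return digest

    def transfer(self, label: str, from_person: str, to_person: str, reason: str) -> None:
        """Record a handover; every holder appears in the custody log."""
        self._log("transferred", label=label, from_person=from_person,
                  to_person=to_person, reason=reason)

    def _body(self) -> dict:
        return {"case_id": self.case_id, "items": self.items, "custody": self.custody}

    def export(self) -> str:
        """Serialise the record with an HMAC seal computed over its canonical form."""
        seal = hmac.new(self._key, canonical(self._body()).encode(), "sha256").hexdigest()
        return json.dumps({"record": self._body(), "seal": seal})


def verify(exported: str, seal_key: bytes) -> dict:
    """Check the seal over the record, then re-hash every listed artefact."""
    doc = json.loads(exported)
    expected = hmac.new(seal_key, canonical(doc["record"]).encode(), "sha256").hexdigest()
    seal_ok = hmac.compare_digest(expected, doc["seal"])
    missing, mismatched = [], []
    for item in doc["record"]["items"]:
        p = Path(item["path"])
        if not p.exists():
            missing.append(item["label"])
        elif sha256_file(p) != item["sha256"]:
            mismatched.append(item["label"])
    return {"seal_ok": seal_ok, "missing": missing, "mismatched": mismatched}


def run_demo() -> dict:
    """Constructed artefacts in scratch space; returns three verification results."""
    key = b"custodian-seal-key-placeholder"  # placeholder; a real key is not kept in code
    with tempfile.TemporaryDirectory() as work:
        store = Path(work)
        auth_log = store / "auth.log"
        auth_log.write_text("Jan 12 03:14:07 web1 sshd[812]: Accepted password "
                            "for svc_backup from 10.0.5.23 port 51822 ssh2\n")
        ps_list = store / "ps.txt"
        ps_list.write_text("PID  CMD\n812  sshd\n913  /tmp/.x/run\n")
        m = EvidenceManifest("INC-0001-constructed", key)
        m.acquire("auth.log", auth_log, "analyst_a", "SSH auth log from web1")
        m.acquire("ps.txt", ps_list, "analyst_a", "process list from web1")
        m.transfer("auth.log", "analyst_a", "analyst_b", "handover for analysis")
        exported = m.export()
        clean = verify(exported, key)
        auth_log.write_text("")                      # artefact altered after collection
        after_edit = verify(exported, key)
        doc = json.loads(exported)
        doc["record"]["custody"] = []                # record edited without resealing
        after_tamper = verify(json.dumps(doc), key)
    return {"clean": clean, "after_edit": after_edit, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(run_demo())
```

The two failure cases matter for different reasons: a changed artefact (`after_edit`) means the analysis may have been done on something other than what was collected, while a broken seal (`after_tamper`) means the custody record itself cannot be trusted. Both should be reported in the incident log required by step 3.9, and the seal key should be held by someone other than the analysts handling the artefacts, otherwise the seal proves little.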

3.9 Conduct a lessons learned review

Log the actions taken during an incident and review the performance of the incident management process post incident (or following a test) to see what aspects worked well and what could be improved. Review the organisational response and update any related security policy, process or user training that could have prevented the incident from occurring.

3.10 Educate users and maintain their awareness

All users should be made aware of their responsibilities and the procedures they should follow to report and respond to an incident. Equally, all users should be encouraged to report any security weaknesses or incident as soon as possible and without fear of recrimination.

3.11 Report criminal incidents to Law Enforcement

It is important that online crimes are reported to Action Fraud or the relevant law enforcement agency to build a clearer view of the national threat picture and deliver an appropriate response.