16:5
INCIDENT RESPONSE MANAGEMENT
To minimize damage from security incidents, and to recover and learn from such incidents, a formal incident response capability should be established. The incident response capability should be coordinated or centralized, with key roles and responsibilities established. This should include:
• A coordinator who acts as the liaison to business process owners
• A director who oversees the incident response capability
• Managers who manage individual incidents
• Security specialists who detect, investigate, contain and recover from incidents
• Non-security technical specialists who provide assistance based on subject matter expertise
• Business unit leader liaisons (legal, human resources, public relations, etc.)
Establishing this process makes employees and contractors aware of the procedures for reporting the different types of incidents (e.g., security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.
The organization should also establish a formal disciplinary process for dealing with those who commit security breaches, whether employees or third parties.
Incident management processes should include vulnerability management practices.
Post-incident review phase >> vulnerabilities not addressed >> input provided for improvement of policies and procedures.
Analyzing the cause of incidents may also reveal errors in the risk analysis.
CSIRT (computer security incident response team)
Ideally, an organizational computer security incident response team (CSIRT) or CERT should be formed with clear lines of reporting, and responsibilities for standby support should be established. The CSIRT acts as an efficient detective and corrective control.
What the CSIRT does:
• Disseminates security alerts, such as recent threats, security guidelines and security updates, to users, and assists them in understanding the security risk of errors and omissions
• Acts as the single point of contact for all incidents and issues related to information security
• Responds to abuse reports pertaining to the network of its constituency
The IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigating the risk arising from security failures, and also in preventing security incidents.
The IS auditor should also ensure that a formal, documented plan exists and that it contains vulnerability identification, reporting, and incident response procedures for common security-related threats/issues, such as:
• Virus outbreak
• Web defacement (an attack on a website that changes the visual appearance of the website or a web page)
• Unauthorized access alert from audit trails
• Security attack alerts from intrusion detection systems (IDSs)
• Hardware/software theft
• System root compromises
• Physical security breach
• Spyware/malware/Trojans detected on personal computers (PCs)
• Fake defamatory information in media, including on websites
• Forensic investigations
• Abuse notification