T8.1 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
OBJECTIVE:
To maintain an information security incident management policy covering the information security incident procedures covering the detection, reporting and treatment of incidents
PERFORMANCE INDICATOR:
Extent of information security incident management policy deployment and adoption across the entity
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable or outdated information security incident management policy
- Unawareness of information security incident management policy
APPLICABLE CONTROLS
Followings are controls applicable for this control family.
T8.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
OBJECTIVE
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
PERFORMANCE INDICATOR
Percentage of security incidents that met reporting thresholds, were reported within specified timeframes, and were classified according to the incident classification policy.
AUTOMATION GUIDANCE
Incident management and tracking solutions should be considered. They can be very helpful to support teamwork, in particular in large entities. They are also useful for trend analysis and to support management with analysis of threats and of incident impact.
RELEVANT THREATS AND VULNERABILITIES
- Lack of incident response training
- Inappropriate incident response testing procedures
APPLICABLE CONTROLS
Followings are controls applicable for this control family.
- T8.2.1 - P2 - INCIDENT RESPONSE PLAN
- T8.2.2 - P2 - COMPUTER SECURITY INCIDENT RESPONSE TEAM
- T8.2.3 - P4 - INCIDENT CLASSIFICATION
- T8.2.4 - P4 - INCIDENT RESPONSE TRAINING
- T8.2.5 - P4 - INCIDENT RESPONSE TESTING
- T8.2.6 - P4 - INCIDENT RESPONSE ASSISTANCE
- T2.8.7 - P4 - INFORMATION SECURITY INCIDENT DOCUMENTATION
- T8.2.8 - P4 - LEARNING FROM INFORMATION SECURITY INCIDENTS
- T8.2.9 - P4 - COLLECTION OF EVIDENCE
T8.3 INFORMATION SECURITY EVENTS AND WEAKNESSES REPORTING
OBJECTIVE
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
PERFORMANCE INDICATOR
Percentage of information security incidents reported within the required time frame per applicable incident category as defined in the information security incident management policy.
AUTOMATION GUIDANCE
For an automated identification of weaknesses, a large number of vulnerability scanning tools are available. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities in multiple departments of an entity or even across entities, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF.
Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. The frequency of scanning activities, however, should increase as the diversity of an entity’s systems increases to account for the varying patch cycles of each vendor.
Also, event log collectors and incident management systems should be considered. These technologies provide log collection, normalization, correlation and analysis: they can be very helpful both to detect incidents in their early stages and to investigate incidents.
RELEVANT THREATS AND VULNERABILITIES
- Leakage of reported weaknesses
- Unsuitable reporting procedures
APPLICABLE CONTROLS
Followings are controls applicable for this control family.
