T8.2.8 - LEARNING FROM INFORMATION SECURITY INCIDENTS Implementation Guidance
The entity shall institutionalize the learning from information security incidents.
There should be mechanisms in place to enable the types, volumes, costs, and impacts of information security incidents to be quantified and monitored. The information gained from evaluating information security incidents should be used to identify recurring or high-impact incidents and to inform risk assessment and risk treatment activities.
Investigations based on information distributed by an information sharing community should be performed to reduce the risks of similar incidents and to develop a better understanding of the risks facing the community and any related significant information infrastructures. Such investigations could be performed by the community members involved or by a supporting entity, if one exists.
Following reported incidents, post-incident reviews should be performed by members of the information sharing community to trigger updates to security incident response plans, related procedures and the business risk profile, and the implementation of additional controls, even if the member was not affected by the incident in question. Each member should ensure that reported incident responses are assessed and that any lessons or possible improvements to the member's own processes are identified and acted upon, so as to continuously improve its own response processes.