T8.1 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
OBJECTIVE
To maintain an information security incident management policy that covers the incident management procedures for the detection, reporting and treatment of incidents
PERFORMANCE INDICATOR
Extent of information security incident management policy deployment and adoption across the entity
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Unsuitable or outdated information security incident management policy
- Unawareness of information security incident management policy
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T8.2 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
OBJECTIVE
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
PERFORMANCE INDICATOR
Percentage of security incidents that met reporting thresholds, were reported within specified timeframes, and were classified according to the incident classification policy.
AUTOMATION GUIDANCE
Incident management and tracking solutions should be considered. They can be very helpful to support teamwork, in particular in large entities. They are also useful for trend analysis and to support management with analysis of threats and of incident impact.
RELEVANT THREATS AND VULNERABILITIES
- Lack of incident response training
- Inappropriate incident response testing procedures
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T8.2.1 - P2 - INCIDENT RESPONSE PLAN
- T8.2.2 - P2 - COMPUTER SECURITY INCIDENT RESPONSE TEAM
- T8.2.3 - P4 - INCIDENT CLASSIFICATION
- T8.2.4 - P4 - INCIDENT RESPONSE TRAINING
- T8.2.5 - P4 - INCIDENT RESPONSE TESTING
- T8.2.6 - P4 - INCIDENT RESPONSE ASSISTANCE
- T8.2.7 - P4 - INFORMATION SECURITY INCIDENT DOCUMENTATION
- T8.2.8 - P4 - LEARNING FROM INFORMATION SECURITY INCIDENTS
- T8.2.9 - P4 - COLLECTION OF EVIDENCE
T8.3 INFORMATION SECURITY EVENTS AND WEAKNESSES REPORTING
OBJECTIVE
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
PERFORMANCE INDICATOR
Percentage of information security incidents reported within the required time frame per applicable incident category as defined in the information security incident management policy.
AUTOMATION GUIDANCE
For an automated identification of weaknesses, a large number of vulnerability scanning tools are available. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities in multiple departments of an entity or even across entities, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF.
Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. The frequency of scanning activities, however, should increase as the diversity of an entity’s systems increases to account for the varying patch cycles of each vendor.
Also, event log collectors and incident management systems should be considered. These technologies provide log collection, normalization, correlation and analysis: they can be very helpful both to detect incidents in their early stages and to investigate incidents.
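As an added illustration of the normalization and correlation the guidance above calls for (this is example code, not part of the standard or of any scanner product), the script below ingests two constructed scanner exports that use different field names, maps each finding onto a common record keyed by asset and CVE, attaches the CVSS v3 qualitative severity band, and lists the findings that exceed an assumed reporting threshold. The CVE identifiers, host names, CPE strings and field names are placeholders invented for the example.

```python
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample exports (placeholder data, not real scanner output).
# Scanner "A" emits JSON, scanner "B" emits CSV; both report on the same hosts
# but use different field names, which is what normalization has to bridge.
SCANNER_A_JSON = json.dumps([
    {"host": "web01.example.test", "cve": "CVE-0000-0001", "cvss3": 9.8,
     "cpe": "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"},
    {"host": "web01.example.test", "cve": "CVE-0000-0002", "cvss3": 5.3,
     "cpe": "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"},
    {"host": "db01.example.test", "cve": "CVE-0000-0003", "cvss3": 7.5,
     "cpe": "cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:*"},
])
SCANNER_B_CSV = (
    "hostname,vuln_id,score,platform\n"
    "web01.example.test,CVE-0000-0001,9.1,cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*\n"
    "db01.example.test,CVE-0000-0004,3.1,cpe:2.3:a:example:dbms:4.2:*:*:*:*:*:*:*\n"
)


@dataclass(frozen=True)
class Finding:
    """One normalized finding, regardless of which scanner produced it."""
    asset: str
    cve: str
    cvss: float
    cpe: str
    source: str


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_scanner_a(text: str) -> list[Finding]:
    return [Finding(r["host"], r["cve"], float(r["cvss3"]), r["cpe"], "A")
            for r in json.loads(text)]


def parse_scanner_b(text: str) -> list[Finding]:
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["hostname"], r["vuln_id"], float(r["score"]), r["platform"], "B")
            for r in rows]


def correlate(findings: list[Finding]) -> list[dict]:
    """Merge findings into one record per (asset, CVE): keep the highest CVSS
    any scanner reported and remember which scanners observed it."""
    merged: dict[tuple[str, str], dict] = {}
    for f in findings:
        key = (f.asset, f.cve)
        rec = merged.get(key)
        if rec is None:
            merged[key] = {"asset": f.asset, "cve": f.cve, "cvss": f.cvss,
                           "cpe": f.cpe, "sources": {f.source}}
        else:
            rec["cvss"] = max(rec["cvss"], f.cvss)
            rec["sources"].add(f.source)
    for rec in merged.values():
        rec["severity"] = cvss_band(rec["cvss"])
    # Highest severity first so the reporting queue is ordered by risk.
    return sorted(merged.values(), key=lambda r: (-r["cvss"], r["asset"], r["cve"]))


def reportable(records: list[dict], min_score: float = 7.0) -> list[dict]:
    """Findings at or above the (assumed) reporting threshold of CVSS 7.0."""
    return [r for r in records if r["cvss"] >= min_score]


def run() -> tuple[list[dict], list[dict]]:
    findings = parse_scanner_a(SCANNER_A_JSON) + parse_scanner_b(SCANNER_B_CSV)
    records = correlate(findings)
    return records, reportable(records)


if __name__ == "__main__":
    all_records, to_report = run()
    for r in all_records:
        print(f'{r["asset"]:20} {r["cve"]:14} {r["cvss"]:4} {r["severity"]:8} '
              f'seen by {",".join(sorted(r["sources"]))}')
    print(f"{len(to_report)} of {len(all_records)} findings meet the reporting threshold")
```

Keying on asset plus CVE is what lets two scanners' views of the same weakness collapse into one reportable item, and keeping the maximum score is a conservative choice when scanners disagree; in a real deployment the threshold and the field mappings come from the entity's incident classification policy rather than being hard-coded.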
RELEVANT THREATS AND VULNERABILITIES
- Leakage of reported weaknesses
- Unsuitable reporting procedures
APPLICABLE CONTROLS
The following controls are applicable to this control family.