In this blog, let us discuss the fourth domain of ISACA’s CISM, Information Security Incident Management.
Before jumping into incident management, let us first discuss what a security incident actually is and why security incidents occur. Then we will move on to the Security Incident Management process and its best practices. So go through this blog thoroughly to understand Security Incident Management.
An information security incident is a successful, attempted, imminent, or suspected threat of an unauthorized breach, access, destruction, disclosure, or modification of information.
In simple terms, an incident is an event that compromises the confidentiality, integrity, and availability of an information asset.
Why do security incidents occur?
There are many reasons why security incidents occur, but here are a few very common ones:
Social Engineering: Social engineering is a very common attack style used by many cyber attackers. It is widespread because an attacker needs only a few simple steps to get into the target system: a convincing malicious email, or simply standing beside the target while they enter their password. If we are not careful when clicking email links and entering passwords in public places, this may be the biggest reason why incidents occur.
Too many permissions: If you don’t limit who can access what in your organization, you are handing the attacker the most valuable gift. Once too many irrelevant permissions are granted to all employees and users, a hacker who compromises any one of those accounts can masquerade as a legitimate user and exploit your organization’s information.
Malware: Malware, both direct and indirect, is becoming more popular. Malware is harmful software installed without the user’s knowledge that allows an attacker to exploit the system and possibly other linked systems.
So be wary of websites that aren’t what they appear to be and of emails from senders you don’t know, since these are common ways for malware to propagate.
Insider threats: “Keep your friends close and your enemies closer” is an apt motto these days. Rogue employees, disgruntled contractors, or simply those not bright enough to know better already have access to your data. What would keep them from stealing it, modifying it, or copying it? I think nothing. So, be aware of who you are dealing with, act quickly when something goes wrong, and make sure that every procedure and process is backed up with training.
We can now take a closer look at the definition of Security Incident Management.
Security Incident Management: The process of recognizing, monitoring, documenting, and evaluating security risks or occurrences in real time is known as security incident management. It aims to provide a thorough analysis of any security vulnerabilities that may arise in an IT system. An active threat, an attempted intrusion, a successful penetration, and a data leak are all examples of security incidents.
Information Security Incident Management process
As the volume and sophistication of cyber threats rise, organizations must adopt practices that will help them identify, respond to, and mitigate cyber incidents, become more resilient, and protect themselves from future attacks.
Managing security incidents involves appliances, software systems, and human investigators. In general, an incident is handled by alerting the incident response team. After investigating the incident, the responders assess the damage and develop a mitigation plan.
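To make the definition above concrete (recognize, monitor, document, evaluate, and then alert the response team), here is an added example that is not part of the original blog. It runs a simple detection rule over constructed authentication log lines, documents each hit as an incident record with a timeline, assigns a severity, and produces the alert text a responder would receive. The log format, the failure threshold, the two-minute window, and the severity rule are all assumptions made for this example.

```python
"""Minimal incident-management pipeline (added example, not from the blog).

Recognize  -> a burst of failed logins for one (user, source IP) in a window
Document   -> an Incident record with a timeline of what was observed
Evaluate   -> a severity rating (rule assumed for this example)
Alert      -> a one-line message for the incident response team
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:05 alice LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:09 alice LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:12 alice LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:15 alice LOGIN_FAIL 203.0.113.10
2024-03-01T09:00:20 alice LOGIN_OK 203.0.113.10
2024-03-01T09:05:00 bob LOGIN_OK 198.51.100.7
2024-03-01T09:06:00 carol LOGIN_FAIL 198.51.100.8
2024-03-01T09:06:30 carol LOGIN_OK 198.51.100.8
"""

FAIL_THRESHOLD = 5              # assumed: failures that make a burst suspicious
WINDOW = timedelta(minutes=2)   # assumed: sliding window for the burst


@dataclass
class Incident:
    """Documentation of one recognized incident."""
    user: str
    source_ip: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    succeeded: bool              # a login succeeded right after the burst
    severity: str = "unknown"
    timeline: list = field(default_factory=list)


def parse_log(text):
    """Turn raw log lines into (timestamp, user, outcome, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, ip))
    return events


def recognize(events):
    """Recognize bursts of >= FAIL_THRESHOLD failures per (user, ip) inside WINDOW."""
    incidents = {}
    recent = {}  # (user, ip) -> failure timestamps still inside the window
    for ts, user, outcome, ip in events:
        key = (user, ip)
        fails = [t for t in recent.get(key, []) if ts - t <= WINDOW]
        if outcome == "LOGIN_FAIL":
            fails.append(ts)
            recent[key] = fails
            if len(fails) >= FAIL_THRESHOLD:
                inc = incidents.get(key)
                if inc is None:
                    inc = Incident(user, ip, fails[0], ts, len(fails), False)
                    incidents[key] = inc
                inc.last_seen = ts
                inc.failures = len(fails)
                inc.timeline.append(f"{ts.isoformat()} failure #{len(fails)}")
        else:
            recent[key] = fails
            inc = incidents.get(key)
            # A success shortly after a burst is the signal a responder cares about most.
            if inc is not None and ts - inc.last_seen <= WINDOW:
                inc.succeeded = True
                inc.last_seen = ts
                inc.timeline.append(f"{ts.isoformat()} successful login after burst")
    return list(incidents.values())


def evaluate(inc):
    """Evaluate severity. Rule assumed for this example, not from any standard."""
    if inc.succeeded:
        inc.severity = "high"       # possible account compromise
    elif inc.failures >= 2 * FAIL_THRESHOLD:
        inc.severity = "medium"     # sustained guessing, no success observed
    else:
        inc.severity = "low"
    return inc.severity


def triage(text):
    """Full pipeline: parse, recognize, evaluate; returns incidents oldest first."""
    incidents = recognize(parse_log(text))
    for inc in incidents:
        evaluate(inc)
    return sorted(incidents, key=lambda i: i.first_seen)


def alert_message(inc):
    """The line handed to the incident response team."""
    return (f"[{inc.severity.upper()}] user={inc.user} src={inc.source_ip} "
            f"failures={inc.failures} success_after_burst={inc.succeeded}")


if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(alert_message(inc))
        for entry in inc.timeline:
            print("  ", entry)
```

Running it on the constructed log yields one high-severity incident for alice (five failures followed by a success from the same address), while bob's clean login and carol's single failure produce nothing. The timeline kept on each record is the "documenting" part of the definition: it is what the responders start from when they investigate and assess the damage.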
A multifaceted strategy for security incident management must be implemented to ensure the IT environment is truly secure. According to ISO/IEC 27035, a security incident should be managed by following a five-step process: