What makes a security incident?
Over the last couple of days, I have been having some discussions with colleagues about questions such as "What is an incident?" and "When is an incident a security incident?"
We came up with the following set of rules-of-thumb:
1. If you know or suspect that the incident was caused intentionally, it is a security incident.
2. If you know or suspect that the incident affects your countermeasures or security control systems, it is a security incident.
3. If you know or suspect that the incident constitutes a breach of compliance (e.g., a criminal act or a breach of corporate security policy, standards, guidelines or procedures), it is a security incident.
4. And finally, since the customer is always right, when a customer or other relevant party requests that the incident be handled as a security incident, it is to be treated as such.
While these guidelines can be useful in narrowing the focus from an incident to a security incident, they still do not answer the question of what an incident really is.