Incident Management
Sometimes the stars are aligned so poorly that they only thing that might work is sacrificing a chicken. Since most of us are not in the habit of doing that, we will be confronted with situations were things turn for the worse. When the proverbial excrements hit the fan, it is important to know what your role is. Do we need to play an active role, or do we need to step back and let the professionals handle the situation? The answer is probably somewhere in the middle.
When organizations create the position of an information security
officer, it is often unclear what his responsibilities are. More than
likely, information security policy is one of them. Policy is
something that most of us understand, at least to a certain extent.
Another responsibility that is often assigned to the information
security officer is incident management.
Incident management is harder to understand. For example, before an
incident can be managed, it needs to be clear when an event turns into
an incident. Hopefully, the information security officer has an
incident response plan in place, or at least thought about the incident
management process ahead of time.
When an incident occurs, people are involved and guilt often manifests
itself. If a machine gets hacked, a system administrator often takes it
as a personal affront. When information gets disclosed, the finger
probably points into the direction of the information security
officer's policies.
When an organization suffers from a hardware failure, things are often
not so clear-cut. Is a hardware failure a security incident?
Some will argue that it is. Information security is often defined as
being the aggregation of Availability, Integrity and Confidentiality of
information and/or information systems. Hardware failure most often
leads to an interruption of availability, and in that case, should be
considered a security incident, and all security incidents must be
managed.
However, how much value can an information security officer who is
typically trained in mitigating vulnerabilities, detecting deliberate
attacks, and containing the effects of a compromised machines provide
in such an incident?
In my opinion, he can prove a lot of value.
Draw the parallel to the way that, for example, police departments work.
The police dispatcher is an incident manager. The dispatch process is
geared to incident response. It collects report (911 calls, etc.),
assesses the credibility of each report and assesses the potential
impact, assigns a priority to the event, determines which units to
deploy, and how to deploy them. Then, the dispatcher sits back, records
in which way his units respond. Then, he waits to see if additional
resources need to be brought in to contain the problem.
This is exactly what any incident manager should do.
In case of hardware failure, he should be notified so he can help to
assess the potential impact of the outage. Next, he can play a
facilitating role. The incident manager can preserve a time line, he
can contact senior management and customer services to inform them of
the effects of the outage, and reassure them that the problem is being addressed.
The incident manager can also attempt to activate temporary workarounds in case a service gets interrupted.
In addition, if the restoration team need anything, such as additional
hardware, extra people, pizza or coffee, he can make that happen. At
worst, he can just be there to be supportive of the people doing the
recovery, or give them an ear to vent to.
By taking this approach, the restoration team can do what it is good
at, without having to worry about the rest. The incident manager can do
just that; manage the incident so that service can be restored and all
processes can resume.
When organizations create the position of an information security
officer, it is often unclear what his responsibilities are. More than
likely, information security policy is one of them. Policy is
something that most of us understand, at least to a certain extent.
Another responsibility that is often assigned to the information
security officer is incident management.
Incident management is harder to understand. For example, before an
incident can be managed, it needs to be clear when an event turns into
an incident. Hopefully, the information security officer has an
incident response plan in place, or at least thought about the incident
management process ahead of time.
When an incident occurs, people are involved and guilt often manifests
itself. If a machine gets hacked, a system administrator often takes it
as a personal affront. When information gets disclosed, the finger
probably points into the direction of the information security
officer's policies.
When an organization suffers from a hardware failure, things are often
not so clear-cut. Is a hardware failure a security incident?
Some will argue that it is. Information security is often defined as
being the aggregation of Availability, Integrity and Confidentiality of
information and/or information systems. Hardware failure most often
leads to an interruption of availability, and in that case, should be
considered a security incident, and all security incidents must be
managed.
However, how much value can an information security officer who is
typically trained in mitigating vulnerabilities, detecting deliberate
attacks, and containing the effects of a compromised machines provide
in such an incident?
In my opinion, he can prove a lot of value.
Draw the parallel to the way that, for example, police departments work.
The police dispatcher is an incident manager. The dispatch process is
geared to incident response. It collects report (911 calls, etc.),
assesses the credibility of each report and assesses the potential
impact, assigns a priority to the event, determines which units to
deploy, and how to deploy them. Then, the dispatcher sits back, records
in which way his units respond. Then, he waits to see if additional
resources need to be brought in to contain the problem.
This is exactly what any incident manager should do.
In case of hardware failure, he should be notified so he can help to
assess the potential impact of the outage. Next, he can play a
facilitating role. The incident manager can preserve a time line, he
can contact senior management and customer services to inform them of
the effects of the outage, and reassure them that the problem is being addressed.
The incident manager can also attempt to activate temporary workarounds in case a service gets interrupted.
In addition, if the restoration team need anything, such as additional
hardware, extra people, pizza or coffee, he can make that happen. At
worst, he can just be there to be supportive of the people doing the
recovery, or give them an ear to vent to.
By taking this approach, the restoration team can do what it is good
at, without having to worry about the rest. The incident manager can do
just that; manage the incident so that service can be restored and all
processes can resume.