Rimici “ONE Source” Cloud Security Incident Management


Introduction

Significant evolution in technology has enabled businesses to change the way they handle and manage information. Whether it is the advancement of mobile devices, the use of cloud services or virtualization, it is important for information security professionals to also take care of the basics. Recent events have demonstrated that while it is important for enterprises to have preventive measures in place to avoid security incidents, it is equally important that there be a robust, practiced response should an incident occur. An enterprise’s ability to detect, react and respond to security incidents in a fast, planned and coordinated fashion is important to the resilience and success of the enterprise.

What Is Incident Management and Response?

Incident management is defined as the “capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits.”

A viable incident management capability requires the allocation of human and material resources to support business operations, to assure continuity of the minimum Rimici Secure Cloud operations and to contain security breaches in accordance with the Rimici Secure Cloud risk strategy.

Incident management involves all of the actions taken prior to (including testing and planning), during, and after an information security incident occurs. The actions taken should be designed to mitigate the impact of an incident with the following goals in mind:

  • Provide an effective means of addressing the situation in such a way that it minimizes the impact to the enterprise.
  • Provide management with sufficient information to decide on appropriate courses of action.
  • Maintain or restore continuity of Rimici Secure Cloud services.
  • Provide a defense against subsequent attacks.
  • Provide additional deterrence through the use of technology, investigation and prosecution.

Rimici “ONE Source” Incident Management Life Cycle Phases

Each phase of the life cycle is listed below with its activities.

Planning and preparation

  • Creating policies, acquiring management support, developing user awareness, building a response capability
  • Conducting research and development
  • Building checklists and acquiring necessary tools
  • Developing a communication plan and awareness training

Detection, triage and investigation

  • Defining events vs. incidents and notification process
  • Detecting and validating incidents
  • Prioritizing and rating incidents
  • Implementing intrusion detection systems (IDSs), intrusion prevention systems (IPSs) and security information and event management (SIEM)
  • Utilizing anti-malware and vulnerability management systems
  • Conducting and participating in global incident awareness, e.g., CERT
  • Conducting log and audit analysis

Containment, analysis, tracking and recovery

  • Executing containment strategy for various incidents
  • Performing forensic analysis according to evidence-handling processes
  • Executing recovery procedures in line with the Rimici Secure Cloud business continuity plans (BCPs) and disaster recovery plans (DRPs)
  • Determining the source of the incident
  • Post-incident assessment
  • Conducting a postmortem that answers:
    1. Exactly what happened, and at what times?
    2. How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
    3. What corrective actions can prevent similar incidents in the future?
  • Reporting on incident management-related metrics, e.g., mean time to incident discovery, cost of recovery
  • Providing feedback on lessons learned

Incident closure

  • Conducting incident response postmortem analysis
  • Submitting reports to management and stakeholders

Compliance

External and internal business stakeholders are demanding more transparency into system and application access activities. These include regulators who monitor and report on access to key financial data and consumer personal information, along with internal and external auditors who assess the effectiveness of security and financial controls and processes within the enterprise. In addition, risk management activities may require the collection of security event and incident information as part of status and scorecard reporting to Rimici Secure Cloud management. Operational considerations require the consolidation of disparate event and incident monitoring capabilities and the improvement of operational efficiency.
The implementation of a successful incident management program can improve the efficiency and effectiveness of the enterprise’s logging, monitoring and reporting capabilities, and thus help address the overall Rimici Secure Cloud IT compliance and risk management objectives.

Business Benefits of an Effective Incident Management and Response Capability

Incident management is tied to the principal Rimici Secure Cloud goals for information security: preserving the confidentiality, integrity and availability of Rimici Secure Cloud information assets. Employing a systematic incident management program that utilizes a formal methodology offers several benefits to Rimici Secure Cloud, such as:

  • Providing a structured, logical approach to use in situations that are usually chaotic
  • Increasing the efficiency of dealing with an incident, which reduces the impact on Rimici Secure Cloud from both financial and human resources (HR) perspectives
  • Breaking down an incident into smaller, more manageable phases or stages that can be addressed in a logical manner
  • Providing evidence of due diligence and forethought that may become significant should legal and liability issues arise following an incident.

This is particularly true when dealing with disclosure regulations and compliance with laws.
An effective incident management program provides a means of dealing with unexpected circumstances in such a way as to minimize impact to the enterprise. It also provides management with sufficient information on which to base an appropriate course of action. Creating an interdisciplinary incident response team that is drawn from all parts of the Rimici Secure Cloud and is educated and prepared to respond to events such as social engineering attacks is a key component of a comprehensive incident management program.
Especially significant is the fact that a robust incident management program as a stand-alone component of the overall BCP can enhance the enterprise’s competitive position through greater security awareness, improved defenses and effective, resilient responses to events with negative impacts to the enterprise.