A.16 Information Security Incident Management
In this video, we will cover an understanding of control set A.16,
the controls it contains,
what these controls mean,
and some example evidence that you can use to relate these controls to your ISMS.
Control set A.16, Information Security Incident Management,
consists of one control area.
This control area is A.16.1, Management of information security incidents and improvements.
This consists of seven controls.
Let's take a look at those controls.
The first control is A.16.1.1, Responsibilities and procedures.
It is important to establish
responsibilities and procedures
with regard to incident management
to ensure a quick, effective and orderly response to information security incidents.
Your evidence for this will most likely be your incident response procedure.
The second control is A.16.1.2,
Reporting information security events.
It is important to establish the channels
through which information security events can be reported,
as well as the detection of information security events through monitoring tools such as a security operations centre,
a SIEM solution and so forth.
It is important that these incidents and events
are reported as quickly as possible.
This lessens the window in which an incident or event is active,
and can also help to reduce the potential spread
or damage caused by the incident.
The third control is A.16.1.3, Reporting information security weaknesses.
Your employees and any contractors who make use of your organization's information systems and services
must understand that they are required to note and report any observed or suspected information security weaknesses.
These are the people working with the controls and systems on a day-to-day basis,
so they are often your first line to detect when something is not going as it should.
Make sure that they understand why they need to identify and report instances like this,
and also ensure that they know and understand how, when and to whom to report these incidents.
The fourth control is A.16.1.4, Assessment of and decision on information security events.
When you detect something anomalous on your network,
or something that is
not going as you expected it to go, this is generally classified as an event.
Each of these events needs to be assessed against pre-defined criteria
to decide whether or not it needs to be classified as an information security incident;
not every security event will be classified as a security incident.
Guidance around how to triage and analyze events, and determine whether or not they are classified as incidents,
must be established, documented and made available to the relevant incident management and monitoring teams
to ensure that consistency is applied throughout your security event analysis process.
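One way to make the pre-defined criteria explicit, so that every analyst and every monitoring team reaches the same event-versus-incident decision, is to write them down as rules that a small triage routine applies. The following is an added illustration, not material from the video or from the standard; the event fields, the criteria, the severity scale and the sample events are all constructed for the example, and a real organization's criteria would come from its own documented procedure.

```python
"""Added example: applying documented triage criteria to security events.

Every event is checked against the same ordered list of criteria, and the
decision records which criteria matched, so the classification is both
consistent across teams and auditable afterwards.
"""
from dataclasses import dataclass, field

# Constructed sample events, shaped like records a monitoring tool might emit.
SAMPLE_EVENTS = [
    {"id": "ev-001", "type": "failed_login", "count": 3,
     "asset_criticality": "low", "confirmed_malicious": False},
    {"id": "ev-002", "type": "failed_login", "count": 250,
     "asset_criticality": "high", "confirmed_malicious": False},
    {"id": "ev-003", "type": "malware_detected", "count": 1,
     "asset_criticality": "medium", "confirmed_malicious": True},
    {"id": "ev-004", "type": "port_scan", "count": 1,
     "asset_criticality": "low", "confirmed_malicious": False},
]

# Constructed severity scale; "none" means "record the event, do not open an incident".
SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed pre-defined criteria: (name, predicate, severity if matched).
# Several criteria may match one event; the highest severity wins and every
# matching criterion is kept as the reason for the decision.
CRITERIA = [
    ("confirmed malicious activity",
     lambda e: e["confirmed_malicious"], "high"),
    ("brute force against a high-criticality asset",
     lambda e: e["type"] == "failed_login" and e["count"] >= 100
     and e["asset_criticality"] == "high", "high"),
    ("brute force threshold exceeded",
     lambda e: e["type"] == "failed_login" and e["count"] >= 100, "medium"),
    ("reconnaissance only; record and monitor",
     lambda e: e["type"] == "port_scan", "none"),
]


@dataclass
class Decision:
    event_id: str
    is_incident: bool
    severity: str
    reasons: list = field(default_factory=list)


def triage(event: dict) -> Decision:
    """Classify one event against the documented criteria."""
    matched = [(name, sev) for name, pred, sev in CRITERIA if pred(event)]
    if not matched:
        return Decision(event["id"], False, "none",
                        ["no criterion matched; recorded as an event only"])
    severity = max((sev for _, sev in matched), key=SEVERITY_ORDER.__getitem__)
    return Decision(event["id"], severity != "none", severity,
                    [name for name, _ in matched])


def triage_all(events) -> list:
    """Classify a batch of events; the same input always yields the same output."""
    return [triage(e) for e in events]


def incident_ids(events) -> list:
    """Return only the event ids that were escalated to incidents."""
    return [d.event_id for d in triage_all(events) if d.is_incident]


if __name__ == "__main__":
    for decision in triage_all(SAMPLE_EVENTS):
        print(decision)
```

Because the criteria live in one list that the procedure owners maintain, changing a threshold changes the decision for every team at once, which is the consistency the control asks for; the recorded reasons are the evidence that the decision was taken against the documented criteria rather than by individual judgement.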
The fifth control is A.16.1.5, Response to information security incidents.
When an event is classified as an incident,
it is important that this incident is appropriately responded to
in as quick a time as possible.
Not all incidents can be responded to in the same way,
and it is therefore important that your organization
creates, documents and distributes what is known as an information security incident playbook.
This is a piece of documentation
that lists specific response steps
which are tailored to various incidents.
These incidents can include
ransomware, server failure, suspected attack, denial of service attack,
whatever the case may be.
It should be quick to read and quick to access, generally a one-page document
that your teams can follow and be informed of what to perform during a security incident.
The sixth control is A.16.1.6, Learning from information security incidents.
There is a lot of knowledge that can be gained from analyzing and resolving information security incidents,
and it should be retained and used to reduce the likelihood or impact of future incidents occurring.
Often this learning will identify the root cause of what allowed a specific incident to happen,
and once the root cause is identified, it is possible to fix the root of the problem.
Only when the root of a problem is fixed
can you be more sure that the incident won't occur again in the future.
Of course, there is always the possibility of it occurring again,
but addressing the root cause greatly reduces the likelihood of it occurring again.
The seventh control is A.16.1.7, Collection of evidence.
Your organization needs to define what procedures
should be followed for the identification,
acquisition and preservation of information related to a security incident
which can serve as evidence.
This evidence would need to be preserved in a forensically compliant manner,
so it is important that the staff responsible for evidence collection and maintenance
are informed of these processes
and have specified guidance documents
that can be followed to ensure that they remain compliant with your procedure.
Not every incident will necessarily require collection of evidence
in the forensic sense,
so your organization will need to determine
for which incidents evidence collection is required,
which incidents require further forensic investigation,
and which incidents require a bare minimum of showing that the incident has been resolved
and maintaining proof that it was resolved.
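The two things a forensically sound preservation procedure has to demonstrate are that the collected material is byte-for-byte what was acquired and that every handover of it is on record. The following is an added illustration, not material from the video, the standard or any particular forensics tool: it hashes an artifact at acquisition, keeps an append-only custody log, and seals the whole record so that later edits to the record itself are also detectable. The artifact bytes, handler names, incident identifier and timestamps are constructed for the example, and a real procedure would add storage, access control and legal requirements that this sketch does not cover.

```python
"""Added example: integrity and chain-of-custody records for collected evidence."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifact: one line of an authentication log, as bytes.
EVIDENCE_BYTES = (
    b"2024-05-01T10:00:00Z sshd[4242]: Failed password for root "
    b"from 203.0.113.5 port 51234 ssh2\n"
)


def sha256_hex(data: bytes) -> str:
    """Content digest used for every integrity check below."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(artifact_name: str, data: bytes, collected_by: str,
            incident_id: str, when: str = None) -> dict:
    """Record an artifact at the moment of collection.

    The digest is computed once, here, and never recomputed from a later copy,
    so it describes the artifact as it was when acquired.
    """
    return {
        "incident_id": incident_id,
        "artifact": artifact_name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [{"action": "acquired", "by": collected_by,
                     "at": when or _now()}],
    }


def transfer(record: dict, from_handler: str, to_handler: str,
             when: str = None) -> dict:
    """Append a handover to the custody log; earlier entries are never rewritten."""
    record["custody"].append({"action": "transferred", "from": from_handler,
                              "to": to_handler, "at": when or _now()})
    return record


def verify(record: dict, data: bytes) -> bool:
    """True only if the bytes held now are exactly the bytes that were acquired."""
    return sha256_hex(data) == record["sha256"]


def seal(record: dict) -> str:
    """Digest of the canonical JSON form of the record itself.

    Storing this seal separately (for example in a signed manifest) lets a
    reviewer detect a changed digest, size or custody entry in the record.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def check_seal(record: dict, expected_seal: str) -> bool:
    """Recompute the seal and compare it with the one recorded at sealing time."""
    return seal(record) == expected_seal


def run_example() -> dict:
    """Walk one artifact through acquisition, handover, sealing and verification."""
    rec = acquire("auth.log", EVIDENCE_BYTES, "analyst-a", "INC-EXAMPLE-1",
                  when="2024-05-01T11:00:00+00:00")
    transfer(rec, "analyst-a", "analyst-b", when="2024-05-02T09:30:00+00:00")
    sealed = seal(rec)
    return {
        "record": rec,
        "seal": sealed,
        "artifact_intact": verify(rec, EVIDENCE_BYTES),
        "tampered_detected": not verify(rec, EVIDENCE_BYTES + b"#"),
        "record_intact": check_seal(rec, sealed),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The artifact digest answers "is this still the same evidence", while the seal over the record answers "is this still the same account of who held it and when"; a procedure that keeps both, and stores the seal somewhere the custody log cannot silently overwrite, gives the staff responsible for evidence a concrete check to perform at each handover.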
Other information, or documented information, pertaining to this area
includes your incident management roles, responsibilities and objectives,
plus any policies, procedures and guidelines,
for example your routine and emergency contact points.
You would also need to maintain records or evidence relating to events and incidents that have been reported,
as evidence of compliance.
In this video, we covered the one control area that makes up control set A.16,
Information Security Incident Management.
We covered the seven controls found in this control area,
examined what these controls mean,
and looked at a few examples of evidence that can be used to support your audits.