A16 Information Security Incident Management

Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 11.12
00:05
A.16 Information Security Incident Management
00:12
In this video, we will cover an understanding of control set A.16,
00:17
the controls it contains,
00:20
what these controls mean,
00:23
and some example evidence that you can use in order to relate it to your ISMS.
00:32
Control set A.16, Information Security Incident Management,
00:37
consists of one control area.
00:41
This control area is A.16.1, Management of information security incidents and improvements.
00:50
This consists of seven controls.
00:53
Let's take a look at those controls
00:56
A.16.1.1
00:59
Responsibilities and procedures.
01:03
It is important to establish
01:07
responsibilities and procedures
01:08
with regards to incident management
01:11
to ensure a quick, effective and orderly response to information security incidents.
01:21
Your evidence for this will most likely be your incident response procedure.
01:30
The second control is A.16.1.2,
01:34
reporting information security events.
01:41
It is important to establish
01:42
appropriate channels
01:46
through which information security events can be reported.
01:52
This includes
01:53
detection of information security events through monitoring tools such as a security operations center,
02:01
a SIEM solution and so forth.
02:06
It is important that these incidents and events
02:08
are reported as quickly as possible.
02:15
This lessens the window in which an incident or event is active
02:20
and can also help to reduce the potential spread
02:23
or damage caused by the incident.
02:29
A.16.1.3
02:32
Reporting information security weaknesses.
02:38
Your employees and any contractors who make use of your organization's information systems and services
02:46
must understand that they are required to note and report any observed or suspected information security weaknesses.
02:57
These are the people working with the controls and systems on a day to day basis,
03:01
so they're often your first line to detect when something is not going as it should.
03:07
Make sure that they understand why they need to identify and report instances like this,
03:15
and also ensure that they know and understand how, when and to whom to report these incidents.
03:23
A.16.1.4
03:28
Assessment of and decision on information security events.
03:37
So when you detect something anomalous on your network
03:43
or something that is
03:45
not going as you expected it to go, this is generally classified as an event.
03:52
Each of these events needs to be assessed against predefined criteria
03:58
to decide whether or not they need to be classified as information security incidents.
04:03
Not every security event will be classified as a security incident.
04:13
Some sort of guidance around how to triage and analyze events and determine whether or not they're classified as incidents
04:21
must be established and documented and made available to the relevant incident management and monitoring teams
04:29
to ensure that consistency is applied throughout your security event analysis process.
04:36
A.16.1.5
04:41
Response to information security incidents.
04:46
When an event is classified as an incident,
04:49
it is important that this incident is appropriately responded to
04:54
in as quick a time as possible.
04:59
Not all incidents can be responded to in the same way.
05:02
And it is therefore important that your organization
05:06
creates and documents and distributes what is known as an information security incident playbook.
05:15
This is a piece of documentation
05:18
that lists specific response steps
05:21
which are tailored to various incidents.
05:25
These incidents can include
05:28
ransomware, server failure, suspected attack, denial of service attack.
05:33
Whatever the case is,
05:35
these playbooks are
05:38
summarized steps
05:41
quick to read, quick to access generally a one page document
05:45
that your teams can follow and be informed of what to perform during a security incident.
05:53
A.16.1.6
05:56
Learning from information security incidents.
06:01
There is a lot of knowledge that can be gained from analyzing and resolving information security incidents.
06:09
This knowledge
06:10
should be retained and used to reduce the likelihood or impact of future incidents occurring.
06:17
Often this learning will identify the root cause of what allowed a specific incident to happen.
06:25
And once the root cause is identified, it is possible to fix the root of the problem.
06:32
Only when the root of a problem is fixed
06:34
can you be
06:36
more sure that the incident won't occur again in the future.
06:41
Of course, there's always the possibility of it occurring again,
06:45
but addressing the root cause greatly reduces the likelihood of it occurring again.
06:51
A.16.1.7
06:56
Collection of evidence.
07:00
Your organization needs to define what procedures
07:03
should be followed for the identification,
07:06
collection,
07:08
acquisition and preservation of information related to a security incident
07:14
which can serve as evidence.
07:16
This evidence would need to be preserved in a forensically compliant manner.
07:21
So it is important that the staff responsible for evidence collection and maintenance
07:27
are informed of these processes
07:30
and have specified guidance documents
07:32
that can be followed to ensure that they remain compliant with your procedure.
07:40
Not necessarily. Every incident will require collection of evidence
07:46
with regards to forensic evidence,
07:48
so your organization will need to determine
07:51
for which incidents is evidence collection required.
07:57
Which incidents require further forensic investigation
08:01
and which incidents require a bare minimum of showing that the incident has been resolved
08:09
and maintaining proof that it was resolved.
08:16
Other information or documented information pertaining to this area
08:20
includes your incident management roles, responsibilities and objectives,
08:26
plus any policies, procedures and guidelines.
08:28
For example, your routine and emergency contact points.
08:33
You would also need to maintain records or evidence relating to events and incidents that have been reported,
08:41
logged,
08:41
analyzed,
08:43
possibly escalated,
08:45
addressed
08:46
and resolved
08:46
as evidence of compliance.
08:54
To summarize,
08:56
in this video, we covered the one control area that makes up control set A.16,
09:01
Information Security Incident Management.
09:05
We covered the seven controls that are in this control area,
09:09
examined what these controls mean,
09:11
and looked at a few examples of evidence that can be used to support your audits.