A16 Information Security Incident Management

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Listen 11.12
00:05
a 16. Information Security Incident management
00:12
In this video, we will cover an understanding of control. Sit A 16
00:17
The controls it contains
00:20
what these controls mean
00:23
and some example evidence that you can use in order to related to your s mess
00:32
Control, said a 16 information security incident Management
00:37
concepts of one control area.
00:41
This control area is a 16.1 management of information security incidents and improvements.
00:50
This consists of seven controls.
00:53
Let's take a look at those controls
00:56
a 16.1 point one
00:59
Responsibilities and procedures.
01:03
It is important to establish
01:07
responsibilities and procedures
01:08
with regards to incident management
01:11
to ensure a quick, effective and orderly response to information security incidents.
01:21
Your evidence for this will most likely be your incident response procedure.
01:30
The second control is a 16.1 point two
01:34
reporting information security events.
01:41
It is important to establish
01:42
appropriate channels
01:46
through which information security events can be reported.
01:52
This includes
01:53
detection off information security events through monitoring tools such as a security operation center,
02:01
it seems solution and so forth.
02:06
It is important that these incidents and events
02:08
are reported as quickly as possible.
02:15
This lessens the window in which an incident or event is active
02:20
and can also help to reduce the potential spread
02:23
or damage caused by the incident.
02:29
A 16.1 point three
02:32
reporting information security weaknesses
02:38
your employees and any contractors which make use of your organization's information systems and services
02:46
must understand that they are required to note and report any observed or suspected information security weaknesses.
02:57
These are the people working with the controls and systems on a day to day basis,
03:01
so they're often your first line to detect when something is not going as it should.
03:07
Make sure that they understand why they need thio, identify and report instances like this,
03:15
and also ensure that they know and understand how, when and to whom to report these incidents to
03:23
a 16.1 point full
03:28
assessment off and decision on information security events.
03:37
So when you detect something anomalous on your network
03:43
or something that is
03:45
not going as you expected to go, this is generally classified as an event.
03:52
Each of these events need to be assessed against pre defined criteria
03:58
to decide whether or not they need to be classified as information security incidents
04:03
not every security event will be classified as a security incident,
04:13
having some sort of guidance around how to triage and analyze events and determine whether or not they're classifies. Incidents
04:21
must be established and documented and made available to the relevant incident management and monitoring teams
04:29
to ensure that consistency is applied throughout your security event. Analysis of process
04:36
A 16.1 point five
04:41
response to information security incidents.
04:46
When an event is classified as an incident,
04:49
it is important that this incident is appropriately responded. Thio
04:54
in is quickly a time as possible.
04:59
Not all incidents can be responded thio in the same way.
05:02
And it is therefore important that your organization
05:06
creates and documents and distributes what is known as an information security incident playbook.
05:15
This is a piece of documentation
05:18
that list specific response steps
05:21
which are tailored to various incidents.
05:25
These incidents can include
05:28
ransomware server failure, suspected attack, denial of service attack.
05:33
Whatever the case is,
05:35
these playbooks are
05:38
summarized steps
05:41
quick to read, quick to access generally a one page document
05:45
that your teams can follow and be informed off what to perform during a security incident.
05:53
A 16.1 point six
05:56
learning from information security incidents,
06:01
There is a lot of knowledge that can be gained from analyzing and resolving information security. Instance,
06:09
This knowledge
06:10
should be retained and used to reduce the likelihood or impact of future incidents occurring.
06:17
Often this learning will identify the root cause of what allowed a specific incident to happen.
06:25
And once the root causes identified, it is possible to fix the root of the problem
06:32
Only when the root of a problem is fixed
06:34
can you be
06:36
more sure that the incident won't occur again in the future.
06:41
Of course, there's always the possibility of been occurring again,
06:45
but addressing the root cause greatly reduces the likelihood of it occurring again.
06:51
A 16.1 point seven
06:56
collection off evidence
07:00
your organization needs to define what procedures
07:03
should be followed for the identification,
07:06
collection,
07:08
acquisition and preservation of information related to a security incident
07:14
which conserve as evidence.
07:16
This evidence would need to be preserved in a forensically compliant manner.
07:21
So it is important that the staff responsible for evidence collection and maintenance
07:27
are informed of these processes
07:30
and have a specified guidance documents
07:32
that can be followed to ensure that they remain compliant to your procedure?
07:40
Not necessarily. Every incident will require collection of evidence
07:46
with regards to forensic evidence,
07:48
so your organization will need to determine
07:51
for which incidents is evidence collection required.
07:57
Which incidents require further forensic investigation
08:01
and which incidents require a bare minimum off showing that the incident has been resolved
08:09
and maintaining proof that it was resolved.
08:16
Other information or documented information pertaining to this area
08:20
includes your incident management roles, responsibilities and objectives,
08:26
plus any policies, procedures and guidelines.
08:28
For example, your routine and emergency contact points.
08:33
You would also need to maintain records or evidence relating thio events and incidents that have been reported
08:41
logged,
08:41
analyzed,
08:43
possibly escalated,
08:45
addressed
08:46
and resolved
08:46
as evidence of compliance.
08:54
To summarize
08:56
in this video, we covered the one control area that makes up control set a 16
09:01
information security incident management
09:05
we covered the seven controls, have it in this control area,
09:09
examine what these controls mean
09:11
and looked at a few examples of evidence that can be used to support your orders.
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By