Incident Response
The eCrime portal will include an incident management capability that will enable rapid information exchange between members as part of a 24-hour response system. By streamlining the flow of information it will be possible for members to work together to more effectively combat eCrime.
One of the challenges to be faced in building an effective incident management capability is understanding the broader scope of incident management work. It is no longer enough to just “handle” events and incidents in a technical security context. Twenty years ago, many organizations relegated this responsibility to their IT or Security department—it was a “technical” issue to be solved, and these teams typically handled incidents in isolation. Back then there was limited sharing of knowledge about incidents or communication about the results to stakeholders across the enterprise to identify broader risk to the mission, reputation, brand, etc. But those days are gone, and today enterprises must be able to incorporate security into every aspect of their operations.
Since incidents can have far-reaching consequences and implications affecting the internal protection (confidentiality, availability, integrity) of critical data and assets, privacy information, supply chain contacts, and beyond, incident management actions can involve many groups within the enterprise—board room and C-level managers who handle governance, budget, and strategic issues; IT, CSIRT, and security staff who coordinate and implement incident response actions; groups such as human resources, privacy officers, risk, audit, legal, and public relations staff who might be brought in to handle aspects of an incident related to their areas of expertise; and others. External groups may also be involved, including regulatory bodies, law enforcement, and possibly other computer security incident response organizations.
For computer security incident response to occur in an effective and successful way, all the tasks and processes being performed must be viewed from an enterprise perspective. This means identifying the interactions and communications that need to occur, how tasks are done and how the processes relate, how information is exchanged, and how actions are coordinated—no matter who is performing the work.
Focusing only on the response part of the process, for example, misses key actions that, if not done in a timely, consistent, and quality-driven manner, will impact the overall response, possibly delaying actions because of confusion over roles and responsibilities, ownership of data and systems, and authority. Response can also be delayed or ineffective if communications are not clear, if the appropriate contacts are not known, or if the quality of the information provided is inadequate, incomplete, or inaccurate. Any impact on the timeliness and quality of the response can cause further damage to critical assets and data during an incident.
Incident Management Process Model
Incident management, then, can be seen as an abstract, enterprise-wide capability, potentially involving every business unit within the organization. It can be viewed as a subset of the organization’s broader security, risk, and IT management activities and functions. It can often cross into general security and IT management tasks and practices. Because of the large amount of staff inside and outside an organization who might be involved, it is important that a plan exists for how these pieces interact with each other so that incidents are handled in a smooth and timely manner.
To be successful, this plan should
- integrate into existing processes and organizational structures so that it enables rather than hinders critical business functions
- strengthen and improve the capability of the constituency, where required, to effectively manage security events and thereby keep intact the availability, integrity, and confidentiality of an organization’s systems and critical assets
- support, complement, and link to any existing business continuity or disaster recovery plans where and when appropriate
- support, complement, and provide input into existing business and IT policies that impact the security of an organization’s infrastructure
- implement a command and control structure, clearly defining roles and responsibilities, as well as accountability for decisions and actions
- be part of an overall strategy to protect and secure critical business functions and assets
- include the establishment of processes for
  - detection and triage
  - categorization and prioritization
  - notification and communication
  - analysis and response
  - collaboration and coordination
  - maintenance and tracking of records

Building an Incident Management Capability
In developing an incident management capability, an organization must determine who is currently performing incident management and related tasks and identify who will be part of the incident management team. Identifying people across the enterprise who must work together to analyze and resolve incidents and then assigning them specific roles and responsibilities is one of the most critical tasks that can be done in building and improving a capability.
Getting management buy-in and consensus within the organization is always the first recommendation for implementing a formalized process. This establishes a foundation that is needed for success. If possible, have executive management establish a policy and corresponding procedures that define the incident management process and key participants. This policy and set of procedures must then be announced, taught, and enforced.
The purpose of each group within the capability and their roles and responsibilities should be defined and documented. Corresponding workflows that illustrate how an incident flows through the incident management process, including detection, reporting, triage, analysis, response, and closure, should be completed.
Incident reporting forms, guidelines, and procedures should be created and distributed to all organizational employees, including becoming part of employee orientation programs and annual security training. If employees do not know how and what to report, computer security events and incidents might occur that are not detected in a timely manner.
Postmortems on all key incidents should be done to determine ways to improve infrastructure protection strategies and response policies, procedures, and processes. Mock incident exercises should be conducted at least on an annual basis to test that everyone knows what to do, how to report, and how to respond.
Incident management, just like other key security management functions, must be shown to be important to the organization.