7. The management of security incidents
"It is not a question of IF but of WHEN".

First, in the management of security incidents "it is not a question of IF but of WHEN":

it is an inflated maxim, but it should serve to focus attention and resources on managing events whose probability of occurrence is close to certainty.


Second, "do no harm":

it is good practice to apply this fundamental principle of medicine to the management of security incidents as well, because without sufficient preparation to deal with an incident there are many ways to make its negative consequences worse.



Preparation pays off:

- Preparing for security incidents can reduce damage to the company, incident costs and management difficulties.

- Major IT security incidents must be part of corporate risk management.


Coordination is key:

Management of an incident requires the collaboration and coordination of the technical, operational, communication and legal functions.


Stay calm and in control:

When dealing with a security incident, overreacting can be just as damaging as underreacting.


The management of security incidents is an important element of the Security Program that the Fractional CISO organizes in the company;

depending on the size and complexity of the organization, some specific functions may be managed internally or delegated to an external professional partner (Managed Security Service Provider, MSSP).


The fundamental elements for the management of Security Incidents are:


- Updated inventories of information, technology and processes, to identify the most important and critical "assets" that it is a priority to protect.

"If you protect your paper clips and diamonds with equal vigor, you will soon have more paper clips and fewer diamonds."


- Cyber Security Incident Management Policy: defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents.


- Information Security Incident Management Plan: a roadmap for implementing the incident response program; it sets both short- and long-term goals for the program, including measurement metrics, requirements, and how often incident managers should be trained.


- Reference framework for the management of security incidents: a standard such as NIST SP 800-61 or SANS/GIAC, or one customized to the characteristics of the organization.


- Security Incident Management Team.

In the absence of a permanent organizational structure (such as a CSIRT, an internal SOC or an MSSP), an Incident Management Team must be defined, ready to be activated without notice and made up of trained people with clearly defined roles and responsibilities who represent the company functions: Management, IT security, IT operations, internal and external Communications, Legal (the DPO, if present) and Human Resources.


- Incident Response Procedures.

Procedures, based on the policy and on the incident response plan, that set out the detailed steps for responding to an incident and cover all stages of the process for the most important types of security incident, such as:

-> restoring a compromised account;

-> recovering a compromised host;

-> segregating and isolating parts of the network.

This includes the secure recovery of endpoint, server and equipment configurations.


- Emergency approval process for handling rapid changes during an emergency or incident (e.g. the authority to evaluate and approve rapid change proposals, and arrangements for acquiring specialist support services).


- Critical information backup system, tested and separated from the operating environments.


The different areas that the Fractional CISO coordinates and supervises:


Integration:

- with business and leadership priorities

- with IT operations or IT security (internal team and / or professional partners)


Culture and continuous learning processes:

- regular exercises of the Security Incident Management Team

- integration of post-mortem analyses after each security incident


Documentation:

- accessibility and usability for all interested parties

- detailed technical (or automation) recovery instructions for IT

Escalation for serious incidents:

- Access to technical expertise on security systems and critical business systems

- Access to operational, communication and legal experience through teams of internal specialists and / or partnerships with external bodies