Incident management is considered here to encompass:
Whereas accounting and audit are concerned with the active gathering and analysis of data, incident management relates more to addressing actual and potential security issues as they arise.
Incident management must include elements of:
ITIL
The IT Infrastructure Library (ITIL), available from the OGC, includes a component identifying best practice in incident management, including the analysis of incidents to prevent recurrence.
ISO/IEC 17799
ISO/IEC 17799 identifies incident reporting and management as key elements of an ISMS. The standard recommends that the reporting process be formalised and widely publicised within the organisation, to the extent of using case studies as part of awareness training. Incident management should be based on pre-defined processes for dealing with each category of incident (in order to ensure a speedy and effective response), and there must be a supporting mechanism to ensure that appropriate lessons are learned and put into practice.
ISO/IEC TR 18044
ISO/IEC TR 18044 provides specific guidance on incident management. The standard contains: examples of information security incidents; a description of the planning and documentation required to introduce a structured approach; and a description of the information security incident management process.
The key issue identified in the standard is that any actions undertaken in response to an incident should be based on previously developed, documented and accepted procedures and processes.
Department of Trade and Industry
The DTI provide short guidance papers on their website, which set out best practice in areas including incident management.
Infrastructure Requirements
Where there is a connection to a centralised infrastructure there will usually be an obligation to report incidents so that the threat to the infrastructure can be monitored. The GSi security requirements, for example, include an Organisational Commitment Statement which includes the requirement to:
...ensure that my organisation will inform UNIRAS or my WARP immediately I become aware of a potential attack, an actual breach of security, any significant change to my organisation that may affect security, and unaccountable network activity. Failure to do so may result in revocation of my organisation’s access to the GSi.
UNIRAS
Incidents affecting UK Government systems may need to be reported through UNIRAS. This ensures that the information available from the scheme reflects the current position, and provides an opportunity for others to benefit from the experience.
CINRAS
CINRAS exists to allow a rapid response to security incidents affecting communications (such as lost encryption key material) which could impact one or more government departments or agencies. CINRAS also assembles data on incidents, and the causes of incidents. Advice on reporting incidents via CINRAS is available from S(E)N 04/01.
An effective incident reporting mechanism must be based on three key principles:
All of these must be present if incident reporting is to play its part in ensuring IA.
The reporting mechanism must feed into an effective incident management structure, which will take local reports and other sources and apply the experience embodied in that information. Direction and policy must be clearly set out in the organisation’s security documentation.
Reports from users concerning actual and potential security problems may not always correctly identify the issue as security-related.
Prioritisation and management therefore depend upon user awareness, security training for staff in the reporting chain, and the existence of escalation mechanisms, the key issues being:
Department of Trade and Industry
The DTI sponsor research into information security breaches to help UK businesses better understand the risks that they face. The Information Security Breaches Survey takes place every two years and is the UK's leading source of information on security incidents suffered by businesses, both large and small.
The results of the survey, together with a series of themed factsheets on topics drawn from the survey results and good practice in information security, are published on the security survey website.
UNIRAS
The UNIRAS scheme provides an alerting service for companies with List X sites and public sector and CNI organisations, providing email warnings and alerts on software product vulnerabilities and specific threats. There is also an annual summary paper which provides a picture of the changing threat environment in the UK, and examples demonstrating ‘lessons learned’.
ITsafe
The ITsafe scheme provides a source of non-technical, plain-language alerts for home users and small businesses.
Security Education News
List X Security Controllers and departmental ITSOs will have available the regular bulletins issued by the Security Service, containing threat advice.
CPNI
CPNI can provide advice on specific threats and on early warnings and indicators, and in some cases can provide access to the HMG annual threat assessment. Where it is felt that CPNI can offer assistance, the usual route is via the DSO.
CESG
Advice on specific technical vulnerabilities and countermeasures can be obtained from CESG. As with CPNI, the recommended means of approaching CESG for advice is through the local security representative.
COSPD
The Cabinet Office Security Policy Division offers security advice through, for example, the production of S(E)Ns.
NSAC
The role of NSAC is to protect the UK from threats to national security, by delivering authoritative security advice across the CNI.
Responding to Incidents
CERT
A Computer Emergency Response Team (CERT, a trademark of Carnegie Mellon University) may be established by an organisation to deal with computer security and communications security incidents. However, this may represent a considerable investment.
As a minimum, organisations must develop and test a generic security incident response plan, so that the objective of a response based on documented procedures can be achieved.
Best practice for incident response (as set out by the DTI) is to follow a five point plan once an event has been deemed to be a security incident:
In addition, the DTI guidelines provide information on what to do in the event that there is a requirement for forensics as part of the incident investigation:
These processes should be taken as the basis of a localised incident response plan.
WARPs
Warning, Advice and Reporting Points (WARPs) can address the needs of those organisations that cannot justify the cost of setting up a CERT. A WARP provides three services to its members:
The WARP Toolbox has been developed to assist those considering establishing a WARP, and contains advice on the development and provision of the three WARP services. Further information is available from www.niscc.gov.uk.