The Data Security Incident Management Process: Policies, Teams, and Communication

Once a security incident occurs, it’s management’s responsibility to minimize loss and destruction. According to NIST SP 800-61,

“An incident can be thought of as a violation or eminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (Grance, Kent, & Kim, 2004, p.2-1).

An eminent threat is defined as a reasonable belief, based on available information, that an incident is about to occur.

When responding to an incident, the first consideration is protection of human life. The second is the restoration of information processing services that were lost or damaged. The final consideration is mitigation of weaknesses that might have been exploited during the incident. An Incident Management program that effectively addresses these areas produces the following benefits for your organization:

1. The business impact of each incident is minimized
2. The safety of your employees and data is enhanced
3. Corporate liability due to lack of due diligence is mitigated
4. Regulatory requirements are met
5. Your organization’s public image is protected by a fast, professional response

Managing incidents consists of a set of institutionalized policies and processes, which are the product of the steps depicted in Figure 1: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity.

 Before an incident occurs, it’s important to do everything you reasonably can to prepare yourself for a quick and effective response. The steps leading to the proper preparation of your organization include:

1. Developing an data loss incident management policy
2. Forming and training incident response teams
3. Developing a communication plan

The first step in any data security activity is the creation of a policy that clearly states your objectives. You should include:

1. A statement of management commitment to an effective incident management capability
2. Purpose
3. The business and security objectives to be met
4. A statement defining how your organization defines a data loss incident
5. An incident management and response organization structure

The organization structure section of the policy is very important. Employees responsible for incident response must clearly understand their roles and the roles of other teams with which they will have to interface. The lack of a clearly defined organization structure can create confusion, resulting in each phase of a response taking longer than necessary. This almost always results in a more severe impact on your business. Some things to consider when planning your incident management teams include:

1. The role of each team.
2. Clearly defined responsibilities assigned to each team.
3. Levels of authority – The chain of command, leading up to a single recovery manager, should be easy to follow. Further, the incident response teams should be given sufficient authority to make decisions necessary to shut down or confiscate systems to protect your information assets.
4. Prioritization of incidents – Various types of incidents will occur in your organization. Each type might require a unique response with specific reporting requirements.
5. An explanation of reporting requirements. What is each team’s responsibility for reporting, what should be included in the reports, and to whom are the reports submitted?

This policy forms the foundation for the next two steps in data security incident management preparation.