Chapter 17. Day 17 – Security Operations - Incident Management and Disaster Recovery

This chapter covers incident management and disaster recovery concepts from the perspective of physical and operational security domains. Concepts related to incident management controls, business continuity planning process, and disaster recovery planning are covered with relevant examples and illustrations:

[Diagram: Day 17 – Security Operations - Incident Management and Disaster Recovery]

Observe the preceding diagram. Incidents may disrupt business processes and activities, and an unattended incident may, in turn, escalate into a disaster. A suitable business continuity planning process, together with disaster recovery planning, ensures continuity of business operations.

In this chapter, we will cover the following topics:

  • Foundational concepts on incident management
  • Preventative measures
  • Patch and vulnerability management
  • Change management principles
  • Disaster recovery and business continuity exercises

Incident management and reporting

An incident is an event that could possibly violate information security. The violation may breach the confidentiality, integrity, or availability requirements of information assets. Primarily, incidents happen due to weaknesses in systems and in operational processes and procedures.

A systematic and procedural way of managing incidents, established within an organization, is called incident management.

Incident management consists of incident reporting and response to such reports.

Incident reporting refers to the mechanism of reporting suspected weaknesses and incidents to the management by employees, contractors, and third-party users.

Examples of incidents

The following are some examples of incidents:

  • An access violation is a type of incident where an unauthorized entity attempts to gain access to a system, whether or not the attempt succeeds.
  • The malfunction of hardware and software could possibly affect the availability of the systems. It is also possible that data could be corrupted, compromising integrity.
  • Human errors such as wrong inputs to the system, improper configuration, and the violation of established procedures could compromise security.
  • Uncontrolled system changes could affect system security, for example by preventing the system from being restored to its previous secure state, or by leaving other users of the system unaware of the changes.
  • Noncompliance with policies and procedures is an incident that could compromise the established secure practices.
  • A physical security breach is an incident that could compromise information security controls.

Incident management objective and goals

The objective of information security incident management is to manage incidents effectively so that the associated risks are mitigated through timely action.

The goals of incident management are as follows:

  • Establishing, implementing, and maintaining suitable procedures for reporting information security-related incidents and weaknesses by employees, third-party contractors, and outsourced entities
  • Establishing, implementing, and maintaining escalation procedures related to information security incidents
  • Establishing the designated points of contact for reporting information security incidents and weaknesses
  • Periodically conducting awareness programs for employees, third-party contractors, and outsourced service providers about information security incidents, weaknesses, and reporting procedures
  • Ensuring that the reported incidents are properly dealt with and corrective actions are taken
  • Establishing procedures to feed the lessons learned from incidents back into the awareness programs and management procedures

Incident management controls

Incident management involves actions that are predominantly corrective in nature. For example, firefighting is a corrective exercise. However, certain preventive actions are also taken to control the onset of an incident. The following are some of the security controls, systems, and actions that can help in managing incidents.

Intrusion detection systems

As the name implies, Intrusion Detection Systems (IDS) are detective controls that detect unauthorized intrusions into premises such as data centers or computer networks.
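To make the detective-control idea concrete, here is an added example (not from the book) of the simplest kind of detection logic an IDS applies: it reads authentication log lines, flags repeated failed logins from one source inside a short window as an attempted access violation, and flags a subsequent successful login from that same source as a possible successful access violation, the two cases named in the access-violation incident example earlier in the chapter. The log lines, host names, user names and addresses are constructed for the example; the threshold and window are assumed values.

```python
"""Minimal IDS-style detection over authentication log lines.

Added example, not part of the original chapter. All log lines below are
constructed; hosts, users, addresses, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like format (hypothetical hosts and IPs).
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:07 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 host1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 host1 sshd: Accepted password for alice from 198.51.100.5
2024-03-01T09:30:00 host1 sshd: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_access_violations(events, threshold=3, window=timedelta(minutes=5)):
    """Return a list of incident records.

    - 'attempted_access_violation': `threshold` failed logins from one source
      within `window` (reported once, when the threshold is reached).
    - 'successful_access_violation': a successful login from a source that
      had already reached the failure threshold inside the window.
    """
    failures = defaultdict(list)  # source address -> timestamps of recent failures
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Keep only the failures that are still inside the sliding window.
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            if len(failures[src]) == threshold:
                incidents.append({"type": "attempted_access_violation",
                                  "src": src, "user": ev["user"], "at": ev["ts"]})
        else:  # "Accepted"
            if len(failures[src]) >= threshold:
                incidents.append({"type": "successful_access_violation",
                                  "src": src, "user": ev["user"], "at": ev["ts"]})
            failures[src].clear()  # a success ends the current failure run
    return incidents


if __name__ == "__main__":
    for incident in detect_access_violations(parse(SAMPLE_LOG)):
        print(incident)
```

Only the source at 203.0.113.7 produces incidents: the third failure triggers the attempted-violation record, and the later success from the same source triggers the successful-violation record, which is the one an analyst would escalate first. The single failure from 198.51.100.9 stays below the threshold and is not reported.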

Vulnerability assessment and penetration testing

In physical, operational, and network security, vulnerability assessment and penetration testing are periodically conducted to identify the weaknesses in the access control mechanisms and test the possibility of unauthorized intrusion.

Patch management

Computer applications contain vulnerabilities, that is, errors in their code. These applications are generally executable files produced by different software vendors. Vulnerabilities identified after the final release of such applications are periodically fixed by these vendors, who release software code containing the patches. Patch management refers to applying patches to existing applications, or patching computers, in a systematic way. Applying patches to a test system before applying them to production systems, and creating rollback mechanisms in case an applied patch affects existing applications, are considered patch management controls. Patch management has to be validated as part of the compliance-monitoring activity.
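The three patch management controls named above (test before production, a rollback mechanism, and validation under compliance monitoring) fit together as one workflow. The following added example, not from the book, models that workflow: a patch is applied to a test ring first, a post-patch check decides whether it is promoted to production or rolled back, and a compliance report lists which hosts still lack which required patches. Patch identifiers, host names, rings and the check outcomes are constructed for the example.

```python
"""Patch management workflow: test-ring gating, rollback, compliance report.

Added example, not part of the original chapter. Patch IDs, hosts and the
post-patch check results are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ring: str                                   # "test" or "production"
    installed: set = field(default_factory=set)  # patch IDs currently applied
    history: list = field(default_factory=list)  # ordered record, supports rollback


# Constructed patch catalogue: patch ID -> application it fixes.
REQUIRED_PATCHES = {"APP-2024-001": "webapp", "APP-2024-002": "dbclient"}


def build_inventory():
    """Constructed host inventory: one test host, two production hosts."""
    return [Host("test1", "test"), Host("prod1", "production"), Host("prod2", "production")]


def apply_patch(host, patch_id):
    host.installed.add(patch_id)
    host.history.append(patch_id)


def rollback(host, patch_id):
    """Undo a patch that broke an existing application (the rollback mechanism)."""
    if patch_id in host.installed:
        host.installed.discard(patch_id)
        host.history.remove(patch_id)


def deploy(patch_id, hosts, post_patch_check):
    """Apply to the test ring; promote to production only if the check passes.

    post_patch_check(host, patch_id) -> bool is the validation run on a patched
    test host (in practice an application smoke test; here a constructed stub).
    """
    test_hosts = [h for h in hosts if h.ring == "test"]
    prod_hosts = [h for h in hosts if h.ring == "production"]
    for h in test_hosts:
        apply_patch(h, patch_id)
        if not post_patch_check(h, patch_id):
            # The patch broke something: roll the test ring back and stop here,
            # so production is never touched by a patch that failed testing.
            for t in test_hosts:
                rollback(t, patch_id)
            return {"patch": patch_id, "status": "rolled_back", "promoted": False}
    for h in prod_hosts:
        apply_patch(h, patch_id)
    return {"patch": patch_id, "status": "deployed", "promoted": True}


def compliance_report(hosts, required=REQUIRED_PATCHES):
    """Compliance-monitoring view: host name -> required patches still missing."""
    return {h.name: sorted(set(required) - h.installed) for h in hosts}


def constructed_check(host, patch_id):
    """Constructed smoke-test result: APP-2024-002 breaks the application under test."""
    return patch_id != "APP-2024-002"


def run_cycle():
    """One patch cycle over the constructed inventory; returns (results, report)."""
    hosts = build_inventory()
    results = [deploy(p, hosts, constructed_check) for p in REQUIRED_PATCHES]
    return results, compliance_report(hosts)


if __name__ == "__main__":
    results, report = run_cycle()
    for r in results:
        print(r)
    print(report)
```

In this run the first patch passes the test ring and reaches both production hosts, while the second fails its check and is rolled back before promotion. The compliance report then shows every host still missing APP-2024-002, which is exactly the gap compliance monitoring must keep visible until a corrected patch is released and deployed.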

Configuration management

An improper configuration of IT systems may lead to system compromise, affecting the confidentiality and integrity of the systems. Configuration errors also affect availability. Configuration management refers to maintaining the correct configuration of systems and to documenting and managing changes to those systems.
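Maintaining the right configuration and managing changes to it is usually done against a documented baseline. The added example below, not from the book, audits a host's current settings against such a baseline: a deviation that matches an approved change record is reported as a documented change, any other deviation is reported as unauthorized drift (the "uncontrolled system change" from the incident examples earlier in the chapter), and settings not covered by the baseline are reported so the baseline can be extended. The baseline, the change register, the setting names and the current configuration text are all constructed for the example.

```python
"""Configuration baseline audit with change-record reconciliation.

Added example, not part of the original chapter. Baseline settings, change
record IDs and the current configuration are constructed for illustration.
"""

# Constructed documented baseline: setting -> expected value.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "ssh.MaxAuthTries": "3",
    "firewall.default_policy": "deny",
}

# Constructed change register: change record ID -> approved new values.
APPROVED_CHANGES = {
    "CHG-0042": {"ssh.MaxAuthTries": "4"},
}

# Constructed current configuration of a host, in key=value form.
CURRENT_CONFIG_TEXT = """\
# sshd and firewall settings as exported from the host
ssh.PermitRootLogin=yes
ssh.PasswordAuthentication=no
ssh.MaxAuthTries=4
firewall.default_policy=deny
logging.level=info
"""


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blank lines and comments."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def audit(current, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Compare current settings with the baseline and classify each deviation."""
    # Flatten the register: setting -> (change ID, approved value).
    approved_values = {k: (chg, v) for chg, kv in approved.items() for k, v in kv.items()}
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual == expected:
            continue
        if key in approved_values and approved_values[key][1] == actual:
            findings.append({"key": key, "status": "approved_change",
                             "change_id": approved_values[key][0],
                             "expected": expected, "actual": actual})
        else:
            findings.append({"key": key, "status": "unauthorized_drift",
                             "expected": expected, "actual": actual})
    for key in sorted(current.keys() - baseline.keys()):
        findings.append({"key": key, "status": "unbaselined_setting",
                         "actual": current[key]})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(CURRENT_CONFIG_TEXT)):
        print(finding)
```

The audit separates the three situations a configuration manager cares about: MaxAuthTries differs from the baseline but matches CHG-0042, so the baseline document should be updated to the approved value; PermitRootLogin differs with no change record behind it, which is the drift that should be treated as an incident and restored; and logging.level has no baseline entry at all, so a decision about its correct value is still owed.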
