Incident Management
Manage information security-related incidents and near incidents. Establish incident response teams to identify and limit exposure, and to coordinate with regulatory bodies as appropriate. Undertake forensic analysis of incident-related data to understand the underlying causes and business impact of incidents.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Incident Management at each level of maturity.
- 2 Basic
- Practices
- Define approaches for detecting and closing a limited number of incident types (such as virus infections, denial of service attacks, or known caller scams).
- Log and track all such security-related incidents to closure.
- Outcomes
- Specified security incidents can be handled effectively.
- Actions arising from the treatment of security incidents are followed through to completion.
- Metrics
- # of incidents detected per time period.
- $ impact of incidents.
- % of incidents addressed and closed.
- Practice
- Undertake basic forensic analysis of incident-related data.
- Outcome
- The causes of some major incidents are beginning to be understood.
- Metrics
- % of incidents/near incidents for which an underlying cause is identified.
- $ impact of incidents.
- 3 Intermediate
- Practice
- Standardize approaches for emulating, detecting, prioritizing, tracking, and closing most IT security incidents (such as virus infection, spam, phishing, unusual real-time usage patterns, user or system profile variations, or data access violations), and prioritize the management of incidents based on the urgency of restoring services.
- Outcomes
- Most security incidents can be addressed effectively.
- Business recovery priorities determine the order in which incidents are handled and services are restored.
- Metrics
- # of incidents detected per time period.
- $ impact of incidents.
- % of incidents prioritized, addressed, and closed.
- Practices
- Undertake forensic analysis of incident-related data to classify most incidents and near incidents, diagnose their underlying cause, and assess their impact.
- Share these insights with regulatory bodies and internal and external stakeholder groups.
- Outcome
- The classification, underlying cause, and impact of most incidents and near incidents are understood.
- Metrics
- % of incidents/near incidents for which an underlying cause is identified.
- $ impact of incidents.
- # of insights shared with other organizations.
- # of insights gleaned from other organizations.
- 4 Advanced
- Practice
- Adopt advanced approaches to incident management and undertake root cause analysis of all recurring incidents to identify corrective actions.
- Outcomes
- All security incidents can be handled effectively, and serious incidents are prevented or mitigated in the future.
- Recurring issues are eliminated or mitigated.
- Metrics
- # of incidents detected per time period.
- $ impact of incidents.
- % of incidents addressed and closed.
- # of recurring issues stopped.
- Practices
- Undertake forensic analysis of incident-related data to classify all incidents and near incidents, diagnose their underlying cause, assess their impact, and identify corrective measures.
- Share these insights with relevant stakeholders and glean insights from the incident experiences of other organizations.
- Outcomes
- The classification, underlying cause, and impact of all incidents and near incidents are understood and corrective measures are identified.
- Lessons can be learnt from the experiences of other organizations.
- Metrics
- % of incidents/near incidents for which an underlying cause is identified.
- $ impact of incidents.
- # of insights shared with other organizations.
- # of insights gleaned from other organizations.
- 5 Optimized
- Practices
- Continually review and improve incident management processes in consultation with relevant business ecosystem partners.
- Reflect the latest recommendations from security agencies, vendors, and emerging research within the approaches to incident management.
- Outcome
- Potential business disruptions are avoided or their impact is minimized as a result of consultation and advance warning from business ecosystem partners.
- Metrics
- # of incidents detected per time period.
- $ impact of incidents.
- % of incidents addressed and closed.
- # of unforeseen or unanticipated major incidents.
- Practice
- Continually review and improve the forensic analysis process in consultation with relevant business ecosystem partners.
- Outcome
- The forensic analysis process is kept effective and relevant.
- Metrics
- Frequency of forensic analysis review cycle.
- # of revisions to the forensic analysis process per time period.
- % of incidents/near incidents for which an underlying cause is identified.
- $ impact of incidents.
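The metrics above (incidents detected per time period, $ impact, % closed, % with an underlying cause identified, # of recurring issues stopped) are only useful if they are computed the same way every reporting cycle, which in practice means computing them from the incident register rather than by hand. The following is an added example, not part of the original page or of any maturity framework's own tooling: it defines a minimal register record, populates it with constructed sample incidents (the field names, record layout, cause labels, dollar figures and the 90-day "quiet period" used to decide that a recurring issue has stopped are all assumptions made here for illustration), and derives each of the listed metrics from it. Near incidents are kept in the register so that the cause-identification metric covers them, but are excluded from the incident counts and $ impact.

```python
"""Derive the incident-management POM metrics from an incident register.

Added illustrative example. The register layout, sample records, cause
labels and the quiet-period rule for "recurring issue stopped" are
constructed here and are not taken from the page or any framework.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Incident:
    ident: str
    detected: date
    closed: Optional[date]            # None while the incident is still open
    impact_usd: float
    underlying_cause: Optional[str]   # None until forensic analysis identifies one
    near_miss: bool = False           # near incident: logged and analysed, not counted as an incident


# Constructed sample register (hypothetical data for the example).
REGISTER: List[Incident] = [
    Incident("INC-1", date(2024, 1, 3), date(2024, 1, 4), 1200.0, "phishing credential reuse"),
    Incident("INC-2", date(2024, 1, 9), date(2024, 1, 9), 0.0, "malware on endpoint"),
    Incident("INC-3", date(2024, 2, 2), None, 5000.0, None),               # open, cause unknown
    Incident("INC-4", date(2024, 2, 14), date(2024, 2, 20), 800.0, "phishing credential reuse"),
    Incident("INC-5", date(2024, 3, 1), date(2024, 3, 1), 0.0, "unpatched web server", near_miss=True),
    Incident("INC-6", date(2024, 3, 18), date(2024, 3, 19), 300.0, "phishing credential reuse"),
]


def _pct(numerator: int, denominator: int) -> float:
    """Percentage that is 0.0 rather than a ZeroDivisionError on an empty register."""
    return 0.0 if denominator == 0 else 100.0 * numerator / denominator


def _incidents(register: List[Incident]) -> List[Incident]:
    """Records that count as incidents (near incidents excluded)."""
    return [i for i in register if not i.near_miss]


def incidents_per_period(register: List[Incident],
                         period: Callable[[date], tuple] = lambda d: (d.year, d.month)) -> Dict[tuple, int]:
    """# of incidents detected per time period (default period: calendar month)."""
    return dict(Counter(period(i.detected) for i in _incidents(register)))


def total_impact(register: List[Incident]) -> float:
    """$ impact of incidents."""
    return sum(i.impact_usd for i in _incidents(register))


def pct_closed(register: List[Incident]) -> float:
    """% of incidents addressed and closed."""
    incidents = _incidents(register)
    return _pct(sum(1 for i in incidents if i.closed is not None), len(incidents))


def pct_cause_identified(register: List[Incident]) -> float:
    """% of incidents/near incidents for which an underlying cause is identified."""
    return _pct(sum(1 for i in register if i.underlying_cause), len(register))


def recurring_causes(register: List[Incident]) -> Dict[str, int]:
    """Underlying causes seen more than once (incidents and near incidents alike)."""
    counts = Counter(i.underlying_cause for i in register if i.underlying_cause)
    return {cause: n for cause, n in counts.items() if n >= 2}


def recurring_issues_stopped(register: List[Incident], as_of: str, quiet_days: int = 90) -> List[str]:
    """Recurring causes with no new occurrence in the last `quiet_days` before `as_of` (ISO date).

    The quiet-period rule is an assumption of this example; the count of the
    returned list is the "# of recurring issues stopped" metric.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=quiet_days)
    last_seen: Dict[str, date] = {}
    for i in register:
        if i.underlying_cause:
            last_seen[i.underlying_cause] = max(last_seen.get(i.underlying_cause, i.detected), i.detected)
    return sorted(c for c in recurring_causes(register) if last_seen[c] < cutoff)


if __name__ == "__main__":
    print("incidents per month:", incidents_per_period(REGISTER))
    print("$ impact:", total_impact(REGISTER))
    print("% closed:", pct_closed(REGISTER))
    print("% cause identified:", round(pct_cause_identified(REGISTER), 1))
    print("recurring causes:", recurring_causes(REGISTER))
    print("recurring issues stopped as of 2024-07-01:", recurring_issues_stopped(REGISTER, "2024-07-01"))
```

Two design points carry over to a real register: keep near incidents as first-class records (otherwise the cause-identification metric silently shrinks to incidents only), and define "recurring issue stopped" by a fixed rule such as the quiet period above so that the Advanced-level metric cannot be satisfied merely by reclassifying the next occurrence under a new cause label.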