IVI Framework Viewer

Incident Management

D3

Manage information security-related incidents and near incidents. Establish incident response teams to identify and limit exposure, and to coordinate with regulatory bodies as appropriate. Undertake forensic analysis of incident-related data leading to an understanding of their underlying causes and business impact.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Incident Management at each level of maturity.

2 Basic
  • Practices
    • Define approaches for detecting and closing a limited number of incident types (such as virus infections, denial of service attacks, or known caller scams).
    • Log and track all such security-related incidents to closure.
    Outcomes
    • Specified security incidents can be handled effectively.
    • Actions from security incident treatment get addressed.
    Metrics
    • # of incidents detected per time period.
    • $ impact of incidents.
    • % of incidents addressed and closed.
  • Practice
    Undertake basic forensic analysis of incident-related data.
    Outcome
    The causes of some major incidents are beginning to be understood.
    Metrics
    • % of incidents/near incidents for which an underlying cause is identified.
    • $ impact of incidents.
3 Intermediate
  • Practice
    Standardize approaches for emulating, detecting, prioritizing, tracking, and closing most IT security incidents (such as virus infection, spam, phishing, unusual real-time usage patterns, user or system profile variations, or data access violations) and prioritize the management of incidents based on the urgency to restore services.
    Outcomes
    • Most security incidents can be addressed effectively.
    • Business recovery priorities guide both recovery and incident management.
    Metrics
    • # of incidents detected per time period.
    • $ impact of incidents.
    • % of incidents prioritized, addressed, and closed.
  • Practices
    • Undertake forensic analysis of incident-related data to classify most incidents and near incidents, diagnose their underlying cause, and assess their impact.
    • Share these insights with regulatory bodies and internal and external stakeholder groups.
    Outcome
    The classification, underlying cause, and impact of most incidents and near incidents are understood.
    Metrics
    • % of incidents/near incidents for which an underlying cause is identified.
    • $ impact of incidents.
    • # of insights shared with other organizations.
    • # of insights gleaned from other organizations.
4 Advanced
  • Practice
    Adopt advanced approaches to incident management and undertake root cause analysis of all recurring incidents to identify corrective actions.
    Outcomes
    • All security incidents can be handled effectively and serious incidents are prevented or mitigated in the future.
    • Recurring issues are eliminated or mitigated.
    Metrics
    • # of incidents detected per time period.
    • $ impact of incidents.
    • % of incidents addressed and closed.
    • # of recurring issues stopped.
  • Practices
    • Undertake forensic analysis of incident-related data to classify all incidents and near incidents, diagnose their underlying cause, assess their impact, and identify corrective measures.
    • Share these insights with relevant stakeholders and glean insights from the incident experiences of other organizations.
    Outcomes
    • The classification, underlying cause, and impact of all incidents and near incidents are understood and corrective measures are identified.
    • Lessons can be learnt from the experiences of other organizations.
    Metrics
    • % of incidents/near incidents for which an underlying cause is identified.
    • $ impact of incidents.
    • # of insights shared with other organizations.
    • # of insights gleaned from other organizations.
5 Optimized
  • Practices
    • Continually review and improve incident management processes in consultation with relevant business ecosystem partners.
    • Reflect the latest recommendations from security agencies, vendors, and emerging research within the approaches to incident management.
    Outcome
    Potential business disruptions are avoided or their impact is minimized as a result of consultation and advance warning from business ecosystem partners.
    Metrics
    • # of incidents detected per time period.
    • $ impact of incidents.
    • % of incidents addressed and closed.
    • # of unforeseen or unanticipated major incidents.
  • Practice
    Continually review and improve the forensic analysis process in consultation with relevant business ecosystem partners.
    Outcome
    The forensic analysis process is kept effective and relevant.
    Metrics
    • Frequency of forensic analysis review cycle.
    • # of revisions to the forensics analysis process per time period.
    • % of incidents/near incidents for which an underlying cause is identified.
    • $ impact of incidents.