RESEARCH ROADMAP
CHAPTER 2: LITERATURE REVIEW 2.1. Introduction
2.6. Information Security Incident Management (ISIM) Processes
According to Kossakowski et al. (1999) and Ahmad et al. (2012), the processes of ISIM include broadly preparing, handling and following up information security incidents. Preparation involves the priming of policies and procedures for responding to intrusions. The handling process involves the collection, analysis, communication, and awareness of information security incidents and its progress among all stakeholders. Further handling involves the application of short-term solutions, eliminating intruder access and returning the system to normal operation. Then the follow-up process deals with the identification and implementation of lessons learnt from the experience. The aim of these processes is to restore the system back to its standard operative state (Dodson, 2001). ISIM addresses various processes, planning and communication of incidents among employees of organisations (ISO, 2016). To achieve that, it requires awareness, training and equipping all stakeholders including end-users (Ahmad et al., 2021). ISIM involves the resource coordination for the management of incidents, as well as formulating and reporting the formal detection and response processes (Khando et al., 2021).
As depicted in Figure 2-2, ISIM event flow diagrams consist of the processes of plan and prepare, detection and reporting, assessment and decision, response and lessons learnt. These are discussed in detail from Section 2.6.1 to Section 2.6.5 in relation to this study.
32
Figure 2-2: An Information Security Incident Management (ISIM) Event Flow Diagram (adapted from (ISO/IEC 27035, 2016))
Although the practice differs within organisations, the following are recommended processes in the information security incident management practices (Hove et al., 2014):
• Planning and Preparation
• Detection and Reporting
• Assessment and Decision
• Response to Incidents
• Lessons Learnt
The details of the processes of ISIM are discussed in the next sections (Section 2.6.1 to Section 2.6.5).
2.6.1. Planning and Preparation
This step deals with the preparation of ISIM policy and procedure and creates a proficient team to deal with incidents. The process of planning and preparation for ISIM is often inadequate, however, ISIM requires proactive and effective forward planning (Line et al., 2016). In order for organisations to succeed in the management of incident events and vulnerabilities for operational use, an organisation must complete several fundamental activities after the necessary planning. Planning and preparation involve allocation of resources, recruitment of a skilled workforce and establishing a formal reporting scheme for incident detection and
33
response process. According to ISO/IEC (2016), some of the especially important operations that organisations should consider in the planning and preparation phase include:
• Commitment of senior management.
• Updating the ISIM policies at corporate and system, service, and network level.
• Establishing an ISIRT team for technical support.
• Briefings, training, and awareness creation sessions.
While it is vital to plan and prepare for incidents, the current strategies for this phase are poorly managed (Line et al., 2016).
2.6.2. Detection and Reporting
Information security incident detection and reporting anomalies exist in organisations in that users sometimes depend on their own tacit knowledge (Werlinger et al., 2010). The detection and reporting of incidents by users in organisations is also limited and is usually conducted by technical means and consequently end-users do not typically detect and report incidents (Ahmad et al., 2012; Metzger et al., 2011). Information security vulnerabilities can be detected by individuals directly or indirectly that trigger an alarming concern which could be either at physical, technical, or procedural levels. Detection could be, for example, directly from computerised systems, notification of system change, or other reports that appear from individuals or groups (ISO/IEC, 2016). Incidents can be detected either by automated machines or by human experts. Automatic means of information security incident event detection include: audit trail analysis, firewall, intrusion detection systems, and anti-malicious code tools (Hove et al., 2014).
Although the balance between openness and protection of incidents should be maintained, it is important to communicate the incident event to various media outlets for recognition (Manley
& McIntire, 2020). According to ISO/IEC (2016), potential information security incident event identification sources include the following: system users, executives, security managers, line managers, suppliers and customers, ICT Department, ICT help desk, service providers such as Internet Service Providers (ISPs), telecom operators, ISIRTs, media such as mass media (newspaper, television, etc.), and websites and social media channels.
34
The individual who is notified of the source of the incident through either manual or automated means is responsible for initiating the process of detection and reporting of incidents. The individual may be any member or stakeholder of the organisation who could be in either a contract or a permanent position (Varga et al., 2021). During the reporting process, the individual must follow the established organisational reporting policies, use the standard reporting forms and report in the incident event to get the attention of the respective officers such as the ISIRT, management or executives. Accordingly, it is important for all employees to be aware of the existence of such established manuals and guidelines to report the information security incident vulnerabilities (Tøndel et al., 2014). The awareness includes the detailed format of the incident reporting schemes, the person who is reporting it and other associated elements of the incident. In some instances, conventional reporting mechanisms such as fixed telephone, mobile telephone and cordless phone may not be safe. Further safeguarding should be applied when communicating confidential or secret incident information. While the detection and reporting of information security incidents will be more wide-ranging if all users are involved, it is also important to maintain confidentiality by adhering to access control privileges.
2.6.3. Assessment and Decision
The third phase of ISIM is the assessment and decision phase that deals with occurrences of incident events and their assessment and the decisions taken (ISO/IEC, 2016). The process deals with how incidents are encountered, analysed, business restoration, collection of forensic evidence if necessary and decision-making (ISO/IEC, 2005). Each information security incident is assessed to determine its severity and its impact so that it enables decision makers to determine incident classification, to distribute responsibility and take appropriate follow-up action (Line et al., 2014). Shortcomings in the practice of incident responses contribute to limited strategic concern for security protection in organisations (Ahmad et al., 2012). The assessment and decision of information security incidents is not a trivial process and requires the expertise of the ISIRT (Tøndel et al., 2014).
35 2.6.4. Response to Incidents
The fourth crucial phase of ISIM is to respond to incident vulnerabilities according to the decisions taken in the previous phase (Ani & Agbanusi, 2014; ISO/IEC, 2016). The decisions undertaken could involve conducting full scale forensic investigations, collecting further incident information, responding to information security vulnerabilities and communicating incidents (ISO/IEC, 2005). Furthermore, decisions for incidents could be right or wrong in which wrong decisions could exacerbate the occurrence of incidents (Line et al., 2016). Since the process of information security incident response is at an emerging stage, Humphreys (2008) also supports the proposal that organisations are required to introduce an integrated and coordinated approach for the management of incidents to enhance compliance towards better management of encountered incidents. This phase involves containing, investigating, and resolving incidents. Information security incident response remains challenging for organisations. The lack of established checklists and proactive response reporting to users requires further empirical studies (Tøndel et al., 2014). Depending on the decisions, the response could be done in real time, or it could be delayed, or it could involve further forensic analysis. The response phase outlines the actions to be taken to restore or prevent further consequences of escalation (Line, 2015).
2.6.5. Lessons Learnt
The fifth phase of ISIM is to learn from previous incidents – the analysis, response and the decisions undertaken (ISO/IEC, 2005). The “Lessons Learnt” phase involves making real changes to improve the process instead of focussing solely on the positive achievements (ISO/IEC, 2005). Some of the processes that organisations should consider in this phase include – undertaking further forensic analysis, documentation of “lessons learnt”, and improving ISIM processes, risk assessment and policy schemes (ISO/IEC, 2016; Tøndel et al., 2014). Although there is limited research on the link between ISIRT and organisational environments, lesson learning is an important phase of ISIM (Ahmad et al., 2012). Olav Sveen et al. (2007) indicated that the most prioritised incidents are reported to learn and build knowledge to minimise future incidents. In addition, it is a requirement for organisations to report information security incidents according to their severity to concerned users and stakeholders. For instance, it is mandatory to report high-level security incidents to multiple concerned stakeholders outside of
36
the organisations such as ISPs and media to obtain appropriate support (ISO/IEC, 2016). The lack of willingness to share incident information with external parties could be a major impediment to learning lessons from prior incidents (Hove & Tarnes, 2013; Jaatun et al., 2009).
Thus, the lack of documentation and unreported incidents has negatively impacted the shared awareness among users and the “lesson learning” phase from previous incidents.