Section 01: Reporting Information Security Incidents

Policy 130101 Reporting Information Security Incidents
POLICY STATEMENT
“All suspected Information Security incidents must be reported promptly to the appointed Information Security Officer.”

Policy 130102 Reporting IS Incidents to Outside Authorities
POLICY STATEMENT
“Information Security incidents must be reported to outside authorities whenever this is required to comply with legal requirements or regulations. This may only be done by authorized persons.”

Policy 130103 Reporting Information Security Breaches
POLICY STATEMENT
“Any Information Security breaches must be reported without any delay to the appointed Information Security Officer to speed the identification of any damage caused, any restoration and repair and to facilitate the gathering of any associated evidence.”

Policy 130104 Notifying Information Security Weaknesses
POLICY STATEMENT
“All identified or suspected Information Security weaknesses are to be notified immediately to the Information Security Officer.”

Policy 130105 Witnessing an Information Security Breach
POLICY STATEMENT
“Persons witnessing Information Security incidents or breaches should report them to the Information Security Officer without delay.”

Policy 130106 Being Alert for Fraudulent Activities
POLICY STATEMENT
“Employees are expected to remain vigilant for possible fraudulent activities.”

Section 02: Investigating Information Security Incidents

Policy 130201 Investigating the Cause and Impact of IS Incidents
POLICY STATEMENT
“Information Security incidents must be properly investigated by suitably trained and qualified personnel.”

Policy 130202 Collecting Evidence of an Information Security Breach
POLICY STATEMENT
“Evidence relating to an Information Security breach must be properly collected and forwarded to the Information Security Officer.”

Policy 130203 Recording Information Security Breaches
POLICY STATEMENT
“Evidence relating to a suspected Information Security breach must be formally recorded and processed.”

Policy 130204 Responding to Information Security Incidents
POLICY STATEMENT
“The Information Security Officer must respond rapidly but calmly to all Information Security incidents, liaising and coordinating with colleagues to both gather information and offer advice.”

Section 03: Corrective Activity

Policy 130301 Establishing Remedies to Information Security Breaches
POLICY STATEMENT
“A database of Information Security threats and remedies should be created and maintained. The database should be studied regularly with the anecdotal evidence used to help reduce the risk and frequency of Information Security incidents in the organization.”

Section 04: Other Information Security Incident Issues

Policy 130401 Ensuring the Integrity of IS Incident Investigations
POLICY STATEMENT
“The use of information systems must be monitored regularly with all unexpected events recorded and investigated. Such systems must also be periodically audited with the combined results and history strengthening the integrity of any subsequent investigations.”

Policy 130402 Analyzing IS Incidents Resulting from System Failures
POLICY STATEMENT
“Information Security incidents arising from system failures are to be investigated by competent technicians.”

Policy 130403 Breaching Confidentiality
POLICY STATEMENT
“Breaches of confidentiality must be reported to the Information Security Officer as soon as possible.”

Policy 130404 Establishing Dual Control / Segregation of Duties
POLICY STATEMENT
“During the investigation of Information Security incidents, dual control and the segregation of duties are to be included in procedures to strengthen the integrity of information and data.”

Policy 130405 Using Information Security Incident Check Lists
POLICY STATEMENT
“Staff shall be supported by management in any reasonable request for assistance together with practical tools, such as security incident checklists, etc., in order to respond effectively to an Information Security incident.”

Policy 130406 Detecting Electronic Eavesdropping and Espionage Activities
POLICY STATEMENT
“Where a risk assessment has identified an abnormally high risk from the threat of electronic eavesdropping and / or espionage activities, all employees will be alerted and reminded of the specific threats and the specific safeguards to be employed.”

Policy 130407 Monitoring Confidentiality of Information Security Incidents
POLICY STATEMENT
“Information relating to Information Security incidents may only be released by authorized persons.”