In the series of articles titled “Incident Response Life Cycle in NIST and ISO standards” I review the incident response life cycle, as defined and described in the NIST and ISO standards related to incident management.
I introduced these standards in the first article in this series.
ISO/IEC 27035 is a multi-part standard. Its first part introduces incident management principles. Its second part, ISO/IEC 27035-2, gives detailed guidelines for incident management preparation and planning. It is formally named “Information technology – Security techniques – Information security incident management – Part 2: Guidelines to plan and prepare for incident response”.
In this article, I continue a short review of ISO/IEC 27035-2, which I started here. In the previous article, I reviewed the standard’s recommendations on standardizing forms and procedures and on trust issues and IRT (Incident Response Team) types. In this article, I will discuss the standard’s guidelines on awareness, training, and incident management plan testing.
User awareness and training
The effectiveness of incident response and management is directly related to the security awareness of users. As ISO/IEC 27035-2 states, incident management involves not only technical means but also people. That’s why an effective security awareness program directly supports incident management.
There’s a difference between awareness and training. Both of them are important and they work in concert. Security awareness is, in short, understanding the importance of security for the organization (and understanding the relationship between this importance and the user’s job: an organization needs to clearly explain to each user of its IT systems that by taking care of these systems’ security, users also take care of themselves). But security awareness will not help if users are not trained in security procedures (even if a user realizes that he has to report a security event/incident, such awareness is of no use if he doesn’t know how to do it). So security awareness gives users the motivation to comply with security procedures, and security training gives them the knowledge of how to comply with them.
The standard lists several related factors that influence the operational efficiency of information security incident management:
- an obligation to notify;
- quality (contents) of notification;
- ease of notification;
- the speed of notification.
As you can see, some of them are related to user awareness and some of them to user training.
Each organization should have a cybersecurity awareness program. Incident-related awareness should be a part of such a program. Every employee should be made aware of the importance of incident reporting and should be trained in the relevant procedures. The standard helps by listing items that should be included in the awareness briefings. It also recommends that incident handling matters be included in the personnel orientation program.
It is recommended not to activate the incident management plan unless all employees are trained on how to participate in it. Otherwise, a false sense of security could be created for the organization’s management (because an incident management plan, no matter how elaborate, will not work without users).
Incident management plan testing
The standard recommends regular testing of the incident management plan. It recommends that attacks, failures or faults be simulated for this purpose. The tests should involve both the Incident Response Team and regular users and also, if possible, external parties involved in the execution of the incident management plan. Detailed scenarios should be created for such tests.
Learning from plan testing and from real incidents
Both incident management plan tests and real incidents should be used to improve the incident management policies and procedures and the organization’s cybersecurity in general. ISO/IEC 27035-2 lists three areas of improvement here:
- cybersecurity risk management;
- cybersecurity procedures and technical solutions;
- incident management.
As for cybersecurity risk management, new vulnerability or threat areas or scenarios can be identified, which directly influences risk analysis results. Such new information should be immediately passed to the team/department responsible for information security management.
As for cybersecurity procedures and technical solutions, the need for new or improved cybersecurity tools or procedures can be identified. These can also include needs related to user training and awareness. The Incident Response Team should not concentrate on technical conclusions only, as improvements in procedures or user training are of the same importance. It is also very important to prioritize these needs and to relate them to the organization’s budget. Sometimes it will not be possible to immediately implement even the high priority changes because of budget constraints.
As for the incident management policy or plan, needs for changes or improvements can be identified. These should be implemented as soon as possible, to avoid the same issues when the next incident happens. The IRT, together with other internal stakeholders, should answer questions on the procedures’ effectiveness: whether they worked as intended, whether they helped in time-effective incident detection and eradication, whether all needed internal communication worked effectively, etc. Any such identified conclusions should be documented and fed back into the incident management process (remember, this is a cyclic approach throughout).
It is also important to understand that learning from single incidents is not enough. The Incident Response Team should also look for patterns in incidents and draw relevant conclusions.
The standard re-iterates the importance of regular vulnerability testing. Although vulnerability testing of relevant system/s affected by an incident should be a part of the incident management plan, it should not be a substitute for regular, planned and systematic vulnerability assessments.
It is worth noting that security automation software can be used to automate vulnerability testing.
In the next article, I will discuss the ISO/IEC 27035-2 guidelines on incident classification and legal/regulatory aspects.