II Management

Security Incident Response, Reporting and Escalation

Management should design an effective and efficient mechanism for detecting security incidents, drawing on human resources (e.g. information security professionals, trained users and universities' IT security staff) as well as technical controls (e.g. intrusion detection systems and data leakage prevention tools). In particular, the following areas should be addressed:

  • A designated person or team (e.g. the IT Service Desk) acting as the single point of contact for all reported security incidents;

  • Detailed procedures for identifying and reporting failures, weaknesses and suspicious activities that may indicate a security incident;

  • A regular mechanism for recognising and detecting flaws or vulnerabilities in universities' security measures, including IT internal controls, operational procedures and security tools; and

  • Defined criteria for escalating security incidents to the appropriate level of management.

Online, real-time incident reporting and logging systems are highly recommended because they allow incident response and investigation to start immediately. Manual incident logs should be kept as a fallback for use when the reporting and logging systems are themselves out of service during a total system failure. Management should also consider building automated security incident detection into new information systems as they are developed or implemented.

Impact Assessment

To handle incidents efficiently and to limit the additional resources universities must commit to them, an assessment should be carried out for each incident to determine its scope and its effect on the university. Key factors to consider in the impact assessment include:

  • Whether the incident affects a single information system or multiple systems;

  • Whether the university may suffer reputational damage, financial loss, service interruption or litigation; and

  • Whether any inconvenience, distress or loss has been caused to the parties concerned.

Management should establish clear instructions for assigning a severity level to each security incident based on the results of the impact assessment. The severity level determines how the university handles the incident next, so it must be set consistently.

Security Incident Monitoring

Depending on their nature, security incidents may take minutes, hours, days or even weeks to resolve. The status and handling stage of each incident should therefore be closely monitored by the university and tracked throughout the whole process until the incident is closed.

Management should mobilise appropriate resources to remove any delay noticed in handling a security incident and to prevent the incident's impact level from escalating while it remains open.

Reference:
https://wiki.internet2.edu/confluence/display/itsg2/Information+Security+Incident+Management+(ISO+13)#InformationSecurityIncidentManagement%28ISO13%29-Overview
http://www.ogcio.gov.hk/eng/prodev/download/g54_pub.pdf