I. Background of Security Incident Management(cont'd)

  1. Incident Reporting

    The incident reporting phase aims to establish an effective and efficient mechanism for detecting and reporting security incidents. The mechanism includes utilising human resources, such as setting up a security incident response team led by an information security officer, and receiving queries and reports from users who become aware of possible security incidents in the University's systems.


  2. Impact Assessment

    An assessment should be carried out for each reported incident to determine its scope and impact on the University. For example, an incident can be assessed as having high, medium or low impact on the University according to the amount of monetary loss, the duration of service interruption or the scale of reputational damage. A brief investigation of the root cause should also be performed to enable effective planning of the incident resolution.

    The purpose of performing an impact assessment is to maximise the efficiency and effectiveness of incident handling while minimising the additional resources invested in dealing with information security incidents.


  3. Incident Escalation and Resolution

    Significant security incidents identified during the impact assessment must be escalated to senior management, either for their information or for their participation in resolving the security problems caused by the incident.

    Incident resolution involves allocating work to security incident response team members and other relevant users or departments, managing the communication between the different parties, and executing the resolution plan.


  4. Incident Monitoring

    Security incidents of different natures call for different timelines, resource needs and resolutions. Therefore, the status of the handling process for each incident should be closely monitored to ensure that a tailor-made resolution is delivered within a reasonable timeline and within resource constraints.


  5. Post Incident Review

    In a mature security incident management process, the security incident response team should exercise due diligence in investigating the root cause of each security incident, and learn from these experiences by implementing the necessary mitigating controls so that similar incidents do not recur in the future.

Reference:
http://www.ogcio.gov.hk/eng/prodev/download/g54_pub.pdf
JUCC Newsletter - Security Incident Management