Information Security Incident Management
Table of Contents
MISSM @ University of Luxembourg
You may ask - why is effective incident management important?
Why is a good CERT, so important?
Why is it, in fact, essential for any organisation?
The answer is simple: when there is a fire, it must be extinguished. Anyone who has ever been in a fire wants to prevent it next time. It is the same with security incidents. Some time may pass without an incident - but they happen and will happen. Trend reports show that incidents are not becoming fewer. On the contrary - they are becoming more advanced and targeted. Although some targets will be more popular than others, there are no safe hide-outs. For instance, even smaller schools in countries with languages spoken by small populations are being targeted these days. Banks, big networks, government and military entities are ‘popular’ targets. ‘Hacktivism’ has also emerged, where political or idealistic goals are used to justify what others would describe as cybercrime. Isolation does not help. Incidents can occur even if ample security measures are in place to shield an organisation from external threats via the internet. You should know that it has been reported that a substantial percentage of all incidents taking place has an internal source rather than an external one.
You may ask - isn’t incident management purely an IT issue?
Can it be dealt with by capable computer people only?
No, it is not just IT. Incidents threaten the organisation as a whole. The organisation’s primary business process, all its other processes and reputation - they are all in jeopardy when incidents strike. Incident management seeks to prevent such incidents from happening. And when they do happen, to contain and resolve them, and use the lessons learnt for the next time. Therefore incident management serves the primary process and the organisation as a whole. The IT department may implement it, but it directly concerns the management of the organisation.
Thus, incident management is an important tool of overall governance and to have it, in whatever form or shape, is a necessity. This fact is recognised and supported in the ISO 27000 security standards7 and in frameworks such as ITIL and COBIT.
Course material and slides
|Part 1 - Information Security Incident Management||A general overview of how incident management integrates into the CISO’s daily business and highlight the aspects not detailed enough in 27002-based information security policies to achieve an efficient incident management process. Further, the latest (2022) changes in 27001 and 27002 are addressed, especially those relevant to incident management.|
|Part 2 - Incident Resolution Cycle and Luxembourg Ecosystem||Deep dive into the incident resolution process and overview of the Luxembourg cybersecurity ecosystem. Knowing your ecosystem is key when it comes to rapid reaction in case of an incident or crisis.|
References and further reading
|ISO/IEC 27002:2022||ISO/IEC 27002 is a popular, internationally-recognized standard of good practice for information security.ISO/IEC 27002 traces its history back more than 30 years to the precursors of BS 7799. The latest 2022 version provides an interesting mechanism to organise controls better and address information security in a very pragmatic way.|
|ITU-T E.409||The purpose of this Recommendation is to analyse, structure and suggest a method for establishing an incident management organization within a telecommunication organization involved in the provision of international telecommunications, where the flow and structure of an incident are focused. The flow and the handling are useful in determining whether an event is to be classified as an event, an incident, a security incident or a crisis. The flow also covers the critical first decisions that have to be made.|
|ENISA CERT ressources|
|CYBERSECURITY Luxembourg references:||*
OECD Guidelines for the Security of Information Systems and Networks - TOWARDS A CULTURE OF SECURITY
* National Cybersecurity Strategy IV
* Legal Frameworks in Cybersecurity
* Cyber Emergency Response Plan
* National Cybersecurity Portal
* Luxembourg House of Cybersecurity - LHC
* National Cybersecurity Competence Centre - NC3
* Computer Incident Response Centre Luxembourg - CIRCL
* European Cybersecurity Competence Centre - ECCC