Information Security Incident Management

MISSM @ University of Luxembourg


You may ask - why is effective incident management important?

Why is a good CERT so important?

Why is it, in fact, essential for any organisation?

The answer is simple: when there is a fire, it must be extinguished. Anyone who has ever been in a fire wants to prevent it next time. It is the same with security incidents. Some time may pass without an incident - but they happen and will happen. Trend reports show that incidents are not becoming fewer. On the contrary - they are becoming more advanced and targeted. Although some targets will be more popular than others, there are no safe hide-outs. For instance, even smaller schools in countries with languages spoken by small populations are being targeted these days. Banks, big networks, government and military entities are ‘popular’ targets. ‘Hacktivism’ has also emerged, where political or idealistic goals are used to justify what others would describe as cybercrime. Isolation does not help. Incidents can occur even if ample security measures are in place to shield an organisation from external threats via the internet. You should know that it has been reported that a substantial percentage of all incidents taking place has an internal source rather than an external one.

You may ask - isn’t incident management purely an IT issue?

Can it be dealt with by capable computer people only?

No, it is not just IT. Incidents threaten the organisation as a whole. The organisation’s primary business process, all its other processes and its reputation are all in jeopardy when incidents strike. Incident management seeks to prevent such incidents from happening and, when they do happen, to contain and resolve them and use the lessons learnt for the next time. Therefore incident management serves the primary process and the organisation as a whole. The IT department may implement it, but it directly concerns the management of the organisation.

Thus, incident management is an important tool of overall governance and to have it, in whatever form or shape, is a necessity. This fact is recognised and supported in the ISO 27000 security standards and in frameworks such as ITIL and COBIT.

Course material and slides

  • Part 1 - Information Security Incident Management

    A general overview of how incident management integrates into the CISO’s daily business, highlighting the aspects that 27002-based information security policies do not detail enough to achieve an efficient incident management process.

  • Part 2 - Incident Resolution Cycle and Luxembourg Ecosystem

    Deep dive into the incident resolution process and overview of the Luxembourg cybersecurity ecosystem. Knowing your ecosystem is key when it comes to rapid reaction in case of an incident or crisis.

References and further reading

ISO/IEC 27002 is a popular, internationally-recognized standard of good practice for information security. ISO/IEC 27002 traces its history back more than 30 years to the precursors of BS 7799.

The purpose of this Recommendation is to analyse, structure and suggest a method for establishing an incident management organization within a telecommunication organization involved in the provision of international telecommunications, where the flow and structure of an incident are focused. The flow and the handling are useful in determining whether an event is to be classified as an event, an incident, a security incident or a crisis. The flow also covers the critical first decisions that have to be made.

Computer crime follows in the wake of the heavily increased use of computers in international telecommunications. Over the last years, computer crime has literally exploded, as confirmed by several international and national surveys. In the majority of countries, there are no exact figures on the number of computer break-ins or security incidents, especially those related to international telecommunications.

Most telecommunication organizations or companies do not have any specialized organization for handling Information and Communication Networks (ICN) security incidents (although they may have a general crisis team for handling crises of any type). When an ICN security incident occurs it is handled ad hoc, i.e., the person who detects an ICN security incident takes the responsibility to handle it as best as (s)he can. In some organizations the tendency is to forget and cover up ICN security incidents as they may affect production, availability and revenues.

Often, when an ICN security incident is detected, the person who detects it does not know who to report it to. This may result in the system or network’s administrator deploying a workaround or quick fix just to get rid of the problem. They do not have the delegated authority, time or expertise to correct the system so that the ICN security incident does not recur. These are the main reasons why it is better to have a trained unit or group that can handle security incidents in a prompt and correct manner. Furthermore, many of the issues may be in areas as diverse as media relations, legal, law enforcement, market share, or financial.

When reporting or handling an incident, the use of different taxonomies leads to misunderstanding. This may, in turn, result in an ICN security incident getting neither the proper attention, nor the prompt handling, that is needed in order to stop, contain and prevent the incident from recurring. This may lead to serious consequences for the affected organization (victim).

To be able to succeed in incident handling and incident reporting, it is necessary to have an understanding of how incidents are detected, handled and resolved. By establishing a general structure for incidents (i.e., physical, administrative or organizational, and logical incidents) it is possible to obtain a general picture of the structure and flow of an incident. A uniform terminology is the base for a common understanding of words and terms.

  • ENISA CERT resources

    • How to set up a CERT?

    A step-by-step explanation on how to plan, kick-off and establish your own CERT. We even provide you with an easy to use project plan!

    • How to run a CERT?

    A basic collection of good practice on how to operate a CERT, especially in the crucial first year.

    • Exercises for CERTs

    An easy-to-use collection of exercises for CERTs in various areas.

    • Baseline capabilities of national / governmental CERTs

    Recommendations for a basic set of capabilities of CERTs with responsibilities for CIIP and international cooperation.

    • How CERTs manage security incidents?

    Good practices, practical information and guidelines for the management of network and information security incidents with an emphasis on incident handling.

    • How to improve detection of network security incidents?

    This report lists 30 external sources and 12 categories of internal tools and mechanisms along with the relevant recommendations which can be used to improve the detection of network security incidents.

    • Legal aspects of information exchange between CERTs

    A study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe.

    • Common tools for CERTs

    An overview of tools in use by the European CERT community (TF-CSIRT).

    • Supporting fight against cybercrime

    A study with the aim to improve the capability of CERTs, with a focus on the national/governmental CERTs (n/g CERTs), to address the network and information security (NIS) aspects of cybercrime.