Back to Insights

Incident Response Management Process

Cyber security 05/20/2020 - 12:49 by Ruchika Tyagi

6 Phases of Incident Response Process

What is Incident Response Management

Incident Response Management is an organized strategy for addressing and managing the aftereffects of a security breach or cyber-attack, also known as an incident involving IT, computer incident, or security. The purpose is to control the situation in a way that limits harm and reduces the time and cost of recovery.

The threat of cyberattacks is looming above all organizations. Multiple causes can result in things going wrong – besides a cyberattack, a technical misconfiguration or even a human error can cause a problem. This means every organization should take extra care to protect their IT and operate in such a way that if anything happens, they should be able to deal with it.

An Incident response plan gives you clarity on how to effectively handle a cyber-attack, whether it is malware, ransomware, or a DDoS attack, which are common attacks targeted at businesses or celebrities. An example of a Recent attack is the REvil Ransomware attack on the high profile law firm, used by Lady Gaga, Drake & Madonna. No one is immune, which is why regular assessment of incidents is important. Of course, companies have to make sure that at least one of their backups is offline.

The organization should be constantly checking on what can go wrong and how to deal with it because the response to any incident matters a great deal. That could be the difference between a minor error and a major disaster. That is a reason that fire drills are practiced. 7 Ps – which is a British Army adage for Proper Planning and Preparation Prevents Piss Poor Performance – also explains the importance of Incident Response Management.

Time is The Key

Timely response is the key to detecting any vulnerability. The longer it takes to detect an issue, the more chances for a serious incident. E.g. there may be an unpatched system or anti-malware software in your infrastructure that is not updated, Cyber criminals are waiting to exploit such loopholes.

There may be chances that the organization discovers the breach not in days but in weeks or months – generally brought to notice by the auditor. As per one study, it takes around 175 days to identify a breach – and Ponemon’s Report estimates the global average cost of a data breach to be in the range of $3.92 million.

If the organization wants to stay in control of the situation, then Incident response management is vital. It allows the company to take the necessary actions in time and avoids any disruptions.

Cyber Security Laws & Regulations

1) GDPR (General Data Protection Regulation) –

The GDPR states that all organizations must have technical and organizational measures to ensure a higher level of information security. An incident response plan should be implemented to prevent any damages when it comes to data breaches and to prevent further incidents or breaches from happening again.

Also, when it comes to a personal data breach, the cyber victim must report without further delay and not later than 72 hours after discovering the breach.

2) Networks & Information Systems (NIS) Directive –

Networks and Information Systems (NIS) legislation which has a wide range of network and information security needs across EU member states to augment IT security. This NIS directive focuses on various elements such as Incident Response, but its prime focus is on Breach notification requirements.

As per the GDPR and the NIS Regulations, Incident Response Management is a compulsory requirement. If any organization isn’t following those response measures, then it constitutes brand loss and also leads to heavy fines, i.e. 4% of global turnover or around £17.6 mil.

The Incident Response Management Process

Teceze approach to incident response is based on ISO 27001, the International Standard for Information Security. This is further broken down to ISO 27035 which defines the guidelines for incident management.

1. Identification

Risk Assessment is the first step which is conducted by connecting at a mirror port which gives a status report after having been run in the network for several weeks. Based on the score of the assessment, threats can be taken care of step by step.

2. Reviewing the Latest Version

Checking whether the existing systems like the antivirus are patched, as per the latest versions. Setting periodic updates, and also assessing physical security such as CCTV is very important. Reviewing the existing infrastructure and completing the documentation.

3. Estimating Time Involved in Resolving an Issue

This is an important process that defines priorities based on the score level and how much time will it take to recover after an incident.

This process will also help in understanding, how quickly each incident can be resolved and will help in knowing the recovery time for each activity

4. Testing Scenarios

Organizations must test different scenarios as per the standard checklist. Testing these steps has to be done every quarter, half-yearly, or annually. Doing this periodically will ensure that, the steps remain effective and that they are documented. Testing also enables the team to respond as efficiently as possible.

5. Conducting Training

Technical misconfiguration or Human error are the major reasons for the majority of security incidents.

Training plays an important role in creating awareness among the staff to avoid mistakes.

The Incident Response Management team should receive additional training on their role, related to incident notification, reporting, and scenario testing.

6. Continuous Improvement in the Process

Like other processes, incident response processes should be regularly reviewed to consider emerging threats, where the current process needs to be updated to handle them effectively.

Needless to say, the steps outlined here should be repeated on a half-yearly or annual basis or in case, there is any major change in the organization.

Are You Experiencing a Cyber Security Incident?

We have an experienced and certified team to pick up things quickly and help you respond effectively. No matter what the problem is, we can most probably help you to address the situation by optimizing your existing infrastructure and providing support, wherever required. Thus, based on the above-mentioned steps, we can help you in improving the security posture of your organization.

Incident response is vital to every organization. Teceze is helping its clients to proactively build resilience and help create a good security posture by enhancing their existing capability. This is done by monitoring solutions, training, internal security analysis, and last but not least – support from our incident response team.

Finally, Our SOC is a one-stop shop for managing cybersecurity-related incidents by identifying, investigating, remediating & more importantly reporting. Contact us to learn more about our services!

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

Incident response Management is the methodology an organization uses to respond to and manage a cyberattack or a data breach.