Tuesday, July 24, 2007

10. Information security incident management (ISO)

Reporting information security events and weaknesses

This category aims to ensure that information security events and weaknesses associated with the organization's information and information system assets are communicated in a manner that allows appropriate corrective actions to be taken.

Reporting information security events • Information security events should be reported through appropriate management channels as quickly as possible. Control includes:

  • establishment of formal event reporting process(es) and procedure(s), setting out actions to be taken and points of contact;
  • awareness on the part of all employees, contractors and third-party users of the event-reporting process(es), including the requirement to report security events and weaknesses;
  • awareness of the requirement to report as quickly as possible, with sufficient detail to allow a timely response;
  • awareness of the prohibition on adverse action for reports made in good faith; and
  • suitable feedback processes to ensure that those reporting events are appropriately notified of results.

Authorities: ISO-27002:2005 13.1.1.; HIPAA 164.308(a)(6)

Reporting security weaknesses • All employees, contractors and third-party users should be required to note and report any observed or suspected security weaknesses in systems or services as soon as possible. Control includes:

  • easy, accessible channels for reporting, the availability of which is clearly communicated to employees, contractors and third parties;
  • reasonable awareness on the part of employees, contractors and third parties of common signs and symptoms of security events;
  • a reporting requirement that extends to malfunctions or other anomalous events that might indicate a security weakness;
  • awareness on the part of employees, contractors and third parties that they should report, but not attempt to test, a suspected security vulnerability unless they have appropriate technical skills and an immediate response is required, since this might be interpreted as a potential misuse.

Authorities: ISO-27002:2005 13.1.2.; HIPAA 164.308(a)(6)

Management of information security incidents and improvements

This category aims to ensure a consistent and effective approach is applied to the management of information security events and incidents.

Responsibilities and procedures • Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to information security incidents. Control includes:

  • processes to ensure routine use of data from the ongoing monitoring of systems to detect events and incidents;
  • procedures specifically designed to respond to different types and severities of incident, including appropriate analysis and identification of causes, containment, communication with those actually or potentially affected by the incident, reporting of the incident to appropriate authorities, and planning and implementation of corrective action to prevent recurrence, as appropriate;
  • collection and use of audit trails and similar evidence as part of the incident management and investigation process, and appropriate management of this evidence for use in subsequent legal or disciplinary proceedings;
  • formal controls for recovery and remediation, including appropriate documentation of actions taken.

Authorities: ISO-27002:2005 13.2.1.; HIPAA 164.308(a)(6)

Learning from information security incidents • There should be mechanisms in place to enable the types, volumes and costs of information security incidents to be quantified and monitored. Control includes:

  • routine sharing of data on information security incidents among the parties responsible for receiving reports and managing investigations;
  • periodic reports summarizing the data derived from this sharing.

Authorities: ISO-27002:2005 13.2.2.; HIPAA 164.308(a)(1)(ii)(D); HIPAA 164.308(a)(6)

Investigation of incidents • Where disciplinary or legal action may be part of the follow-up to an information security incident, any investigation should be initiated in a manner that follows documented procedures and conforms to accepted practices. Control includes:

  • specifying what persons or classes of person may request an investigation, and on what basis;
  • specifying what persons or classes of person may initiate an investigation process, including collection of evidence;
  • specifying the necessary documentation to initiate an investigation, and the documentation required as the investigation proceeds;
  • procedures for securing and maintaining the integrity of investigatory records; and
  • observing appropriate procedures to assure "chain of custody" for any information collected.

Authorities: ISO-27002:2005 13.2.3. (adapted); HIPAA 164.308(a)(6)

Collection of evidence • Where an investigation has been initiated as part of possible disciplinary or legal action, evidence should be collected, retained and presented in a manner that follows documented procedures and conforms to accepted practices. Control includes:

  • specifying who may initiate an investigation, and on what basis;
  • specifying the necessary documentation to initiate an investigation, and the documentation required as the investigation proceeds;
  • securing and maintaining the integrity of copies of paper records, including "originals" if such exist;
  • securing and maintaining the integrity of copies of electronic records or other data on computer media relevant to the incident; and
  • observing appropriate procedures to assure "chain of custody" for any information collected.

Authorities: ISO-27002:2005 13.2.3.; HIPAA 164.308(a)(6)
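The two controls above call for "securing and maintaining the integrity of copies of electronic records" and for a "chain of custody" over collected information. As an added illustration (example code written for this page, not from ISO 27002 or the cited source), the block below keeps a SHA-256 manifest of an acquired evidence copy and a hash-chained custody log, so that a modified item, a missing item or an edited log entry is detected at verification time; item names, handlers, timestamps and contents are constructed for the demo.

```python
"""Evidence-integrity manifest plus hash-chained chain-of-custody log.
Added example; all names, handlers and file contents are constructed."""
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(evidence: dict) -> dict:
    """Record the digest of each collected item (name -> bytes) at acquisition time."""
    return {name: sha256_hex(content) for name, content in sorted(evidence.items())}

def verify_manifest(evidence: dict, manifest: dict) -> list:
    """Compare a copy against the acquisition manifest; an empty list means intact."""
    problems = []
    for name, digest in manifest.items():
        if name not in evidence:
            problems.append(f"missing: {name}")
        elif sha256_hex(evidence[name]) != digest:
            problems.append(f"altered: {name}")
    problems.extend(f"unexpected: {n}" for n in evidence if n not in manifest)
    return problems

def custody_entry(log: list, action: str, handler: str, manifest: dict, when: str = None) -> dict:
    """Append a custody record chained to the previous entry's hash, so that
    editing, deleting or reordering earlier entries breaks the chain."""
    when = when or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"when": when, "action": action, "handler": handler, "prev_hash": prev,
            "manifest_hash": sha256_hex(json.dumps(manifest, sort_keys=True).encode())}
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body

def verify_log(log: list) -> bool:
    """Recompute every entry hash and check each link back to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

if __name__ == "__main__":
    copy = {"mail.log": b"constructed log lines", "disk.img": b"constructed image bytes"}
    manifest = build_manifest(copy)
    log = []
    custody_entry(log, "acquired", "analyst-a", manifest, "2007-07-24T10:00:00+00:00")
    custody_entry(log, "transferred", "analyst-b", manifest, "2007-07-24T11:00:00+00:00")
    print("copy intact:", verify_manifest(copy, manifest) == [], "log intact:", verify_log(log))
```

In practice the manifest and log would be stored separately from the evidence copy (for example, signed and held by the person who initiated the investigation), since a custody log kept beside the items it describes can be altered together with them.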

Article by: http://privacy.med.miami.edu
