Thursday 27 May 2010

New awareness module on incident management

We have just released June's security awareness module about managing information security incidents a few days early to give customers the option to run the materials from June 1st, if they wish.

Information security incidents are security incidents affecting the confidentiality, integrity and/or availability of information assets - IT systems, IT services, data and other forms of information. Despite our best endeavors, it is inevitable that information security incidents will occur from time to time even if we have implemented the very best preventive security controls money can buy. Paradoxically, highly secure organizations are arguably in greater need of professional incident management processes than those with weaker security controls, since they have fewer incidents to ‘practice’ on, and those that do occur tend to be both unanticipated and serious.

The new awareness module describes the processes necessary to investigate, resolve and learn from all sorts of information security incidents, using incidents reported in the news to emphasize the variety of incidents and approaches. We share good practices from ITIL and standards such as ISO/IEC 27002 and NIST SP800-61.

The awareness materials emphasize the need to identify and respond to incidents promptly and efficiently in order to contain and resolve them with minimal impact on the organization. Without a suitable management process in place, incidents may take longer to recognize and resolve, so additional, avoidable losses may be incurred. Furthermore, learning the hard lessons from incidents, plus softer lessons from near misses, improves the organization's security controls: this is an important part of the process that is often neglected by those with immature incident management or information security programs.

For ordinary employees, the awareness presentations, procedures, guidelines etc. stress the need to report information security incidents and near misses to the appropriate contact point (typically the IT Help Desk or Service Desk) as soon as practicable, and explain what happens next. We want everyone to be crystal clear about what they are expected to do.

We provide a template business case for managers, explaining the business value of an Incident Management Team and structured Incident Management Process. We'd like management to appreciate the business value of a professional approach to incident management, plus the personal value in terms of reduced stress.

IT professionals are also apprised of the reasons for managing information security incidents more professionally, and given pragmatic hints on what this actually means for them and for the organization.
