Information security incident management
Objective • Information security events and discovered weaknesses should be communicated in a manner that allows appropriate corrective actions to be taken promptly, and a consistent and effective approach should be applied to the subsequent management and remediation.
Reporting information security events • All employees, contractors and third-party users should be required to note and report any observed or suspected security events through appropriate channels as quickly as possible. This could include:
- establishment of formal event reporting processes and procedures, setting out actions to be taken and points of contact;
- awareness on the part of all employees, contractors and third-party users of the event-reporting processes, including the requirement to report security events and weaknesses;
- awareness of the requirement to report as quickly as possible, with sufficient detail to allow a timely response; and
- suitable feedback processes to ensure that persons who report events are appropriately notified of results.
Reporting information security weaknesses • All employees, contractors and third-party users should be required to note and report any observed or suspected security weaknesses in systems or services through appropriate channels as quickly as possible. This could include:
- easy, accessible channels for reporting, the availability of which is clearly communicated to employees, contractors and third parties;
- reasonable awareness on the part of employees, contractors and third parties of common signs and symptoms of security weaknesses;
- a reporting requirement that extends to malfunctions or other anomalous events that may indicate a security weakness; and
- awareness on the part of employees, contractors and third parties that they should report, but not attempt to test, a suspected security weakness, since this might be interpreted as a potential misuse.
Responsibilities and procedures for security incident response • Management responsibilities and procedures should be clearly established, to ensure a quick, effective and orderly response to information security incidents. This could include:
- processes to ensure routine use of data from the ongoing monitoring of systems to detect events and incidents;
- procedures specifically designed to respond to different types and severities of incident, including appropriate analysis and identification of causes, containment, communication with those actually or potentially affected by the incident, reporting of the incident to appropriate authorities, and planning and implementation of corrective action to prevent recurrence as appropriate;
- collection and use of audit trails and similar evidence as part of the incident management process, and appropriate management of this evidence for use in subsequent legal or disciplinary proceedings; and
- formal processes for recovery and remediation, including appropriate documentation of actions taken.
Investigation of incidents • Where disciplinary or legal action may be part of the follow-up to an information security incident, any investigation should be initiated and conducted in a manner that follows documented procedures and conforms to accepted practices. This could include:
- specifying what persons or classes of person may request an investigation, and on what basis;
- specifying the necessary documentation and approvals to initiate an investigation, and the documentation required as the investigation proceeds;
- specifying what persons or classes of person may participate in an investigation process, including collection of evidence; and
- procedures for securing and maintaining the integrity of all investigatory records.
Collection of evidence • Where an investigation has been initiated as part of possible disciplinary or legal action, evidence should be collected, retained and presented in a manner that follows documented procedures and conforms to accepted practices. This could include procedures for:
- securing and maintaining the integrity of copies of electronic records or other data on computer devices or media that are relevant to the incident;
- securing and maintaining the integrity of copies of paper and other types of records, including "originals" if such exist; and
- observing appropriate procedures to assure "chain of custody" for any evidence collected.
Learning from information security incidents • There should be mechanisms in place to enable the types, volumes and estimated costs of information security incidents to be quantified and monitored. This could include:
- periodic summary reports on incident types, volumes and costs; and
- detailed reports on particular incidents.
SOURCES: ISO-27001/27002:2005 sects. 13.1 – 13.2.