Skip the navigation

Incident management in the age of compliance

The basics of doing what the laws tell you to do

By Anton Chuvakin
May 16, 2007 12:00 PM ET

Computerworld - Security incidents can wreak catastrophic results on organizations. Such incidents may involve hacking, malware outbreaks, economic espionage, intellectual property theft or loss, network access abuse, theft of IT resources, and many more problems.  Recent regulatory mandates directly affect how organizations should deal with such occurrences.

The well-known security maxim "prevention-detection-response" covers three components, all crucially important for an organization’s security posture.  "Prevention" seems favored by many as the primary component with "detection" following close behind.  However, "response" has a unique characteristic lacking in the other two components: It is impossible to avoid.  While it is not uncommon for an organization to have weak prevention and nearly nonexistent detection capabilities, response will always be necessary, since organizations are forced into response mode when they are attacked.

In light of this, being prepared for incidents via an incident response plan is likely to be one of the most cost-effective security measures an organization takes.  Timely and effective incident response is directly responsible for decreasing the incident-induced losses.  It can also help to prevent expensive and hard-to-repair reputation damage, which often occurs following a publicly disclosed security incident.

Incident response is fraught with many possible pitfalls, and organizations are known to commit glaring mistakes while trying to set up and execute their security incident response (IR), as I discussed in an April 2005 Computerworld article on the five mistakes of incident response.  The SANS Institute, which offers research and information security training and certification, has put forth a basic methodology to help give structure to the otherwise chaotic incident response workflow.  The six steps of the SANS methodology are clearly defined, easy to follow, and most important, work in the high-stress post-incident environments for which they were designed. More broadly, Mary K. Pratt has a discussion of basic areas of concern to address when putting a response plan together.

However, some recent government regulations and standards put forth by industry groups have explicitly highlighted the importance of having a repeatable incident response plan to guarantee security of key data; they even mandate specific details on how incident response should be performed.  Thus, some aspects of IR planning and procedures have, as a direct result of these regulations, moved from the "should" category to the "must" category.  Examples of such laws and standards include the Federal Information Security Management Act, the Payment Card Industry Data Security Standard, and Health Insurance Portability and Accountability Act (HIPAA).  Let’s review how these mandates affect incident response.

FISMA

The Federal Information Security Management Act, which was created to strengthen government computer and network security, requires federal agencies to set up incident response capabilities in keeping with the guidelines put forth by the National Institute of Standards and Technology



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!