SECURITY INCIDENT MANAGEMENT POLICY

Read this article for a simple introduction to cybersecurity policies.

Cyber security policies are guidelines defined by management to set out acceptable conduct and to ensure the confidentiality, integrity and availability of information systems and assets. One of the most important cybersecurity policies, which every organisation must define and document, is the Incident Management Policy. Considering that every organisation will face cyber incidents, not owning an incident management policy could easily be synonymous with dining with the devil.

NIST defines a security incident as an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

The Incident Management Policy, as the name implies, is there to help organisations deal with security incidents. It is the policy established by management to provide guidelines on how the organisation will handle cybersecurity incidents. This policy does not, however, apply to the security team alone, as incident management is the business of all employees of an organisation. For example, since incident management is a multi-step process that runs from incident detection to incident closure (depending on the organisation), a non-IT staff member may be involved in the detection, escalation and closure stages of the incident management process.

Coming up with Incident Management Guidelines

To define adequate incident management policies, an organisation must consider the key phases of incident management while drafting guidelines. These phases (as defined by NIST) are:

Preparation Phase: To have a successful incident management program, the organisation must be adequately prepared. This phase largely involves tasks such as identifying critical assets, performing risk assessments and business impact analysis, and training security teams and general staff, and it should leave the organisation's security team ready to respond to security incidents.

Incident Detection and Analysis Phase: Organisations must determine how they intend to detect security incidents and the analysis method that would allow a good understanding of the conditions surrounding the incident. This analysis would help in determining incident severity and in assigning priority to identified incidents.

Incident Containment, Eradication and Recovery Phase: This phase centres on how to isolate systems affected by the incident so that they do not infect other systems, how the cause of the incident will be removed from the affected systems, and how affected systems can be returned to normal operation. How quickly an organisation navigates this phase is directly linked to its cybersecurity operational resilience.

Post-Incident Activities: Organisations must document all details of an incident, perform thorough root cause analysis to understand why the incident occurred, and improve their processes to prevent recurrence.

Sample Incident Management Policy Guidelines

The following are sample incident management policies that can be found in modern organisations (organisations would typically modify policy statements to suit their reality):

  • "All security-related events shall be logged and retained for a minimum of one year. Relevant logs shall be forwarded to the SIEM in the security operations centre."
  • "Incident management shall be the responsibility of every member of the organisation."
  • "All employees and third parties shall undergo awareness training to ensure that they are aware of their incident management responsibilities."
  • "A Security Incident Response Team (SIRT) shall be constituted to champion all enterprise incident management activities. The responsibilities of this SIRT shall be clearly defined in the incident management procedures document."
  • "All incidents shall be classified based on their criticality, and incident response activities shall be triaged to ensure that the most critical incidents are closed first."

Organisations are advised to continuously review and update their incident management policies to reflect their current threat landscape and to ensure that they are not applying old fixes to modern problems.

By Okereke, Onyekachi Fortune.