In the fields of computer security and information technology, computer security incident management involves the monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events. Computer security incident management is a specialized form of incident management, the primary purpose of which is the development of a well understood and predictable response to damaging events and computer intrusions.[1]
Incident management requires a process and a response team which follows this process. In the United States, This definition of computer security incident management follows the standards and definitions described in the National Incident Management System (NIMS). The incident coordinator manages the response to an emergency security incident. In a Natural Disaster or other event requiring response from Emergency services, the incident coordinator would act as a liaison to the emergency services incident manager.[2]
Incident response plans
An incident response plan (IRP) is a group of policies that dictate an organizations reaction to a cyber attack. Once an security breach has been identified, for example by network intrusion detection system (NIDS) or host-based intrusion detection system (HIDS) (if configured to do so), the plan is initiated.[3] It is important to note that there can be legal implications to a data breach. Knowing local and federal laws is critical.[4] Every plan is unique to the needs of the organization, and it can involve skill sets that are not part of an IT team.[5] For example, a lawyer may be included in the response plan to help navigate legal implications to a data breach.[citation needed]
As mentioned above every plan is unique but most plans will include the following:[6]
Preparation
Good preparation includes the development of an incident response team (IRT).[7] Skills need to be used by this team would be, penetration testing, computer forensics, network security, etc.[8] This team should also keep track of trends in cybersecurity and modern attack strategies.[9] A training program for end users is important as well as most modern attack strategies target users on the network.[6]
Identification
This part of the incident response plan identifies if there was a security event.[10] When an end user reports information or an admin notices irregularities, an investigation is launched. An incident log is a crucial part of this step.[citation needed] All of the members of the team should be updating this log to ensure that information flows as fast as possible.[11] If it has been identified that a security breach has occurred the next step should be activated.[12]
Containment
In this phase, the IRT works to isolate the areas that the breach took place to limit the scope of the security event.[13] During this phase it is important to preserve information forensically so it can be analyzed later in the process.[14] Containment could be as simple as physically containing a server room or as complex as segmenting a network to not allow the spread of a virus.[15]
Eradication
This is where the threat that was identified is removed from the affected systems.[16] This could include deleting malicious files, terminating compromised accounts, or deleting other components.[17][18] Some events do not require this step, however it is important to fully understand the event before moving to this step.[19] This will help to ensure that the threat is completely removed.[15]
Recovery
This stage is where the systems are restored back to original operation.[20] This stage could include the recovery of data, changing user access information, or updating firewall rules or policies to prevent a breach in the future.[21][22] Without executing this step, the system could still be vulnerable to future security threats.[15]
Lessons learned
In this step information that has been gathered during this process is used to make future decisions on security.[23] This step is crucial to the ensure that future events are prevented. Using this information to further train admins is critical to the process.[24] This step can also be used to process information that is distributed from other entities who have experienced a security event.[25]
^"ISO 17799|ISO/IEC 17799:2005(E)". Information technology - Security techniques - Code of practice for information security management. ISO copyright office. 2005-06-15. pp. 90–94.
^"Why Choice Matters So Much and What Can be Done to Preserve It". The Manipulation of Choice. Palgrave Macmillan. 2013. doi:10.1057/9781137313577.0010 (inactive 2024-11-11). ISBN978-1-137-31357-7.{{cite book}}: CS1 maint: DOI inactive as of November 2024 (link)
^Penfold, David (2000), "Selecting, Copying, Moving and Deleting Files and Directories", ECDL Module 2: Using the Computer and Managing Files, London: Springer London, pp. 86–94, doi:10.1007/978-1-4471-0491-9_6 (inactive 3 December 2024), ISBN978-1-85233-443-7{{citation}}: CS1 maint: DOI inactive as of December 2024 (link)
^Gumus, Onur (2018). ASP. NET Core 2 Fundamentals : Build Cross-Platform Apps and Dynamic Web Services with This Server-side Web Application Framework. Packt Publishing Ltd. ISBN978-1-78953-355-2. OCLC1051139482.
^"Where Are Films Restored, Where Do They Come From and Who Restores Them?", Film Restoration, Palgrave Macmillan, 2013, doi:10.1057/9781137328724.0006 (inactive 2024-11-11), ISBN978-1-137-32872-4{{citation}}: CS1 maint: DOI inactive as of November 2024 (link)
^Boeckman, Philip; Greenwald, David J.; Von Bismarck, Nilufer (2013). Twelfth annual institute on securities regulation in Europe : overcoming deal-making challenges in the current markets. Practising Law Institute. ISBN978-1-4024-1932-4. OCLC825824220.