The organization should have an appropriate security incident management program. Consideration should be given to standards such as ISO/IEC 27035. The organization should create a security incident management program which should include, but not be limited to, the following stages:
- Plan and prepare.
- Detection and reporting.
- Assessment and decision.
- Responses.
- Lessons learnt.
Plan and prepare
The organization should establish formal security incident management policies and procedures. The policies and procedures should include, but not be limited to:
- Formation of a security incident response team whose membership is chosen on the basis of decision-making authority, technical expertise and similar criteria.
- Categorization and classification of security events/incidents based on actual or projected adverse impacts with examples of the risks identified by the risk management process.
- Guidance and/or a decision tree or flow chart, including time scales, for determining the level of escalation required, and the functions and/or names of the people to whom escalation should be made.
- A standard information security event/incident database structure/system in order to be able to record, analyze and report on events/incidents.
- Procedures which test the security organization’s alertness and response. Procedures should include both announced and unannounced tests.
- Procedures which ensure that security events/incidents are properly recorded.
- Procedures for regularly analyzing security events/incidents as per the problem management process and for proposing changes that feed improvement plans via the change management process.
- Procedures to ensure that all contact information is regularly reviewed and updated where needed.
Detection and reporting