
[MUSIC]

One of the main goals of security management is to prevent security threats

from affecting the organization.

Unfortunately, regardless of our efforts, security incidents will happen eventually.

These incidents can affect the confidentiality, integrity, and

availability of assets.

If we prepare for these incidents before they happen,

we will be best prepared to act when the moment arrives.

Implementing solutions just after the incident will be costlier and

probably ineffective.

Surprisingly or not,

preparing incident response plans is also part of the security management process.

In fact, incident management is defined within the ISO/IEC 27000 series,

and specifically the 27002 standard.

There are five phases in the management of a security incident.

Reporting, investigation, assessment, corrections, and review.

Reporting consists of capturing all the possible information about

the security event.

This includes the first time the event was noticed.

The identity of the first responder.

The location or asset that was affected by the event.

A description of the event.

The impact of the event.

And of course, all the actions taken after it.

During investigation, responders analyze the assets affected by the event.

The analysis of these assets may require the use of forensic procedures.

Incidents that involve law enforcement will require proper handling of

the evidence, of course.

The assessment phase reviews the information gathered about the event and
decides if the event should be classified as a security incident.

Security incidents are security events that have

a relevant impact on the security properties of the organization's assets.

When a security event is raised to a security incident,

the set of planned responses is triggered.

All the decisions made during the incident assessment should be logged

in the incident report.

The corrections phase involves the implementation of

any corrective actions necessary to respond to the incident.

Enabling backup servers is an example of a corrective action.

Corrective actions should also be logged in the incident report.

During the last phase of the incident management, the corrective

controls applied to mitigate the security incident are reviewed.

Additionally, this phase reviews all the other processes that were affected

by the assets involved in the event.

For instance, a risk management process may need to be updated after

a security incident to reflect the new controls imposed and

the new likelihood of such events happening again.

In some cases, security events may put at risk

the immediate continuity of the business processes.

In these cases, the corrections phase is prioritized over the other phases.

Some organizations may develop a specific plan for these extreme scenarios.

These are called business continuity plans.

Whether we like it or not,

security incidents will happen within our organization.

Preparing for such incidents is a key factor in successfully responding and

recovering from them.

Some security incidents can put at risk the continuity of a business.

To prepare for such events, the information security team should

develop a business continuity plan that outlines the main measures to

implement to continue operations after a major incident or disaster happens.

[MUSIC]
