This chapter covers incident management and disaster recovery concepts from the perspective of the physical and operational security domains. Incident management controls, the business continuity planning process, and disaster recovery planning are covered with relevant examples and illustrations:
Observe the preceding diagram. Incidents may disrupt business processes and activities. In turn, an incident that is left unattended may escalate into a disaster. A suitable business continuity planning process, backed by disaster recovery planning, ensures continuity of business operations.
In this chapter, we will cover the following topics:
An incident is an event that may violate information security, that is, breach the confidentiality, integrity, or availability requirements of information assets. Incidents happen primarily because of weaknesses in systems and in operational processes and procedures.
When a systematic, procedural way of managing incidents is established in an organization, it is called incident management.
Incident management consists of incident reporting and the response to such reports.
Incident reporting is the mechanism by which employees, contractors, and third-party users report suspected weaknesses and incidents to management.
The following are some of the examples of incidents:
The objective of information security incident management is to handle incidents effectively, mitigating risk through timely action.
The goals of incident management are as follows:
Incident management involves actions that are predominantly corrective in nature; fire fighting, for example, is a corrective exercise. However, certain preventive actions are taken to control the onset of an incident. The following are some of the security controls, systems, and actions that help in managing incidents.
As the name implies, Intrusion Detection Systems (IDS) are detective controls that detect unauthorized intrusions into premises such as data centers, or into computer networks. Being detective rather than preventive, an IDS raises an alert but does not by itself stop the intrusion; the alert must be fed into the incident response process.
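The following is an added example, not code from the original chapter, showing what the detection logic of a minimal host-based IDS rule looks like: it reads constructed SSH authentication log lines and raises one alert per source address that reaches a threshold of failed logins inside a sliding time window. The log format, the threshold of five failures, and the 60-second window are assumptions made for illustration.

```python
"""Added example (not from the page): a minimal host-based intrusion-detection
rule applied to constructed SSH authentication log lines.  It flags a source
address that produces N or more failed logins inside a time window, which is
the kind of detective control the text describes.  Log format, threshold and
window are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an OpenSSH-like syslog format (not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:04 sshd[2101]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
2024-03-01T10:00:05 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:07 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:09 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T10:00:40 sshd[2101]: Failed password for bob from 198.51.100.5 port 40001 ssh2
2024-03-01T10:05:00 sshd[2101]: Failed password for bob from 198.51.100.5 port 40002 ssh2
"""

# Matches only failed-password lines; successes and unrelated lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(ip, alert_time_iso, attempts)] for each source address that
    reaches `threshold` failed logins within any `window_seconds` window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)       # one alert per source, not one per log line
            alerts.append((ip, ts.isoformat(), len(q)))
    return alerts


if __name__ == "__main__":
    for ip, when, n in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when}: {n} failed logins from {ip} within 60s")
```

Run against the constructed sample, the rule alerts once on 203.0.113.7 (five failures in eight seconds) and stays silent on 198.51.100.5, whose two failures are minutes apart; the sliding window is what keeps a slow trickle of ordinary typos from triggering the alert, and a real deployment tunes both threshold and window to the environment.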
In physical, operational, and network security, vulnerability assessments and penetration tests are conducted periodically to identify weaknesses in access control mechanisms and to test whether unauthorized intrusion is actually possible.
Computer applications contain vulnerabilities, that is, errors in their code. These applications are generally shipped as executable files by different software vendors. Vulnerabilities identified after the final release of an application are fixed periodically by the vendor, who releases corrected code in the form of patches. Patch management refers to applying patches to existing applications, or patching computers, in a systematic way. Applying a patch to a test system before applying it to production systems, and maintaining a rollback mechanism in case the applied patch breaks existing applications, are considered patch management controls. Patch management has to be validated as part of the compliance-monitoring activity.
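As an added example (not part of the original chapter), the following script shows the validation step the paragraph refers to: a constructed host inventory is checked against the minimum version in which each package is assumed to carry the relevant fix, and every host still below that version is reported. Package names, version numbers, and hostnames are invented for illustration. It also shows why a naive string comparison of version numbers is wrong, a mistake that quietly produces false "patched" or "unpatched" results in real compliance reports.

```python
"""Added example (not from the page): a patch-compliance check of the kind the
text says must be validated as part of compliance monitoring.  It compares a
constructed host inventory against the minimum fixed version of each package
and reports hosts still missing a patch.  All names and versions are made up."""
import re

# Constructed: minimum version in which the vendor is assumed to have shipped the fix.
REQUIRED_MIN = {
    "openssl": "3.0.13",
    "sshd": "9.6p1",
    "httpd": "2.4.58",
}

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "3.0.13", "sshd": "9.6p1", "httpd": "2.4.58"},
    "web-02": {"openssl": "3.0.9", "sshd": "9.6p1", "httpd": "2.4.58"},
    "db-01": {"openssl": "3.0.13", "sshd": "9.10p1", "httpd": "2.4.4"},
}


def version_key(v):
    """Split a version string into comparable parts: digit runs become ints,
    letter runs stay strings, so '9.10p1' > '9.6p1' and '2.4.58' > '2.4.4'.
    Plain string comparison gets both of those wrong.  This is a simplified
    scheme, not a full implementation of any packaging system's rules."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_patched(installed, required):
    """True when the installed version is at or above the required fix level."""
    return version_key(installed) >= version_key(required)


def compliance_report(inventory, required_min):
    """Return {host: [(package, installed, required), ...]} for every host
    with at least one package below its required version.  A package that is
    not installed at all is skipped: there is nothing to patch."""
    findings = {}
    for host, packages in inventory.items():
        gaps = []
        for pkg, required in required_min.items():
            installed = packages.get(pkg)
            if installed is not None and not is_patched(installed, required):
                gaps.append((pkg, installed, required))
        if gaps:
            findings[host] = gaps
    return findings


if __name__ == "__main__":
    for host, gaps in compliance_report(INVENTORY, REQUIRED_MIN).items():
        for pkg, installed, required in gaps:
            print(f"{host}: {pkg} {installed} is below required {required}")
```

On the constructed inventory, web-02 is flagged for openssl and db-01 for httpd; db-01's sshd 9.10p1 is correctly accepted even though, compared as a string, "9.10p1" sorts below "9.6p1". A real report would be produced from the configuration management database or package manager output rather than a hard-coded dictionary, but the comparison logic is the part that is most often wrong.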
Improper configuration of IT systems may lead to system compromise, affecting the confidentiality and integrity of those systems, and configuration errors also affect availability. Configuration management refers to maintaining the correct configuration of systems and to documenting and managing changes made to them.
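The following added example (not from the original chapter) shows the two halves of configuration management together: a constructed running configuration in an sshd_config-like "Key value" format is compared with a documented baseline, and each deviation is classified as an approved change only when a change record covers exactly that key and value; anything else is reported as unapproved drift. The file contents, baseline values, and change record identifiers are invented for illustration.

```python
"""Added example (not from the page): configuration drift detection.  A
constructed sshd_config-style file is parsed and compared with a documented
baseline; every deviation is reported, and a deviation counts as an approved
change only if a change record covers exactly that key and value.  File
contents, baseline and change records are made up for illustration."""

# Constructed baseline: the documented, approved configuration.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "X11Forwarding": "no",
}

# Constructed approved change records, as a change-management process would hold them.
APPROVED_CHANGES = [
    {"id": "CHG-1042", "key": "MaxAuthTries", "value": "4"},
]

# Constructed running configuration (sshd_config-like; comments and blank lines included).
RUNNING_CONFIG = """\
# managed by ops
Port 22
PermitRootLogin yes
PasswordAuthentication no

MaxAuthTries 4
X11Forwarding no
"""


def parse_config(text):
    """Parse 'Key value' lines into a dict keyed by lower-cased option name.
    '#' comments and blank lines are ignored.  Only the space-separated form
    is handled here; the 'Key=value' form sshd also accepts is not."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def detect_drift(running_text, baseline, approved):
    """Return [(key, expected, actual, status)] for each baseline key whose
    running value differs.  status is 'approved:<id>' when a change record
    matches the new value, otherwise 'unapproved'.  A key absent from the
    running file is reported as '<unset>' (the daemon default would apply)."""
    running = parse_config(running_text)
    approved_by_key = {(c["key"].lower(), c["value"]): c["id"] for c in approved}
    drift = []
    for key, expected in baseline.items():
        actual = running.get(key.lower(), "<unset>")
        if actual == expected:
            continue
        change_id = approved_by_key.get((key.lower(), actual))
        status = f"approved:{change_id}" if change_id else "unapproved"
        drift.append((key, expected, actual, status))
    return drift


if __name__ == "__main__":
    for key, expected, actual, status in detect_drift(RUNNING_CONFIG, BASELINE, APPROVED_CHANGES):
        print(f"{key}: baseline={expected} running={actual} [{status}]")
```

On the constructed input, MaxAuthTries 4 is reported as drift covered by CHG-1042, while PermitRootLogin yes has no record behind it and is reported as unapproved; that second finding is the one that should open an incident, since it is exactly the kind of configuration error the paragraph describes as leading to compromise.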