Computer Security Incident Management - Process - Initial Incident Management Process

Initial Incident Management Process

  1. Employee, vendor, customer, partner, device or sensor reports event to Help Desk.
  2. Prior to creating the ticket, the help desk may filter the event as a false positive. Otherwise, the help desk system creates a ticket that captures the event, event source, initial event severity and event priority.
    1. The ticket system creates a unique ID for the event. IT Personnel must use the ticket to capture email, IM and other informal communication.
    2. Subsequent activities like change control, incident management reports and compliance reports must reference the ticket number.
    3. In instances where event information is “Restricted Access,” the ticket must reference the relevant documents in the secure document management system.
  3. The First Level Responder captures additional event data and performs preliminary analysis. The First Responder determines the criticality of the event. At this level, it is either a Normal or an Escalation event.
    1. Normal events do not affect critical production systems or require change controls prior to the implementation of a resolution.
    2. Events that affect critical production systems or require change controls must be escalated.
    3. Organization management may request an immediate escalation without first level review; in that case the second tier creates the ticket.
  4. The event is ready to resolve. The resource enters the resolution and the problem category into the ticket and submits the ticket for closure.
  5. The ticket owner (employee, vendor, customer or partner) receives the resolution. They either confirm that the problem is resolved to their satisfaction or escalate the ticket.
  6. The escalation report is updated to show this event and the ticket is assigned to a second tier resource to investigate and respond to the event.
  7. The Second Tier resource performs additional analysis and re-evaluates the criticality of the ticket. When necessary, the Second Tier resource is responsible for implementing a change control and notifying IT Management of the event.
  8. Emergency Response:
    1. Events may follow the escalation chain until it is determined that an emergency response is necessary.
    2. Top-level organization management may determine that an emergency response is necessary and invoke this process directly.
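The ticket rules in steps 2 through 4 can be enforced in code rather than by convention. The following Python model is an added example, not part of the original page or of any particular help desk product; the `Event` and `Ticket` fields, the `open_ticket`, `first_level_triage` and `close_ticket` functions and the constructed ticket ID sequence are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

_ticket_ids = count(1000)  # constructed unique ID sequence (step 2.1)


@dataclass
class Event:
    source: str                 # employee, vendor, customer, partner, device or sensor
    description: str
    affects_critical_production: bool = False
    requires_change_control: bool = False
    restricted_access: bool = False
    secure_doc_refs: list = field(default_factory=list)  # step 2.3 references


@dataclass
class Ticket:
    ticket_id: int
    event: Event
    tier: int = 1                      # 1 = First Level Responder, 2 = Second Tier
    criticality: Optional[str] = None  # "Normal" or "Escalation"
    resolution: Optional[str] = None
    problem_category: Optional[str] = None
    status: str = "open"


def open_ticket(event: Event, management_escalation: bool = False) -> Ticket:
    """Step 2: create the ticket; a Restricted Access event must cite secure-store documents."""
    if event.restricted_access and not event.secure_doc_refs:
        raise ValueError("restricted-access event must reference secure document management records")
    t = Ticket(next(_ticket_ids), event)
    if management_escalation:  # step 3.3: management bypasses first level review
        t.tier, t.criticality = 2, "Escalation"
    return t


def first_level_triage(t: Ticket) -> Ticket:
    """Step 3: Escalation if critical production systems or change control are involved, else Normal."""
    e = t.event
    if e.affects_critical_production or e.requires_change_control:
        t.criticality, t.tier = "Escalation", 2
    else:
        t.criticality = "Normal"
    return t


def close_ticket(t: Ticket, resolution: str, category: str) -> Ticket:
    """Step 4: resolution and problem category are mandatory before submitting for closure."""
    if t.criticality is None:
        raise ValueError("ticket must be triaged before closure")
    t.resolution, t.problem_category, t.status = resolution, category, "pending-owner"
    return t
```

The `pending-owner` status represents step 5, where the ticket owner either accepts the resolution or escalates.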
