Incidents Happen: The basics of information security (part 1 of 3)
Incidents are a part of working life – but how you deal with them makes all the difference. Explore this with NQA Regional Assessor Michael Harper from an information security perspective, focusing on IT.
This series presents a simplified view of incidents. As every incident and organisation is different, your approach should be risk-based and fit your organisation.
Welcome to ‘Incidents Happen’: a 3-part blog series brought to you by NQA.
While this series focuses on information security, the principles apply to any context. A machine tool not behaving as expected, a release of waste, an accident at work… incidents like these can occur anywhere and at any time.
In Part 1 of the series, we cover:
Definitions and examples of incidents, events and weaknesses.
Effective incident reporting process tips for you to consider.
Once you have read Part 1, we will apply it in practice with a real-life scenario (Part 2).
What is an event?
An event is any observable occurrence that relates to the:
Management of the IT infrastructure; or
Delivery of an IT service.
For example: receiving a phishing email sent to your work email address.
An event is something that doesn’t necessarily impact information security.
What is an incident?
In the world of information security, an incident is:
An interruption to a service; or
A reduction in the quality of a service.
For example: falling for a phishing email sent to your work email address.
An incident is something that almost certainly has an impact.
What is a weakness?
Weaknesses are linked to incidents. They present an opening, or the potential, for an incident to occur.
For example: a poorly defined procedure or a poorly configured system.
In terms of your organisation...
When did you last conduct a penetration test on your IT and physical infrastructure?
Do you regularly review who can access your systems, including social media?
How do team members log onto your systems (e.g. VPN, multi-factor authentication and/or hard-to-guess passwords)?
Do you have visibility of, and do you have control over, what leaves your network (e.g. external hard drive usage, printing paper versions)?
Spend a moment thinking about your organisation. Do any weaknesses come to mind?
Incident management in ISO 27001
Before we go any further, it’s vital to understand something about ISO 27001.
ISO 27001 is the global gold standard for information security management systems.
It doesn’t define incidents, events or weaknesses, but it calls for a procedure to report, assess, respond to and learn from them.
Think of ISO 27001 as the blueprint for helping you deal with incidents and prevent future ones.
The power of incident reporting
It’s crucial to report every incident, event and weakness to keep your organisation safe.
For this to happen, you need a reporting process that:
Applies to everyone in the organisation;
Is publicised as far and wide as possible; and
Is easy to follow and quick to complete.
Top tip #1
Team members may not report incidents if they think they could get in trouble or don’t see making a report worthwhile.
Suggestion: Give team members the option to report anonymously.
Top tip #2
People tend to think of incidents purely as confidentiality breaches. They might not see corrupted files or network outages as incidents – even though they are.
Suggestion: Emphasise the ISO 27001 triad of ‘confidentiality, integrity and availability’.
Top tip #3
Incident reports should be submitted as soon as possible, with enough detail for the initial triage. Make sure no confidential information is included.
Suggestion: Keep the report brief and don't forget the reporter’s contact details.
Final thoughts from NQA
Technology is evolving, with new and more sophisticated information security threats emerging daily.
Get your teams information-security-savvy in both principle and practice. Develop their awareness of how to make a report, and then run an exercise to put their understanding to the test.
The next part in our ‘Incidents Happen’ series introduces a scenario to demonstrate reporting in reality. We also discuss how incidents aren’t always down to innocent error, but can sometimes involve malicious intent.
Take your learning to the next level with a real-life incident scenario in Part 2.