An incident is an event that prevents you to reach your objectives. Its causes are multiple :
- we have neglected to follow ‘our’ rules
- our rules are inadequate
- some rules lack in our set
- our risk management is insufficient.
Whatever we do, something will happen because:
- we cannot foresee everything
- our security solutions will never be totally watertight
- permanently activating some security solutions is not always justified.
Our information hence regularly face events. What should we do? How to react?
I only have one advise: Get prepared!
The Response Chain came with a first part of the answer. Let’s see more completely what we ought to do.
Most often, when the event occurs, we are stressed and our instinctive reaction is not always the best one.
Based on our experience, let’s create a file with the ‘good response’ – why not gather information on what to do precisely? – we can apply when needed. Of course, this should be done for all events!
As long as we feel something is happening we can react. It is obvious.
Our ‘permanent’ solutions should contain indicators, signals or alarms aimed to activate our reaction.
All events are not as important. We should evaluate their weight (= the danger they represent). Hence, our security management determines measurement criteria and scales.
This depends on the value of what is exposed and the violence of the event. If w simplify, we face:
- an event to which we will scarcely react
- an incident to which we should react before it runs beyond control
- a catastrophe when the consequences exceed our repair capabilities.
We can then decide in which timeframe we will respond and the resources we will give.
As in case of fire, sickness, computer virus (these are only a few examples) there are two steps and two needs:
We isolate the incident to prevent it to spread and become uncontrollable – we close doors and windows and nothing goes in or out anymore.
We can also isolate what is subject of the incident – we take the paper basket away, the patient is put in quarantine, etc. – as to void they contaminate who or what is about them.
We fight the incident to make it inoffensive or to stop it – ‘we put up the fire’ while reducing the damage as much as we can.
According to the nature of the incident we will use our own resources – that had been foreseen and maintained (such as the fire extinguishers) – or we will call dedicates teams who have the adequate skills and resources (the fire brigade).
We will need tracks of
- what has been destroyed (e.g. for the insurance) or damaged to repair or replace
- what happened (for the insurance or the investigators) to search and sue the suspect.
You can find plenty of examples in the police TV series (‘CSI’ or others).
As long as the response is not completed, it is worthless – and even impossible in some cases – to repair and resuming normal life..
Repair has two objectives:
It means go back to normal operations after having cleaned everything up and repaired what needs to.
It is what you do when you recover a file from your backups, when you restart a program or bring your car in a garage to be repaired.
Pay attention, this step can require time!
Here, we seek for recovering our losses by calling the insurances or filing a complaint against the suspect.
Learning the lesson
We should always consider the lessons of the incidents:
- our permanent protection was not strong enough => review of risk management
- our detection was not sufficient => fine tune our alarms
- our response was inadequate => review or resources and our reaction – make sure we are better prepared next time
- our damages are irrecoverable => review our backups, our insurances, our log of tracks.
If we do not learn from the events, we should not be surprised that the incidents will come over and over again… and our insurance company (or our friends) will close their doors.
Don’t hesitate to search the Internet to learn more about this topic.
These mong you who want to go further may read the standard ISO/IEC 27035-1. Verify if your national standardization institution has translated the document in you language.
See you soon, safer with your information