Responding to incidents


An incident is an event that prevents you from reaching your objectives. Its causes are multiple:

  • we have neglected to follow ‘our’ rules
  • our rules are inadequate
  • some rules are missing from our set
  • our risk management is insufficient.

Whatever we do, something will happen because:

  • we cannot foresee everything
  • our security solutions will never be totally watertight
  • permanently activating some security solutions is not always justified.

Our information hence regularly faces events. What should we do? How should we react?

I have only one piece of advice: get prepared!

The Response Chain gave a first part of the answer. Let’s look more completely at what we ought to do.

Process

Preparation

Most often, when the event occurs, we are stressed and our instinctive reaction is not always the best one.

Based on our experience, let’s create a file with the ‘good response’ – why not gather precise information on what to do? – that we can apply when needed. Of course, this should be done for all events!

Detection

We can only react once we notice that something is happening. That much is obvious.

Our ‘permanent’ solutions should therefore contain indicators, signals or alarms intended to trigger our reaction.

Evaluation

Not all events are equally important. We should evaluate their weight (= the danger they represent). Hence, our security management determines measurement criteria and scales.

This weight depends on the value of what is exposed and the violence of the event. If we simplify, we face:

  • an event to which we will scarcely react
  • an incident to which we should react before it runs out of control
  • a catastrophe when the consequences exceed our repair capabilities.

We can then decide in which timeframe we will respond and which resources we will commit.


Response

As in the case of a fire, a sickness or a computer virus (to give only a few examples), there are two steps and two needs:

Containment

We isolate the incident to prevent it from spreading and becoming uncontrollable – we close doors and windows and nothing goes in or out anymore.

We can also isolate what is subject to the incident – we take the paper basket away, the patient is put in quarantine, etc. – so that it does not contaminate whoever or whatever is around it.

Fighting

We fight the incident to make it harmless or to stop it – ‘we put out the fire’ – while reducing the damage as much as we can.

The resources

According to the nature of the incident, we will use our own resources – which have been foreseen and maintained (such as the fire extinguishers) – or we will call dedicated teams who have the adequate skills and resources (the fire brigade).

The traces

We will need traces of:

  • what has been destroyed (e.g. for the insurance) or damaged, in order to repair or replace it
  • what happened (for the insurance or the investigators), in order to find and sue the suspect.

You can find plenty of examples in police TV series (‘CSI’ or others).
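As an added illustration of the Evaluation and Traces steps above (example code written for this page, not part of the original post), the following Python combines a simple weight scale with a tamper-evident log of traces. The 1–5 scoring of value and violence, the thresholds between event, incident and catastrophe, and the response commitments per tier are all assumptions chosen for the example; a real security management would fix them in its own criteria and scales. The sample incident at the end is constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

EVENT, INCIDENT, CATASTROPHE = "event", "incident", "catastrophe"

# Assumed response commitments per tier: (timeframe, resources). In practice
# these belong in the 'good response' file prepared before anything happens.
RESPONSE_PLAN = {
    EVENT: ("next working day", "asset owner"),
    INCIDENT: ("within one hour", "internal response team"),
    CATASTROPHE: ("immediately", "internal team plus external specialists"),
}


def weight(value: int, violence: int) -> int:
    """Weight of an event = value of what is exposed x violence of the event.
    Both are assumed to be scored on a 1..5 scale (assumption for this example)."""
    for name, score in (("value", value), ("violence", violence)):
        if not 1 <= score <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {score}")
    return value * violence


def classify(value: int, violence: int, repair_capacity: int = 15) -> str:
    """Map a weight to the three tiers of the post. `repair_capacity` is the
    assumed largest weight we can still repair ourselves; above it the
    consequences exceed our repair capabilities, i.e. a catastrophe."""
    w = weight(value, violence)
    if w > repair_capacity:
        return CATASTROPHE
    if w >= 6:  # assumed threshold above which we must react before it spreads
        return INCIDENT
    return EVENT


def plan(value: int, violence: int) -> dict:
    """Decide the timeframe and the resources for a given event."""
    tier = classify(value, violence)
    timeframe, resources = RESPONSE_PLAN[tier]
    return {"weight": weight(value, violence), "tier": tier,
            "timeframe": timeframe, "resources": resources}


@dataclass
class TraceLog:
    """Append-only record of what happened and what was damaged or destroyed.
    Each entry carries a SHA-256 digest chained to the previous entry, so an
    insurer or investigator can check that nothing was altered afterwards."""
    entries: list = field(default_factory=list)

    def record(self, when: str, what_happened: str,
               damaged: list, destroyed: list) -> str:
        previous = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"when": when, "what_happened": what_happened,
                 "damaged": sorted(damaged), "destroyed": sorted(destroyed),
                 "previous": previous}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """True if every entry still matches its digest and the chain is unbroken."""
        previous = "0" * 64
        for entry in self.entries:
            if entry["previous"] != previous or entry["digest"] != self._digest(entry):
                return False
            previous = entry["digest"]
        return True


def demo() -> dict:
    """Constructed sample: a workstation hit by a virus (value 4, violence 3)."""
    response = plan(value=4, violence=3)  # weight 12 -> incident tier
    log = TraceLog()
    log.record("2024-01-15T09:12:00Z",
               "antivirus alarm on WS-07, host isolated from the network",
               damaged=["WS-07"], destroyed=[])
    log.record("2024-01-15T10:40:00Z",
               "disk image taken, three files found encrypted",
               damaged=["WS-07"], destroyed=["report.docx", "budget.xlsx", "notes.txt"])
    return {"plan": response, "entries": len(log.entries), "intact": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest chain is what makes the traces usable later: editing or deleting any entry makes `verify()` fail, which is the property an insurer or investigator needs from the log.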

Repair

As long as the response is not completed, it is worthless – and even impossible in some cases – to repair and resume normal life.

Repair has two objectives:

Restoration

It means going back to normal operations after having cleaned everything up and repaired what needs repairing.

It is what you do when you recover a file from your backups, when you restart a program or when you bring your car to a garage to be repaired.

Pay attention: this step can take time!

Compensation

Here, we seek to recover our losses by calling on the insurers or by filing a complaint against the suspect.

Learning the lesson

We should always draw the lessons from incidents:

  • our permanent protection was not strong enough => review our risk management
  • our detection was not sufficient => fine-tune our alarms
  • our response was inadequate => review our resources and our reaction – make sure we are better prepared next time
  • our damages are irrecoverable => review our backups, our insurance, our log of traces.

If we do not learn from events, we should not be surprised that incidents come back over and over again… and that our insurance company (or our friends) will close their doors on us.


Don’t hesitate to search the Internet to learn more about this topic.

Those among you who want to go further may read the standard ISO/IEC 27035-1. Check whether your national standardization institute has translated the document into your language.

See you soon, safer with your information

Jean-Luc
