New incidents should be reviewed monthly.
Incident handling is based on Fuglar's incident response version 6. All suspected incidents are reported in a service task, and every response action and all documentation relating to the incident should be recorded on that service task. When responding to an incident, the following steps should be followed:
- Within 1 week of the incident, evidence relating to the incident should be collected and documented. Evidence may include, but is not limited to:
  - Server logs
  - Backup reports
  - Firewall logs
  - Photos/scans of documents
  - Photos of the scene where the incident happened
  - A timetable of events leading up to and after the incident
  - Statements of personnel involved in the incident
  - Physical objects such as hard drives, computers, servers, etc.

  All evidence should be documented on the service task created for the incident. If the evidence is physical (e.g. hard drives or computers), it should be collected and stored securely by the CFO. In the case of suspected illegal activity related to the incident, the appropriate authorities should be contacted.
- If the asset owner responding to the incident believes the incident is severe or could have serious consequences for information security or business continuity, they should escalate it to the CTO, CEO and CFO respectively. Alert internal and/or external stakeholders if deemed appropriate by the asset owner or management.
- When responding to an incident, all activities should be logged and documented in the service task.
- Perform a root-cause analysis of the incident and document the results in the service task.
- If any weaknesses are found that contributed to or caused the incident, a separate service task should be created for each weakness to address it. That service task should describe in as much detail as possible what the weakness is and how it should be dealt with.
- When the incident has been dealt with, the service task should be closed.