Every enterprise has a specific set of rules and policies concerning how it manages client and employee data, access control, and privacy to help prevent and mitigate cybersecurity incidents. A cybersecurity incident occurs when an unauthorized system breach threatens the integrity and security of a company’s system. Cybersecurity incident management refers to how an enterprise responds to the incident to minimize its impact and prevent further breaches. It also defines the roles and responsibilities of each individual in the security and management teams in the event of a cyber attack.
Why is Cybersecurity Incident Management Important?
Ontario is home to around 450,000 businesses. Today, virtually every organization relies on technology to operate efficiently and manage administrative tasks. However, the wider adoption of technology has also opened the door to a variety of cybersecurity attacks. These attacks not only breach security but also tarnish the reputation of a business and adversely affect revenue. A cybersecurity incident management team intervenes once a breach occurs and helps the security team recover from the attack.
When a breach occurs, the majority of firms are completely unaware. The average breach response time is about 197 days, giving an attacker plenty of time to move freely within the organization’s network. An accessible incident management team is essential for every business to help with surveillance, shorten response times, minimize damages, and prevent future attacks.
Abiding by Ontario's Rules
When a company formulates a cybersecurity incident management plan, aligning it with the applicable cybersecurity laws is critical. The government of Ontario mandates all businesses to follow the guidelines prescribed in the Government of Ontario Information Technology Standards (GO-ITS). Specifically, incident response management is required to comply with the requirements set by GO-ITS 37.
GO-ITS 37 Incident Management Standards
GO-ITS 37 establishes a set of 16 principles to ensure that the incident response procedure produces the desired outcomes. These are the fundamental guidelines that give direction for developing an effective incident response procedure. You can read the detailed explanation of these guidelines on the official website of the Ontario government.
The government of Ontario mandates the following safeguards:
Controls that include a procedure covering various security incidents, contingency plans, audit trails, evidence collection, recovery and unambiguous communication between the affected parties.
A detailed document recording how the team initiates and executes the incident response. Response methods must be practiced and reviewed to verify the efficacy of the cybersecurity incident management plan.
Deter Future Intrusions
Examine suspicious or persistent intrusion attempts to determine whether a compromise has occurred. Measures taken to deter future breaches involve limiting or denying access. Changing access methods, for example by enabling two-factor authentication, also mitigates malicious attempts to a large extent.
Disconnecting a breached system from the network prevents the compromise from spreading to the entire network. Shutting down systems will prevent the loss of volatile data that may contain vital forensic information. Administrative functions should remain under the control of the security team.
Incident Response Team
According to the Government of Ontario’s regulations, the following set of people must be in the cybersecurity incident management team of any enterprise:
Process Owner: Oversees the entire process, ensures that it is followed by the organization, and is responsible for approving changes to process plans.
Incident Manager: Responsible for the execution of the incident management process and is accountable for incident lifecycles.
Incident Analyst: Reports to the incident manager and provides the team with the technical expertise needed to resolve incidents.
Situation Manager: Responsible for resolving escalated incidents.
Queue Manager: Ensures all the incident tickets in a queue are assigned to relevant teams and actions are being taken to resolve them.
Service Desk Manager: Ensures appropriate staffing is in place to manage all incidents.
Service Desk Team Lead: Reports to the service desk manager and works directly with the service desk team to ensure the effectiveness of the diagnostics of the incident.
Service Desk Agent: Point of contact for the customers during the incident. Also creates records of new incidents and updates the records of the existing ones.
ITS Incident Advisor: Provides a bridge for communications between the incident manager and partner organizations, like telecom and third-party providers.
Communication Coordinator: Ensures communication about operations within the process and is responsible for providing status updates and information to personnel.
All organizations should be prepared for a potential cybersecurity incident. The GO-ITS standards provide a practical set of guidelines for an effective cybersecurity incident management plan. Packetlabs can help you comply with GO-ITS by providing a cybersecurity maturity assessment that can become a roadmap to your incident management plan.