There is an intriguing move underway to replace the often part-time security incident response teams or committees tasked with reacting to security incidents with a number of key dedicated full-time individuals and a more full-fledged function for the business.
This is likely occurring as a result of the growing realisation that security is now a core business function. The tendency may still be to assess the need as basic business risk management and federate it across the business, allowing security issues to be dealt with where they occur.
This often presents an obstacle to forming a security incident response function (SIRF), even when the need for the function is accepted at board level. However, a federated approach limits much of the SIRF's potential within the organisation. In practice, today's part-time teams may meet only once a year, to run through procedures during an internal test.
Although the SIRF is largely understood for its reactive role (an incident-handling service triggered by an event or request, such as a report of a suspected compromise or an alert from a monitored system), it is the more proactive functions that make up the core of its daily work. This often includes direct inspection of business systems across the organisation and assistance in securing them, particularly in anticipation of known, but also unspecified, threats.
Further, the security quality management and reporting of this function augments the architectural quality management and reporting functions across the business, providing essential insight into the overall security of the business services while identifying risks, threats and system weaknesses before a threat materialises.
With a view to delivering quality assurance, consistency and governance across all security matters raised by customers, suppliers or staff, a structured incident handling service is required that:
• Ensures that the quality of the information is maintained and defines how artefacts (including communications) are handled.
• Is supported by a separate call handling function that routes reports directly to the SIRF, primarily via the security officer role rather than via the normal support function.
• Follows service delivery best practice in managing the secure communication of information.
It must deliver in four functional areas:
1. Triage provides the single point of interaction and the focal point for all incoming information to the service, and is also the channel through which all outgoing information is passed, in order to reduce unintended disclosure. Triage is therefore a bidirectional analysis of information flowing into and out of the incident handling service.
2. Handling provides the systematic support, guidance and processing related to suspected or confirmed security incidents, threats and breaches.
3. Feedback provides the secure distribution of artefacts and status to all relevant parties.
4. Disclosure provides a channel for disclosure of non-evidential or sensitive information to a wider audience than the impacted parties.
To accomplish this, the SIRF must operate in a framework that extends from security officer control into all areas of the business, from the front reception right up to the board. It must also have a concise and unambiguous charter giving it an overarching, policy-driven remit; measurable quality objectives; and clear independence from the business units, to avoid the conflicts of interest that all too often prevent essential measures from being taken. Headed by the chief security officer, this function requires a dedicated team and should ideally report directly to the chair of the board.
David Gregg is an IT security manager working in the Democratic Republic of Congo.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².