twitter facebook rss

Fast Incident Response Expected

Posted by on October 8, 2016.

From time to time, I like to compare and contrast the nascent Information Security profession with more traditional and established occupations. For example when I had lunch with a police officer friend and gave it some food for thought.

I had such occasion the other day in a breakout session on the topic of Incident Response. The presenter did a great job covering the subject matter and asked an obvious question. He said, “We all know we need to practice incident response more, so why do so many of us rarely do it?” His voice was full of reproach. Fifty thoughts quickly flowed through my stream of consciousness. So as to not pass out and stay focused on the presentation, I quickly jotted down “Fire Department” and returned to the presentation.

A Fire Department is a quintessential incident response profession. The history of organized firefighting began in ancient Rome while under the rule of Augustus. In the early US, private fire brigades competed against one another to be the first to respond to a fire because insurance companies paid brigades to save buildings. On January 27, 1678 the first fire engine company went into service and in 1736 Benjamin Franklin established the Union Fire Company in Philadelphia.

A Firefighter is focused solely on incident response. Incident response for this profession is not one additional duty – it is the only duty. When a Firefighter is not responding to an incident he/she is maintaining the equipment, at the grocery store or training. Training to respond to an incident is the only way to get proficient. I concede a not so subtle difference between a Firefighter and an Information Security professional is the latter is not putting their life on the line when responding to an incident, only their career.

On the other hand, let us look at what any good security office should be covering in their scope of duties. ISO 27002 will do nicely for this purpose:

  1. Information Security Policies
  2. Organization of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and environmental security
  8. Operation Security- procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management and Information systems audit coordination
  9. Communication security – Network security management and Information transfer
  10. System acquisition, development and maintenance – Security requirements of information systems, Security in development and support processes and Test data
  11. Supplier relationships – Information security in supplier relationships and Supplier service delivery management
  12. Information security incident management – Management of information security incidents and improvements
  13. Information security aspects of business continuity management – Information security continuity and Redundancies
  14. Compliance – Compliance with legal and contractual requirements and Information security reviews

Therefore, of the fourteen areas ISO 27002 defines as coverage for an Information Security Office, only one deals with incident response. Interesting, is it not? Of course the modern Firefighter does not only deal with fires but also emergency medical calls. In fact that is their top business. Yet, there is an interesting contrast in that type of incident response too. When responding to a medical call, the main job is to stabilize and get the patient to a hospital where a trauma unit takes over. The Information Security professional has the patient from start to finish (whenever that is), and they have to keep running the hospital while working on the patient.

Moral of the compare and contrast? If you do not have enough bandwidth to practice incident response often, you had better get a firm on retainer. The other nugget of wisdom? Information Security people are asked to be experts in many different areas and rarely given the time or resources to become such. We also have to buy our own groceries and on our own time!

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Martin Zinaich | Tags: