In this article

Developing a strong foundation for incident response

In the last post in this series, we discussed the importance of incident response. No matter how effectively your organization invests in preventative or detective controls, there will be times when the most "fail proof" systems fall short. Innovation will always create vulnerabilities in its wake. The best response an IT security manager can have is two-fold: (a) invest in the people, process, and technology required to reduce your organization's attack surface while (b) preparing for the worst.

What you need to know in order to define an incident

Preparing for the worst begins by developing the criteria for what constitutes a security incident. Your organization can't afford to leave incident declaration to case-by-case judgment. You must establish parameters that are relevant and usable to your organization.

In order to develop this definition, you should have a solid understanding of the following:

  • Business strategy, processes and your organization's risk appetite;
  • Key dependencies of your organization, whether that be people, technology, partners, suppliers, etc.;
  • Assets likely to be targeted, whether that be infrastructure, money, intellectual property or people; and
  • Implications of a compromise to the confidentiality, integrity or availability of these assets.

When defining what constitutes a security incident – choose wisely. Based on this one definition, you may have an incident every day or once a year.

How others define an incident

Here are some examples of how organizations define a security incident. These examples are taken from organizations that have publicly posted their security incident response plans online.

  • "An Incident is an unplanned interruption to a technology service or reduction in quality of a technology service." - Yale University
  • "An IT security incident ("incident") is any activity that harms or represents a serious threat to the whole or part of […] computer, telephone and network-based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of critical records, or a crime or natural disaster that destroys access to or control of these resources." - Washington University
  • "All events that impact or potentially impact the confidentiality, integrity, or availability of data/information, information systems, and computer assets." - Veritas
  • "An incident is the act of violating an explicit or implied security policy." - Marshall University

Next steps

Once you have an idea of what a security incident looks like to your organization, you can begin developing your incident response plan. Join us next week as we look at the most important elements found in every well-written incident response plan.

To learn more about our security practice, visit our security page. WWT can also help you gain a better understanding of where your organization stands today in responding to a data breach by requesting our Security Tabletop Exercises Workshop.