Computer security and data privacy are often poorly considered issues, experts urge more awareness of cyber threats.
Computer security and data privacy are often poorly considered issues until incidents occur and unfortunately sometimes even the very seriousness of the events, understood as virtual happenings, is not adequately perceived. An injection of digital culture is needed to increase awareness of the cyber threat in all its forms.
While the 27035 standard covers system and network security incidents, it can also apply to incidents involving other forms of information such as documents, intellectual property, personal and business information. In this regard, both standards, the NIS Directive (EU) 2016/1148 and the GDPR Regulation (EU) 2016/679 define the correct protocol to be followed in the management of information in a complementary way.
It’s not possible to guarantee only security without having privacy or only privacy without guaranteeing security.
It’s not acceptable that a computer attack on the security of an information system could also lead to a breach of sensitive data.
Computer incidents commonly involve the exploitation of unknown (or poorly managed) vulnerabilities, and in some cases they are due to the superficiality of handling digital information in its various forms. Therefore, an adequate management of vulnerabilities and custody of information must represent the main objectives to be pursued through preventive and possibly corrective actions.
The Computer Security Incident Response Team
The RFC 2350 standard provides for the training of the CSIRT (Computer Security Incident Response Team), the team that performs, coordinates and supports the management of security incidents. The CSIRT must offer support through actions of awareness, prevention and coordination of the response to computer incidents, with the following main objectives:
- Provide timely information about potential cyber threats;
- increase security awareness and culture;
- cooperate with other similar institutions;
- facilitating the response to cyber incidents;
Once reports of incidents or threats have been received, the CSIRT evaluates their possible impact and informs stakeholders and, if necessary, coordinates them until the incident is resolved.
The CSIRT must disseminate the information necessary to counteract the incident and restore the state of normality as quickly as possible in cooperation with the community involved and must act primarily as an information gathering center that is promptly sorted within its community to facilitate its solution.
CSIRT – The Coordination
The coordination of the incident is managed through the following actions:
- Identify the organizations involved;
- Activate contacts with those directly involved to analyze the incident and identify actions to be taken;
- Facilitating contacts with other organizations that can provide support in resolving the incident;
- Promptly inform all those potentially involved within your community;
- Prepare reports to be sent to other affected teams or organizations;
CSIRT – Services
The CSIRT to its community which can be a company, a company or an entire country system must offer proactive and responsive services:
Proactive:
- dissemination of information aimed at increasing security;
- dissemination of guidelines and standards for proper management and prevention of cyber incidents;
- security training and awareness-raising and training campaigns aimed at users to increase awareness of cyber security issues;
- exchange of information;
Reactive:
- alerting and warning;
- coordination and exchange of information for the solution of incidents.
The process of managing a computer incident
Standard 27035 also outlines the basic rules of the process of managing a computer incident (security/privacy) and provides steps that can be summarized as follows:
1. The Incident Management Preparation phase;
2. The Identification and Assessment phase to understand the extent and impact of the incident through monitoring and reporting;
3. The Incident Response phase by containing, removing and attempting to resolve the problem or at least mitigate its consequences;
4. The Learning phase to learn lessons for the future.
Considerations
Data protection and IT security is an issue that must involve the entire organization. The management of indexes must be understood as a process of continuous improvement ensuring:
- a synergy of protection measures with management processes;
- a definition of the roles to be assigned;
- a training of the actors involved in the management;
- a regulatory update;
- a preservation of the activities carried out in the management of incidents.
About the author: Salvatore Lombardo
IT officer, ICT expert, Clusit member
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Computer security)
[adrotate banner=”5″]
[adrotate banner=”13″]
Share On
