Incident Handling

Your organisation must establish clear procedures for handling incidents. To support incident handling, it must also implement logging and monitoring of irregularities in its network and information systems so that incidents can be detected in the first place. Log data must also be protected against manipulation and unauthorised access so that its integrity is preserved.

Incident Handling

Your organisation must be able to handle incidents so that it can react properly when they occur. The goal of this security measure is to limit the damage to network and information systems and to critical services, keeping the impact of the incident as low as possible. After an incident, your organisation should be able to restore normal operations.

Requirements

Proper incident handling requires your organisation to prepare and implement contingency procedures that make it possible to identify, detect, analyse, and respond to incidents. These procedures must also support the recovery of secure and stable operations, as well as ensure that your organisation can meet its reporting obligations to the national Computer Security Incident Response Team (CSIRT) in the case of major incidents.

Your organisation must have the necessary skills available, either internally or through agreements with third parties, to make sure that incidents can be properly handled. 

To support this capability, your organisation should also:

  • define roles, responsibilities, and procedures for preventing, detecting, analysing, containing, responding to, recovering from, documenting, and reporting major incidents as quickly as possible. This can also include communication plans for internal and external communication and emergency communication systems.
  • have a procedure that allows employees, suppliers, and customers to report suspicious incidents internally in a simple and accessible way, so there are no barriers to using it.
  • respond to incidents in a timely manner and in line with the organisation’s incident handling procedures.
  • carry out a review after a major incident to identify the root cause and draw lessons that can reduce the risk and impact of similar incidents in the future.

Your organisation should also test its incident response procedures at planned intervals to ensure that they work as intended.

Documentation

Compliance with the incident handling requirements can be documented by having a procedure that is updated at planned intervals and whenever there are significant changes to the organisation’s business objectives or threat landscape. The procedures must be documented and approved by the relevant management.

Logging and Monitoring

The purpose of logging and monitoring is to ensure that your organisation can detect incidents that may put data at risk and respond appropriately, so the negative effects of the incident are reduced as much as possible. Logs are also used to investigate incidents afterwards.

Requirements

Your organisation must have processes and use tools to monitor, log, and respond to activities in your networks and information systems. Without this you would not be able to detect and respond to potential incidents.

Monitoring should ideally be automated, and depending on your organisation’s capabilities, it should be carried out in real time or at regular intervals. 

Your organisation must maintain, document, and review log files, although the specific approach may depend on the organisation’s technological maturity and on a risk-based assessment. Your logs could include the following:

  • incoming and outgoing network traffic,
  • creation, modification, or deletion of users and changes to permissions,
  • access to systems and applications,
  • privileged access to systems and applications,
  • activities performed by privileged accounts,
  • access to and changes in critical configuration and backup files,
  • event logs and logs from security tools such as antivirus, intrusion detection systems, or firewalls,
  • usage and performance of system resources,
  • access and usage of the organisation’s network equipment and components,
  • physical access to the organisation’s facilities, such as access control systems,
  • environmental events that may negatively affect the organisation’s networks and information systems, such as flood alarms.

Log files may be reviewed manually or automatically to detect unusual or unwanted patterns. To support this, the organisation should define thresholds for when action must be taken; if a threshold is exceeded, the system may automatically trigger an alert. The staff responsible must ensure that an appropriate response is carried out.

Your organisation should store and back up log files for a predefined period depending on your risk profile, and this log data must be protected against manipulation and unauthorised access.
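As an added illustration that is not part of the original guidance, the Python sketch below shows the two points made above: a threshold check over a constructed batch of events (failed privileged logins and account changes) and a hash-chained log whose verification reveals modified or deleted records. The field names, the threshold value and the sample events are assumptions made for the example.

```python
import hashlib
import json
from collections import Counter

# Constructed sample events; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:01Z", "user": "svc-backup", "event": "login_failed", "privileged": True},
    {"ts": "2024-01-10T08:00:04Z", "user": "svc-backup", "event": "login_failed", "privileged": True},
    {"ts": "2024-01-10T08:00:09Z", "user": "svc-backup", "event": "login_failed", "privileged": True},
    {"ts": "2024-01-10T08:00:15Z", "user": "svc-backup", "event": "login_failed", "privileged": True},
    {"ts": "2024-01-10T08:01:00Z", "user": "alice", "event": "login_failed", "privileged": False},
    {"ts": "2024-01-10T08:03:00Z", "user": "root", "event": "user_deleted", "privileged": True},
]

FAILED_PRIV_LOGIN_THRESHOLD = 3  # example threshold: failed privileged logins per account per batch

def detect_alerts(events, threshold=FAILED_PRIV_LOGIN_THRESHOLD):
    """Return a list of alert strings for the event batch (empty when nothing exceeds a threshold)."""
    alerts = []
    failures = Counter(e["user"] for e in events if e["privileged"] and e["event"] == "login_failed")
    for user, n in sorted(failures.items()):
        if n >= threshold:
            alerts.append(f"{user}: {n} failed privileged logins (threshold {threshold})")
    # Any creation, modification or deletion of user accounts is always surfaced for review.
    for e in events:
        if e["event"] in ("user_created", "user_modified", "user_deleted"):
            alerts.append(f"{e['user']}: {e['event']} at {e['ts']}")
    return alerts

def build_chain(events):
    """Append a SHA-256 link to every record; each link covers the previous link and the record."""
    prev = "0" * 64
    chain = []
    for e in events:
        body = json.dumps(e, sort_keys=True)
        link = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"record": body, "link": link})
        prev = link
    return chain

def verify_chain(chain):
    """Return the index of the first broken link, or -1 if every record is intact and in order."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + entry["record"]).encode()).hexdigest()
        if entry["link"] != expected:
            return i
        prev = entry["link"]
    return -1
```

A chain like this only proves integrity if the latest link is also kept somewhere the log writer cannot alter, for example forwarded to a separate log server, because anyone with write access to the file could otherwise recompute every later link.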

Your measures should be able to detect network-based attacks, such as abnormal traffic patterns or distributed denial of service attacks.

Your systems should be synchronised to use the same time sources so logs from different systems can be compared when investigating incidents.

Finally, you should keep a list of all assets that are logged. The systems used for monitoring and logging may be duplicated to ensure the security and continuity of the services provided. The cybersecurity of monitoring and logging systems should also be monitored, and it should be done independently from the systems they monitor.

Documentation

You should review the procedures for logging and monitoring at planned intervals and whenever changes occur, and the same applies to your list of logged assets or events. Documentation should be kept to show that these reviews take place at the scheduled times.
