A.16.1.1 Responsibilities and Procedures

A good control describes how management establish responsibilities and procedures in order to ensure a quick, effective and orderly response to address weaknesses, events and security incidents.

The procedures for incident, event and weakness response planning will need to be clearly defined in advance of an incident occurring and have been approved by your leadership. Those procedures are pretty easy to develop because the remainder of this Annex A control spells them out.

In simple terms an incident is where some form of loss has occurred around confidentiality, integrity or availability. An example is where a window was left open and a thief stole an important file sitting on the desk. Following that thread, an event is where the window was left open but nobody stole the file. A weakness is that the window is easily broken or old and could be an obvious place for a break-in. A weakness is also a common risk management or improvement opportunity.

Your auditor will expect to see all of these formal, documented procedures in place, and evidence that they are working.

A.16.1.2 Reporting Information Security Events

A good control here ensures that information security incidents and events can be reported through suitable management channels as soon as possible.

Employees and associated interested parties (e.g. suppliers) need to be made aware of their obligations to report security incidents, and you should cover that off as part of your general awareness and training. In order to do this well they will need to know exactly what constitutes an information security weakness, event or incident, so be clear about that, based on the simple example above.

If an information security event occurs or is thought to have occurred, it must be reported immediately to the nominated information security administrator, and that report needs to be documented accordingly. Some of the possible reasons for reporting a security incident include ineffective security controls, assumed breaches of information integrity or confidentiality, or availability issues, e.g.

The auditor will want to see, and will be sampling for, evidence of awareness of what constitutes a weakness, event or incident amongst general staff, and of awareness of incident reporting procedures and responsibilities.

A.16.1.3 Reporting Information Security Weaknesses

This control simply builds on incidents and events, but weaknesses might be treated slightly differently once reported (see A.16.1.4). It is essential for employees to be aware that when discovering a security weakness they must not attempt to prove that weakness: testing it may be interpreted as misuse of the system, and it also risks damaging the system and its stored information, thereby causing security incidents.

A.16.1.4 Assessment of & Decision on Information Security Events

Once a security event has been reported and subsequently logged, it will need to be assessed in order to determine the best course of action to take. Information security events must be assessed and then it can be decided whether they should be classified as information security incidents, events or weaknesses.

A.16.1.5 Response to Information Security Incidents

This action must aim to minimise any compromise of the availability, integrity or confidentiality of information and to prevent further incidents. Ideally it will have minimum impact on other users of the services. Consideration of exactly who needs to be made aware of the incident (internally, customers, suppliers, regulators) can take place in this part of the lifecycle too. GDPR and the Data Protection Act 2018 mean that some information security incidents relating to personal data need to be reported to the Supervisory Authority too, so your controls should tie in these considerations to meet regulatory requirements and avoid duplication or gaps in work.