What should we do if there’s a security incident in our organization? What steps need to be taken and in what order? Do I have the obligation to report it to an authority? Can I get help? No matter how many security measures your business has, or how well implemented they are, there will always be the risk of a threat materializing. For this reason, it is imperative to have an action plan that sets the guidelines to be followed in the event of a security incident.
Security incidents are situations that may cause great harm to our surroundings (information systems, people, businesses...). Therefore, it is important, first, to be able to prevent them and, second, to detect and adequately respond to them.
Detection must be based on the deployment of monitoring systems and their proper use, while an appropriate response to a security incident involves, first, clearly identifying the incident, then escalating it to the group responsible for managing it in each case, and finally containing it, eradicating it and recovering from it.
The latest version of the “Spanish National Guidelines for Reporting and Managing Cyber Incidents”, which provides all entities, public or private, and the general public with an outline and detailed guidance on whom to notify of a cybersecurity incident within their area and how to do so, has been updated to clarify and improve the following points:
- A uniform classification/taxonomy of cyber incidents.
- The notification impacts and thresholds, as well as the time after which a cyber incident is closed if no response is received, depending on its hazard or impact level.
- The reference metrics and indicators recommended for measuring the degree of implementation and the efficiency of each organization’s incident management process.
In addition to this update, INCIBE-CERT has published the Appendix “Cyber incident management procedure for the private sector and citizenry”, which aims to support these tasks and to gather the mechanisms, references and channels for reporting incidents to the INCIBE Security Incident Response Center (INCIBE-CERT) where appropriate.
Information security incident management is an ordered set of actions focused on preventing the occurrence of cyber incidents as far as possible, and, should they occur, restoring operation levels as soon as possible.
The Appendix begins with an overview of each of the most common phases in this process, which are:
- Preparation: in this phase before the cyber incident, the aim is for the entire entity to be prepared for any possible event. To this end, anticipation and prior training are key, always bearing three fundamental pillars in mind: people, procedures and technology.
- Identification: by understanding the normal state of daily operations, the organization is able to identify anomalies that require detailed analysis. If the event is ultimately ruled out as an incident, the process returns to the preparation phase.
- Containment: time is crucial when a cyber incident occurs, given that the reputation or continuity of the business is at stake. In this phase the goal is to contain the problem, preventing the attacker from doing more harm, for example, compromising additional devices or disclosing more information. The situation is subsequently studied and the cyber incident is classified. It is also important to log and document what happened with the help of management and ticketing tools, in addition to carrying out procedures for taking and preserving evidence for their subsequent analysis.
- Mitigation: necessary mitigation measures, which will depend on the type of cyber incident, are taken. In some cases, it may be necessary to request assistance from external entities, such as providers of mitigation services for this type of attack or a national CSIRT such as INCIBE-CERT, which can assist in analyzing and defining the mitigation strategy.
- Recovery: the purpose of this phase is to return the level of operation to normal and for the affected business areas to resume their activity. Once systems are back in production, monitoring should continue, looking for possible suspicious activity.
- Post-incident actions: once the cyber incident is under control and activity has returned to normal, we turn to the lessons learned, the purpose of which is to learn from what happened so that appropriate action can be taken to prevent similar situations from repeating.
[Figure: Incident management phases]
It also covers the procedure and the mechanisms for reporting cyber incidents to the CSIRT of reference. A report can be made to INCIBE-CERT by the affected entity (citizens, SMEs, private-law entities or institutions affiliated with RedIRIS), or INCIBE-CERT may contact the affected entity, so that it benefits from the response service regardless of whether it ultimately resolves the cyber incident on its own. There are 3 phases:
- Opening: when a notification is received, the INCIBE-CERT technical team will carry out an initial analysis in order to determine the scope of action.
- Prioritization: each cyber incident will be assigned a priority depending on its dangerousness and potential impact.
- Resolution: once a solution has been reached involving the closure of the incident, by both the affected party and INCIBE-CERT, this will be reported to the actors involved.
[Figure: INCIBE-CERT, National CSIRT]
Lastly, the document also provides a help section for calculating the impact, with additional criteria to those included in the National Guidelines, in order to make it easier for citizens, companies and entities affiliated with RedIRIS to calculate the impact of a security incident.
Note that our free and public incident response services make our technological and coordination capabilities available to you, which makes it possible to offer operational support in the face of cyber threats or in the event of cyber incidents.
This attachment is available together with the National Guidelines for Reporting and Managing Cyber Incidents at the following link: