ISO 27001:2022 A 6.8 Information security event reporting

Information security event reporting can be defined as the process of documenting incidents, breaches and other events related to cyber threats that occur within an organisation for the purposes of analyzing them for future prevention and detection. Information security events should be reported through appropriate management channels as quickly as possible. In addition to recording these events, it’s also important to analyse them in order to develop strategies for preventing future incidents from happening. Information security event reporting is important because without it, you won’t have any way of knowing if your network has been hacked or if there are any other potential threats facing your organisation. Without this knowledge, you won’t know how to prevent future attacks from occurring again—or even if there have been previous attacks that need addressing. Information security events are a critical part of any organisation’s response to an incident. The speed with which you can respond to an incident is often critical for both protecting your business and limiting the impact on customers and other stakeholders.

Control

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Purpose

To support timely, consistent and effective reporting of information security events that can be identified by personnel.

ISO 27002 Implementation Guidance

All personnel and users should be made aware of their responsibility to report information security vents as quickly as possible in order to prevent or minimize the effect of information security incidents. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported. The reporting mechanism should be as easy, accessible and available as possible. Information security events include incidents, breaches and vulnerabilities. Situations to be considered for information security event reporting include:
a) ineffective information security controls;
b) breach of information confidentiality, integrity or availability expectations;
c) human errors;
d) non-compliance with the information security policy, topic-specific policies or applicable standards;
e) breaches of physical security measures;
f) system changes that have not gone through the change management process;
g) malfunctions or other anomalous system behavior of software or hardware;
h) access violations;
i) vulnerabilities;
j) suspected malware infection.
Personnel and users should be advised not to attempt to prove suspected information security vulnerabilities. Testing vulnerabilities can be interpreted as a potential misuse of the system and can also cause damage to the information system or service, and it can corrupt or obscure digital evidence. Ultimately, this can result in legal liability for the individual performing the testing.

Designing an effective means of the detection of incidents is also essential, using both trained users and trained system administrators, and various technical controls. All members of the community should be trained and comfortable regarding

  • procedures for reporting failures, weaknesses, and suspected incidents
  • methods to recognize and detect problems with security protections
  • how to escalate reporting appropriately

In addition, technical controls must be implemented for the automated detection of security events, coupled with as near real-time reporting as possible, to investigate and initiate immediate responses to problems. For new IT systems, often the best time to develop automated detection of security events is when the preventive security controls are being developed and implemented. The most fundamental approaches to detecting intrusions are to monitor server logs for signs of unauthorized access, to monitor firewall or router logs for abnormal events, and to monitor network performance for spikes in traffic. Since intruders can alter or destroy local logs, a best practice is to take the precaution of sending logs to a remote log server. This includes a combination of host-level and network-level detections, which when used together provide the most powerful system for detecting problems.The purpose of Information Security Event Reporting is to support timely, consistent and effective reporting of information security events that can be identified by personnel. This is to ensure that information security events are reported in a timely manner and that the information is recorded accurately to support incident response activities and other security management responsibilities.

Information security event reporting is the process of documenting and logging information security events that occur in an organisation. It recommends that organisations need to have an information security event reporting program, which will facilitate the process of receiving, assessing and responding to reports of incidents which have a potential impact on information security for the purposes of detecting incidents and mitigating adverse effects. This control is designed to:

  • Support timely, consistent and effective reporting of information security events that can be identified by personnel.
  • Proactively detect unauthorised access or misuse of information systems.
  • Facilitate incident response planning.
  • Provide a foundation for continuous monitoring activities.
  • Regular review of incidents and trends in order to identify problems before they become major incidents (for example, by monitoring the number of incidents or the time required for each incident)

The following are some of the basic requirements for Control 6.8:

All personnel and users should be made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimize the effect of information security incidents. The organisation shall have a documented point of contact for reporting information security incidents to appropriate parties. The reporting mechanism should be as easy, accessible and available as possible. The organisation shall maintain documentation of information security events, including incident reports, event logs, change requests, problem reports and system documentation.
Situations to be considered for information security event reporting include:

  • Ineffective information security controls.
  • Breach of information confidentiality, integrity or availability expectations.
  • Human errors.
  • Non-compliance with the information security policy, topic-specific policies or applicable standards.
  • Breaches of physical security measures.
  • System changes that have not gone through the change management process.
  • Malfunctions or other anomalous system behaviour of software or hardware.
  • Access violations.
  • Vulnerabilities.
  • Suspected malware infection.

It is also important to point out here that it is not the place of the personnel reporting to test the vulnerability or effectiveness of the information security event. This can lead to legal liabilities for the employee and so should be left for qualified personnel to handle.

Even if an organization installs a network intrusion detection system or other monitoring systems, the resulting alerts can quickly overload personnel. An effective approach is to use analysis tools to help manage intrusion detection systems and summarize the data. Even when log summarization is used, maintaining and monitoring intrusion detection systems can require resources and technical skills that are beyond some organization’s means. A less expensive alternative to developing your own IDS capabilities is to collaborate with other higher education institutions, helping each other deploy intrusion detection systems and even having a single person monitoring all systems, or to contract for the service with your ISP. Two major weaknesses of network IDS are that they cannot detect attacks in encrypted traffic and they cannot determine what is occurring within a targeted compromised host. Host-based intrusion detection systems (HIDS) can address both of these issues and can be used to monitor systems processes, file system changes, and log files for suspicious activities. Many commercial endpoint security offerings now include HIDS functionality, and servers can utilize open source monitoring tools. Communicating security alerts through an interface that system administrators use to monitor the status and performance of their systems increases the likelihood that they will notice problems quickly.


Leave a Reply