ISO 27001:2022 A 6.8 Information security event reporting

Uncategorized 5 Minutes

Information security event reporting can be defined as the process of documenting incidents, breaches and other events related to cyber threats that occur within an organisation for the purposes of analyzing them for future prevention and detection. Information security events should be reported through appropriate management channels as quickly as possible. In addition to recording these events, it’s also important to analyse them in order to develop strategies for preventing future incidents from happening. Information security event reporting is important because without it, you won’t have any way of knowing if your network has been hacked or if there are any other potential threats facing your organisation. Without this knowledge, you won’t know how to prevent future attacks from occurring again—or even if there have been previous attacks that need addressing. Information security events are a critical part of any organisation’s response to an incident. The speed with which you can respond to an incident is often critical for both protecting your business and limiting the impact on customers and other stakeholders.

Control

The organization should provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Purpose

To support timely, consistent and effective reporting of information security events that can be identified by personnel.

ISO 27002 Implementation Guidance

All personnel and users should be made aware of their responsibility to report information security vents as quickly as possible in order to prevent or minimize the effect of information security incidents. They should also be aware of the procedure for reporting information security events and the point of contact to which the events should be reported. The reporting mechanism should be as easy, accessible and available as possible. Information security events include incidents, breaches and vulnerabilities. Situations to be considered for information security event reporting include:
a) ineffective information security controls;
b) breach of information confidentiality, integrity or availability expectations;
c) human errors;
d) non-compliance with the information security policy, topic-specific policies or applicable standards;
e) breaches of physical security measures;
f) system changes that have not gone through the change management process;
g) malfunctions or other anomalous system behavior of software or hardware;
h) access violations;
i) vulnerabilities;
j) suspected malware infection.
Personnel and users should be advised not to attempt to prove suspected information security vulnerabilities. Testing vulnerabilities can be interpreted as a potential misuse of the system and can also cause damage to the information system or service, and it can corrupt or obscure digital evidence. Ultimately, this can result in legal liability for the individual performing the testing.

Designing an effective means of the detection of incidents is also essential, using both trained users and trained system administrators, and various technical controls. All members of the community should be trained and comfortable regarding

  • procedures for reporting failures, weaknesses, and suspected incidents
  • methods to recognize and detect problems with security protections
  • how to escalate reporting appropriately

In addition, technical controls must be implemented for the automated detection of security events, coupled with as near real-time reporting as possible, to investigate and initiate immediate responses to problems. For new IT systems, often the best time to develop automated detection of security events is when the preventive security controls are being developed and implemented. The most fundamental approaches to detecting intrusions are to monitor server logs for signs of unauthorized access, to monitor firewall or router logs for abnormal events, and to monitor network performance for spikes in traffic. Since intruders can alter or destroy local logs, a best practice is to take the precaution of sending logs to a remote log server. This includes a combination of host-level and network-level detections, which when used together provide the most powerful system for detecting problems.The purpose of Information Security Event Reporting is to support timely, consistent and effective reporting of information security events that can be identified by personnel. This is to ensure that information security events are reported in a timely manner and that the information is recorded accurately to support incident response activities and other security management responsibilities.

Information security event reporting is the process of documenting and logging information security events that occur in an organisation. It recommends that organisations need to have an information security event reporting program, which will facilitate the process of receiving, assessing and responding to reports of incidents which have a potential impact on information security for the purposes of detecting incidents and mitigating adverse effects. This control is designed to:

  • Support timely, consistent and effective reporting of information security events that can be identified by personnel.
  • Proactively detect unauthorised access or misuse of information systems.
  • Facilitate incident response planning.
  • Provide a foundation for continuous monitoring activities.
  • Regular review of incidents and trends in order to identify problems before they become major incidents (for example, by monitoring the number of incidents or the time required for each incident)

The following are some of the basic requirements for Control 6.8:

All personnel and users should be made aware of their responsibility to report information security events as quickly as possible in order to prevent or minimize the effect of information security incidents. The organisation shall have a documented point of contact for reporting information security incidents to appropriate parties. The reporting mechanism should be as easy, accessible and available as possible. The organisation shall maintain documentation of information security events, including incident reports, event logs, change requests, problem reports and system documentation.
Situations to be considered for information security event reporting include:

  • Ineffective information security controls.
  • Breach of information confidentiality, integrity or availability expectations.
  • Human errors.
  • Non-compliance with the information security policy, topic-specific policies or applicable standards.
  • Breaches of physical security measures.
  • System changes that have not gone through the change management process.
  • Malfunctions or other anomalous system behaviour of software or hardware.
  • Access violations.
  • Vulnerabilities.
  • Suspected malware infection.

It is also important to point out here that it is not the place of the personnel reporting to test the vulnerability or effectiveness of the information security event. This can lead to legal liabilities for the employee and so should be left for qualified personnel to handle.

Even if an organization installs a network intrusion detection system or other monitoring systems, the resulting alerts can quickly overload personnel. An effective approach is to use analysis tools to help manage intrusion detection systems and summarize the data. Even when log summarization is used, maintaining and monitoring intrusion detection systems can require resources and technical skills that are beyond some organization’s means. A less expensive alternative to developing your own IDS capabilities is to collaborate with other higher education institutions, helping each other deploy intrusion detection systems and even having a single person monitoring all systems, or to contract for the service with your ISP. Two major weaknesses of network IDS are that they cannot detect attacks in encrypted traffic and they cannot determine what is occurring within a targeted compromised host. Host-based intrusion detection systems (HIDS) can address both of these issues and can be used to monitor systems processes, file system changes, and log files for suspicious activities. Many commercial endpoint security offerings now include HIDS functionality, and servers can utilize open source monitoring tools. Communicating security alerts through an interface that system administrators use to monitor the status and performance of their systems increases the likelihood that they will notice problems quickly.


Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply