Information Security Incident Management
- A Methodology
by Neil Hare Brown MSc
British Standards Institution, 2007
~£50 from BSI
Purpose and scope
The central purpose of the book is to provide guidance on best practices in information security incident management as a professional discipline for large, relatively formalized organizations.
The main sources cited in the book are ISO/IEC 27002 (Code of Practice for Information Security Management), ISO/IEC TR 18044 (Information Security Incident Management), RFC 2196 (Site Security Handbook, 1997) and its 1991 predecessor, RFC 1244.
Content and structure
The A5-sized book’s 118 pages contain approximately 30,000 words with very little padding or unnecessary content in six main chapters:
Understanding information security incident management - a good overview of the topic that continues from and expands upon the brief introduction.
Incident response requirements - this chapter is quite ambitious for its 8½ pages, attempting to describe policies, types of incidents and the continuous improvement aspects of the full process.
Responsibility and authority - defining an appropriate management structure for incidents is an integral part of defining the processes.
Formulating an incident response process - sound advice for anyone tasked with designing or reviewing an information security incident management process.
The six steps of information security incident response - explains how to design, plan, document and test a process.
Summary - this half-page literally summarizes the book.
The appendices are rather brief:
A generic typology for incidents;
A succinct glossary;
A half-page bulleted list of incidents;
Four example forms used for recording incidents and tracing forensic evidence;
A page of good references, cited with notes throughout the text.
About the author
Neil has extensive experience of information security incident management and forensics, stretching back 25 years to his time with the Metropolitan Police in London. His government and large company background shines throughout the book. Neil has an MSc in information security from Holloway, part of London University, and is currently researching for a PhD.
The book’s utility and value
On the upside, the incident management process as described is disciplined, rigorous and comprehensive. At the same time, the advice is reasonably pragmatic: a practitioner should be able to apply the advice without too much trouble, other than the effort required to persuade senior management to implement such a comprehensive process.
On the downside, being so comprehensive seems likely to make the process bureaucratic and resource-intensive. There are no obvious concessions or shortcuts in the book for smaller organizations, and little effort to describe the commercial value of such an approach to private sector organizations.
This small book is packed with advice for those responsible for managing information security incident management functions, and for those working in such functions. The comprehensive process is well suited to organizations with numerous incidents to manage and hence a need for a structured, comprehensive process.
Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs such a comprehensive, well-structured incident management process.