Imagine that your system is under attack and your customers are unable to access your system because of this disruption in service. What do you do next and how do you respond? This is where incident management comes into play. An effective incident management process and incident response plan help return your system to normal operations. Auditors will evaluate your controls in place to address incidents when they occur.
What is the Purpose of Incident Management?
The purpose of incident management is to return the service organization’s services to the user entities back to normal operations as quickly as possible, after an event, to minimize the impact of the event on the service organization’s achievement of its service commitments and system requirements.
- Events are bound to occur, and no service organization is immune from events occurring that need to be addressed promptly to return to normal operations.
- Events can lead to the loss of, or disruption to, operations, services, or functions and result in a service organization’s failure to achieve its service commitments or system requirements.
- Events may arise from actual or attempted unauthorized access to impair or potentially impair the availability, integrity, or confidentiality of information or systems, unauthorized disclosure, theft, corruption, or destruction of information or damage to systems.
- Events may include everything from a security breach to a denial of service attack.
Incident management includes those activities that identify, document, analyze, and address events to prevent future events from recurring. If an event is not managed appropriately and timely, it may escalate into a bigger problem, crisis, or disaster.
Ineffective incident management may result in a greater loss of or longer disruption to business operations or services, adversely impacting information security, information systems, employees, customers, or other critical business functions of the service organization.
Incident Management Process Tips
Implementing a repeatable process to manage incidents can assist a service organization in achieving its objectives. How resilient a service organization is in their response to incidents aligns with how prepared they are for the inevitable to occur and how organized they are in their response plan to ensure minimal loss or damage.
Preventing an event from occurring is always the best type of control to implement. However, quickly detecting when an event does occur and effectively and efficiently addressing it is also necessary because of the difficulty assessing all potential risk scenarios in our ever-changing dynamic information technology landscape.
A service organization needs to implement a strong incident management process that includes the following items:
- Identification of an incident
- Documenting and tracking the incident
- Classifying and prioritizing the incident based upon impact and urgency
- Assigning the incident to appropriate incident response team members
- Diagnosing and responding to the incident
- Resolving the incident and restoring operations
- Closing the incident
- Analyzing post-recovery lessons learned
An incident can come from anywhere, including various internal and external communication channels such as email, phone, application, and/or infrastructure monitoring alerts, or through your customer support team member.
Documenting the incident in an incident management tool or ticketing system helps to track the incident from initial setup through to resolution and provides a means for monitoring the status of the incident at any time throughout its life cycle.
Having a standardized approach to classifying incidents based upon the severity of the adverse impact on the business and urgency needed to resolve the incident will help to focus limited resources on significant incidents requiring immediate attention. Incidents that may harm the service organization’s ability to meet service level agreements should take precedence over incidents having a lower impact on the service organization’s service commitments or system requirements.
Assigning the incident to appropriate incident response team members gets the incident quickly in front of individuals who have the role and responsibility to address the incident efficiently and effectively. Escalating the incident further up the chain of command depends upon the facts and circumstances of the incident impact and urgency.
Responding to an incident entails thoroughly investigating the incident and diagnosing the problem so that it may be adequately contained and resolved to ensure prompt restoration of normal operations. This step may include a root cause analysis of the problem so that the problem may not only be fixed for the current incident but also to prevent future similar incidents from occurring.
Upon resolution of the incident and restoration back to normal operations, the incident may be closed. In some cases, depending upon the results of the root cause analysis, a longer-term fix may be warranted that is implemented further down the road.
An analysis of the post-recovery lessons learned is a good way to identify areas needing tweaking to smooth out the process and determine areas requiring improvement or training needs.
Incident Response Plan Tips
A well-documented incident response plan that is communicated to appropriate personnel helps guide actions needed when an incident occurs.
Some items to be sure to include in an incident response plan include the following:
- Identification of incident response team members
- Defined roles and responsibilities for each incident response team member
- Incident classification matrix based upon impact/urgency
- Protocols for reporting and communicating to internal/external parties as appropriate
- Strategies for responding to various types of incidents
- Periodic table-top test of the plan or simulation of an event
- Refinement of incident response plan based upon test results or lessons learned
It is important that the incident response plan is communicated and readily accessible to appropriate personnel so that roles and responsibilities are known and understood. Internal and external communication protocols should be outlined in advance of an incident for timely notification as required. Documenting strategies for certain risk scenarios based upon their classification can help to jump-start an immediate response to an incident that occurs.
The best service organizations continually evaluate, test, and refine their incident response plan and shift their approach to incident management to incorporate lessons learned so that they may be more responsive and adept at resolving incidents as they occur thereby minimizing any potential loss or disruption. Rapid recovery to normal operations equates to lower downtime, cost and productivity savings, and higher customer confidence.
Executing a well thought out incident management process along with an incident response plan is a value-added differentiator in the competitive service organization environment.
Where do SOC 2 Auditors Focus When Auditing Incident Management?
The trust services common criteria and related areas of focus are applicable to all service organizations undergoing a SOC 2 examination. This includes the evaluation of security events to determine the impact on the service organization’s service commitments or system requirements and the action needed to prevent or remediate adverse impacts. Response to the security incident including the execution of a defined incident response plan to understand, contain, remediate, and communicate as appropriate. Additionally, the service organization must identify, develop, and implement activities to recover from security incidents.
Auditors will focus on the controls in place providing reasonable assurance that incidents are identified, tracked, investigated, and resolved in a timely manner. Controls that in aggregate help to meet the required objectives may include but are not limited to the following:
- An established Incident Management Policy & Procedure including an Incident Response Plan that has been communicated to appropriate personnel
- Clearly defined incident management roles and responsibilities
- Documented incident classification protocols and priority based upon the severity of the impact and urgency
- Utilization of a tracking mechanism (e.g., a ticketing system) to document and track the status of incidents from identification to resolution and closure
- Established incident reporting and communication protocols and procedures
- Established procedures to contain the incident and to execute corrective actions for remediation of the incident
- Documented remediation plans and corrective actions
- Root cause analysis to prevent recurrence of the incident.
- Timely resolution of incidents and restoration to normal operations
- Reviewing and updating of the Incident Response Plan at least annually based upon lessons learned
- Testing of the Incident Response Plan at least annually if no security events occur during the year and revision of the plan based upon test results.
Events happen. Service organizations need to make the best use of their limited available time and resources to address inevitable events that occur by considering trends, patterns, and underlying problems or root causes.
Utilizing an incident management tool and addressing incidents in a methodical manner will help reduce chaos.
Incident management is an important tool in any service organization’s arsenal that helps to achieve its service commitments and system requirements resulting in maintaining normal operations and retaining satisfied customers.
Please contact us at Linford & Company if you would like more information regarding SOC reports. Our team of IT audit professionals complete Type I and Type II, SOC 1 audit reports (f. SAS 70 / SSAE 16), and SOC 2 audit reports on behalf of service organizations everywhere. We are available to answer any questions you may have to effectively address your audit needs and assist you in achieving your objectives.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.