Join Mike Chapple for an in-depth discussion in this video The manager's role in incident response, part of CISM Cert Prep: 4 Information Security Incident Management.
- [Instructor] Information security managers play an important role in the incident response process. Throughout this course, we'll discuss many of the nitty-gritty details of responding to an information security incident. We'll cover the process of identifying an incident, the ways that you can contain damage, mitigate the effects of an incident and recover your organization's operations. Unless you're part of a very small team, information security managers won't likely be performing many of these actions hands-on, but they will be responsible for leading the response efforts.
Incidents throw an organization into chaos. You often find yourself in an environment where technical issues are occurring, customers are demanding status reports, law enforcement is knocking on the door and there may even be media reports containing accurate and inaccurate information. During the early hours of an incident, there are more questions than answers and everyone in the organization is looking to the Information Security Manager to provide those answers. From the CEO to the Help Desk Team, everyone is reaching out, leading to a busy phone and a full inbox.
As a security manager, your most important role at this point is to create order in the midst of the chaos and shield your team from its effects. You need to absorb the brunt of the onslaught from outside your team and let the incident responders get their work done. It's extremely important that you don't add to the chaos yourself by interrupting the response effort. You've spent a lot of time and energy selecting a strong team and providing them with the training that they need to respond to an incident, and this is the time to trust in them and let them do their thing.
Of course, you're still the leader. You should keep in close touch with the technical leads on the incident response effort. They'll look to you for important decisions and guidance during the response. You'll need to continue to wear the dual hats of an information security manager. You need to help the organization achieve its security objectives, but you also need to balance those with the realities of the business environment. There's no time when this balance is more important than during a security incident response effort. Another important role of the information security manager is to ensure that the incident response effort is functioning hand-in-hand with the organization's business continuity and disaster recovery processes.
I cover those processes in the CISM Information Risk Management Course.