I'm currently looking into reporting processes in information security and I was wondering what kind of information should be reported when an IT security event or incident occurs.

The definitions of those would be (taken from ISO/IEC 27000:2016):

information security event

identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant

information security incident

single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

To give a bit of context: Think of a really large company that has about 150 locations. Most of these locations employ around 30 up to 500 employees. I would estimate the median to be at about 120 employees. All in all we are talking about roughly 70,000 employees. Each location has its own reporting process. This doesn't mean that there are 150 different processes; most of them will look pretty much the same with only minor differences. I would guess that there are probably 4 types of processes out there at the moment:

  1. process type 1 (70% of all locations have this)
    • an incident occurs
    • the affected employee reports the incident to the people responsible for IT security in this specific location
    • the affected employee fills out a form that requires him to put in a very small set of information
    • the form is sent to the technical staff located on-site, who then try to fix the problem
  2. process type 2 (15% of all locations have this)
    • an incident occurs
    • the affected employee reports the incident to the technical staff or someone he/she thinks is responsible, but there is no-one responsible for IT security on-site
    • the affected employee fills out a form that requires him to put in a very small set of information
    • the form is sent to the technical staff located on-site, who then try to fix the problem
  3. process type 3 (10% of all locations have this)
    • an incident occurs
    • the affected employee reports the incident to a big central location that manages all IT infrastructure for several locations, including this one. There is no-one responsible for IT security on-site.
    • the affected employee fills out a form that requires him to put in a very small set of information
    • the form is sent to the technical staff at the central location, who then try to fix the problem
  4. process type 4 (5% of all locations have this)
    • an incident occurs
    • the affected employee cannot report the incident, because there is no-one responsible for IT security on-site or at the central location specifically for this site
    • the affected employee tries to come up with a solution him/herself and then contacts a third-party vendor
    • no information is put into any forms

This situation itself is problematic, but this is not all. From time to time, information security incidents happen in bulk at several locations. If the incidents happen at locations where there are also people responsible for IT security on-site, most of the time these people are qualified enough to call in to the central location and warn them about a possible company-wide security threat. The central location can then react and pull in all the forms that have been filled out by affected employees. In cases like this, the right information that helps to solve/fix incidents like this is very valuable.

You can imagine that for a company this big, basically every kind of attack is possible/probable. There are a lot of security controls in place, but it still happens.

My question is: What kind or type of information should that be in an environment like the one described?

How can I design a form in such a way that it is easy enough to fill out for non-tech-savvy personnel, but informative enough for technical staff to gain good and interesting information to fix a grave IT security incident?

EDIT 1: This company has a company-wide CERT that is located at the central location, and the CERT is where the forms would be analyzed. I will edit this question again later on to provide some more details on what exactly I have in mind.

Tom K.

1 Answer

From a forensics point of view, all information is possibly valuable. This includes all the network traffic, all traffic to and from the internet (including possibly TLS-encrypted connections to private web mailers), and images of all thumb drives and mobile hard drives used prior to the incident.

Yet, your question aims for forms to be filled out by employees. While this might cause some argument as this is a matter of opinion, I'll try and sketch what I'd find useful.

Generally, more specific information is more useful than generic information. While not all employees might answer technical questions correctly, those who do might have valuable information to share. Thus, asking technical questions is generally a good idea.

When the analysts do identify what kind of problems are to be suspected, they might want to contact employees directly and ask specific questions. Thus, contact information should be put in the forms.

Because specific questions often lead to people leaving out important things that they deem irrelevant, a good approach would be to ask them to describe in detail what they were doing before the incident occurred, in a reasonable timeframe of maybe 15 minutes.

Additionally, you should ask about each single security policy. Is it known to the employee? Did the employee follow the policy? If not, why not and in what ways? And make sure there is no retaliation to be feared for breaking company security policies.

There are two reasons for this: sometimes, policies are avoided for a better or easier workflow. Such cases can be reviewed, and better approaches to ease the workflow can be engineered for the future. Secondly, avoiding security policies is often the problem, and you want first and foremost to handle the incident, not punish employees.

Regarding the policies, after a disclaimer that none of the information will have disciplinary fallout and their boss will never know, an example question could look like: "You are not allowed to use thumb drives. Do you know that? Did you follow that? If not, please supply the thumb drive(s) you used."

Edit: while this is not within the scope of your question, those reports should be kept and assessed by a company-wide CERT; they should have all information about all local subsidiaries, even if the incident can be handled by the local IT professionals after the central CERT has assessed the incident.

Tobi Nary
  • Thank you for your answer. I will comment/edit my question more in-depth later on, but on first glance especially the points made about policies (and violation of these policies) seem like good advice. – Tom K. Aug 19 '17 at 10:09
  • If you have a follow-up question, feel free to ask another question and link to this one instead of retroactively editing this question. @Tom, your first edit looks like you are changing the focus of the question from the information itself to the ways information is shared and used. – Tobi Nary Aug 19 '17 at 10:18
  • I will do that. – Tom K. Aug 23 '17 at 07:48
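The fields the answer recommends (contact information, a free-text account of the 15 minutes before the incident, and a known/followed/why-not triplet per policy) can be captured as a structured record that the central CERT can both validate and correlate across locations, which is the "incidents in bulk at several locations" case from the question. The following is an added example, not code from the question, the answer or any product: the symptom pick-list, the policy catalogue, the field names and the sample reports are all constructed assumptions. It validates a submitted form, flags a symptom reported from several locations within a time window as a candidate company-wide event, and aggregates policy answers without reporter identity so workflow problems can be reviewed without pointing at individuals.

```python
"""Added example: structured incident report, validation, cross-location
correlation and an anonymised policy-gap summary. All names, field names,
policies and sample reports below are constructed assumptions."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed pick-list: a short, non-technical symptom menu is easier for
# non-tech-savvy staff than free-text classification and is what allows the
# CERT to correlate reports coming from different locations.
SYMPTOMS = {"phishing-mail", "ransom-note", "unexpected-popup",
            "unknown-usb-device", "account-locked", "other"}

# Constructed policy catalogue: id -> short description shown on the form.
POLICIES = {"POL-USB": "No personal thumb drives",
            "POL-MAIL": "No private webmail on company devices"}


@dataclass
class PolicyAnswer:
    policy_id: str
    known: bool          # Is the policy known to the employee?
    followed: bool       # Did the employee follow it?
    deviation: str = ""  # If not: why and how (feeds the workflow review)


@dataclass
class IncidentReport:
    report_id: str
    location: str
    observed_at: datetime
    symptom: str
    contact: str     # how analysts can reach the reporter for follow-up
    narrative: str   # what the reporter did in the ~15 minutes before
    policies: list[PolicyAnswer] = field(default_factory=list)


def validate(report: IncidentReport) -> list[str]:
    """Return the list of problems with a form; empty means complete."""
    problems = []
    if report.symptom not in SYMPTOMS:
        problems.append(f"unknown symptom '{report.symptom}'")
    if not report.contact.strip():
        problems.append("missing contact information")
    if len(report.narrative.split()) < 5:
        problems.append("narrative too short to be useful")
    answered = {p.policy_id for p in report.policies}
    for missing in sorted(set(POLICIES) - answered):
        problems.append(f"policy {missing} not answered")
    for p in report.policies:
        if not p.followed and not p.deviation.strip():
            problems.append(f"policy {p.policy_id} not followed, no reason given")
    return problems


def correlate(reports, window=timedelta(hours=24), min_locations=3):
    """Flag symptoms reported from >= min_locations distinct locations
    within `window`; returns {symptom: sorted locations} for flagged clusters."""
    by_symptom = defaultdict(list)
    for r in reports:
        by_symptom[r.symptom].append(r)
    flagged = {}
    for symptom, rs in by_symptom.items():
        rs.sort(key=lambda r: r.observed_at)
        for i, start in enumerate(rs):  # sliding window over ordered reports
            locs = {r.location for r in rs[i:]
                    if r.observed_at - start.observed_at <= window}
            if len(locs) >= min_locations:
                flagged[symptom] = sorted(locs)
                break
    return flagged


def policy_gaps(reports) -> dict[str, Counter]:
    """Per-policy counts of 'unknown' and 'not_followed', with no reporter
    identity, so the CERT can review awkward policies rather than people."""
    out = {pid: Counter() for pid in POLICIES}
    for r in reports:
        for p in r.policies:
            c = out.setdefault(p.policy_id, Counter())
            if not p.known:
                c["unknown"] += 1
            if not p.followed:
                c["not_followed"] += 1
    return out


# Constructed sample reports (hypothetical locations and contacts).
T0 = datetime(2017, 8, 19, 9, 0)
SAMPLE_REPORTS = [
    IncidentReport("R1", "Hamburg", T0, "unknown-usb-device", "a.b@example.invalid",
                   "Found a thumb drive in the car park and plugged it in to see whose it was",
                   [PolicyAnswer("POL-USB", True, False, "wanted to find the owner"),
                    PolicyAnswer("POL-MAIL", True, True)]),
    IncidentReport("R2", "Munich", T0 + timedelta(hours=2), "unknown-usb-device", "c.d@example.invalid",
                   "Opened a drive a colleague gave me and a window popped up briefly",
                   [PolicyAnswer("POL-USB", False, False, "did not know the rule"),
                    PolicyAnswer("POL-MAIL", True, True)]),
    IncidentReport("R3", "Berlin", T0 + timedelta(hours=5), "unknown-usb-device", "e.f@example.invalid",
                   "Plugged in a drive from the trade fair to copy brochures",
                   [PolicyAnswer("POL-USB", True, False, "needed the files"),
                    PolicyAnswer("POL-MAIL", True, True)]),
    IncidentReport("R4", "Hamburg", T0 + timedelta(days=3), "phishing-mail", "g.h@example.invalid",
                   "Received a mail asking me to log in to a parcel tracking site",
                   [PolicyAnswer("POL-USB", True, True), PolicyAnswer("POL-MAIL", True, True)]),
    IncidentReport("R5", "Cologne", T0 + timedelta(days=3, hours=1), "phishing-mail", "",
                   "Clicked a link", [PolicyAnswer("POL-USB", True, True)]),  # incomplete form
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.report_id, validate(r) or "ok")
    print("company-wide candidates:", correlate(SAMPLE_REPORTS))
    print("policy gaps:", {k: dict(v) for k, v in policy_gaps(SAMPLE_REPORTS).items()})
```

The symptom pick-list does the work that free text cannot: three staff at three sites writing three different stories about a thumb drive still produce the same `unknown-usb-device` value, which is what lets the CERT see the cluster. The narrative and contact fields remain for the analyst follow-up the answer describes, and the policy summary deliberately drops the reporter so that it serves workflow review, not discipline.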