Things to watch

The whole process of information security incident reporting and management is often poorly managed. There is often no adequate response plan and no ability to escalate incidents that are not resolved within an agreed time (if one has been defined). Often Auditees do not know what sorts of incidents they should report, to whom, and why. The usual answer given is either the Line Manager or the Help Desk. This may be right in a number of cases, but the Auditor will determine whether this answer is a guess or the result of understanding the incident reporting and management process. Often the definition of an incident to be reported is unclear or not defined - is yours? The Auditor will typically take one or more incidents that they discover, or some chosen at random, and follow each through from reporting (or discovery, if it has not been reported) to the closing of the incident and the lessons that can be learned from it. The Auditor will also determine whether effective action has been taken, by changing processes or implementing new controls, to reduce recurring incidents. The Auditor will also determine the number of incidents reported over a period of time and compare this against industry averages to get an indication of underreporting. Where appropriate, the Auditor will evaluate the efficiency (or otherwise) of the process of learning from incidents.
The Security Practitioner: An Introduction to Information Security