Rapid Reaction: What is a security incident?

This is the second article in a series that aim to help organisations build and maintain their information security incident management and response capability.

In the previous article I introduced the issue of the general deficiency of effective incident management and response processes in many organisations. But what is a security incident? The short answer is: it depends! It is up to each organisation to define what kinds of events it determines to be a security incident.

ISO 27035 defines information security incident as a: “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security”. It also defines an information security event as: “identified occurrence of a system, service or network state indicating a possible breach of information security, policy or failure of controls, or a previously unknown situation that may be security relevant”.

In simple words, any security breach can be considered a security event. It is up to you to decide the threshold (or criteria) at which an event or a series of events become an incident. For example, the regular scanning and probing of internet facing services could be considered events. However, you need to define the number of scans and probes (occurring from a certain source or on a certain service) that promotes it to be an incident. You might also decide that any scan or probe performed on internal services or networks qualifies to be an incident. Accordingly, the first step to create an effective incident handling process is to come up with your own definition of a security incident.

It is also important to clarify the ambiguity around the terms incident handling, incident response and incident management. Incident handling is an organisational capability that covers incident reporting, analysis and response. When incidents are reported or detected, they are triaged, analysed and responded to (incident response). This process is referred to as incident handling. Incident management is a group of organisational capabilities for providing an end-to-end management of security incidents and events. Incident handling is one of the capabilities of incident management which includes vulnerability handling, evidence handling, security alerts, security awareness etc.

In conclusion, I’d recommend that your organisation should at least establish an information security incident handling capability (in-house or outsourced) and create an incident handling process to outline how incidents are reported, triaged, analysed and responded to. But more importantly, the first step is to define what qualifies as a security incident for your specific organisation.

In the next episode I will provide an overview of the information security incident handling capability, as well as incident response steps.