SB.4.001 Incident response procedure
The organisation has processes for IT incidents in place. IT incidents are evaluated if they are potential security incidents.
(Potential) Security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluating the relationship to other reports/alarms and root-cause analysis.
Security Incidents are evaluated (either aggregated or individually, based on the severity) and appropriate measures are taken to prevent future occurances of the incidents.
Information on security incidents is handled on a need-to-know basis.
Security incidents involving Personally Identifiable Information (PII) are also considered a possible data breach and handled accordingly.
IT security incident handling needs mandate to take preventive measures to stop a security incident from causing (more) damage.
The security incident process has 6 phases:
- Preparation: information needed to handle security incidents is available to security incident handlers and they are trained in handling these incidents
- Identification: incidents that happen are detected, classified, registered and handled
- Containment: the impact of the security incident is minimized
- Eradication: the cause of the incident is stopped
- Recovery: service is returned to normal
- Lessons learned: the incident is evaluated and improvements are recorded
More information on computer security incident handling teams can be found in Guide to setting up a Computer Security Incident Response Team (CSIRT):