SimpleRisk is a fully integrated GRC platform that can be used to meet all of your Governance, Risk Management and Compliance needs. It boasts functionality that is comprehensive enough to be utilized by some of the largest organizations on the planet while presenting a user interface that is so simple and intuitive it can be used by the least technical people in your organization.
Our SimpleRisk Core can be downloaded for free from our website, installed in minutes, and provides all of the capabilities that you need when first launching your GRC program. As your organization grows and matures its processes, our SimpleRisk Extras are licensed modules that provide enhanced functionality on par with competitors that cost orders of magnitude more and require months of professional services to install and configure. There's no need to waste all of that time and money when you can be up and running with SimpleRisk today.
What is Incident Management?
An incident is an event that could lead to the loss of, or disruption to, an organization's operations services or functions. Incident Management is the term used to describe the activities which an organization takes to identify, analyze and correct hazards to prevent a future re-occurrence. If an incident is not managed, it can escalate into an emergency, crisis or disaster. Our goal with Incident Management is to limit the potential disruption caused by such an event in order to return to business as usual, as quickly as possible. If we do not perform effective Incident Management, an incident has the potential to disrupt business operations, information security, IT systems, employees, customers and other vital business functions.
Preparing for an Incident
The NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide provides a wealth of information on incident response. Our goal with any incident should be to respond as quickly and effectively as possible. A major benefit to having an Incident Management system is that it enables organizations to follow a consistent methodology and respond in a systematic fashion, ensuring that the appropriate actions are taken. Every organization should begin by documenting an Incident Response Policy, Plan and Procedure. The Policy should cover the statement of management commitment, policy objective, scope, definitions for key terminology, organizational structure and role definition, instruction on how to prioritize incident severity, performance measures, and reporting information. The Plan is like a roadmap for implementing the incident response capability. It covers the mission, strategies and goals, internal and external communications, metrics for measuring effectiveness, and the roadmap for maturing capabilities. Procedures should be based on the policy and plan and detail the specific technical processes, techniques, checklists and forms used by the Incident Response team. All of this documentation should be published in a location where all employees have access and updated at least annually.
In addition to documenting your Policy, Plan, and Procedures, there are a number of other things that an organization will need to do to prepare for an incident. These include:
- Communications: An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.
- Facilities: An organization should have procedures defined for a "war room" to gather team members for centralized communication and coordination.
- Hardware: There are a number of physical resources that an organization will want to have on-hand to be prepared for handling an incident.
- Software: There are a number of software resources that an organization will want to have available, with staff appropriately trained, in order to handle an incident.
- Resources: An organization should have environment-specific documentation readily available for in-depth analysis required to handle an incident.
In SimpleRisk, we provide you with a checklist for each of these categories in order to ensure that you have taken the steps necessary so that you are ready when an incident occurs.
Identifying an Incident
For many organizations, one of the most challenging parts of the incident response process is accurately detecting and assessing possible incidents. For each incident which has been detected, we will need to identify the type, extent and magnitude of the problem. What makes this especially difficult is that most organizations have a variety of different means through which to detect incidents, with varying levels of detail and fidelity. On automated systems, the volume of potential signs of incidents is typically high, so we have to be able to analyze these events to determine the actual incidents. Even that can be difficult as deep, specialized technical knowledge and extensive experience are often necessary for proper and efficient analysis of incident-related data. Signs of an incident fall into two categories:
- Precursors: A sign that an incident may occur in the future.
- Indicator: A sign that an incident may have occurred or may be occurring now.
Since your organization likely already has a wealth of tools to identify these precursors and indicators, the incident identification capability in SimpleRisk is focused more around how we can intake this data and normalize it for more efficient analysis and reporting. Each detection is classified into the Direction, Attack Vector, what detected the incident, and when the incident was detected/began. From there, we can assign the incident to key stakeholders for response and remediation, prioritize the incidents so that the most severe issues get handled appropriately, and provide context through location and associations.
Responding to an Incident
When we identified our incident, we defined three values that will help us to prioritize our response to this incident versus any other incidents that are currently active. These values are:
- Functional Impact: Impact on the business functionality of the involved object and subject.
- Information Impact: Impact on confidentiality, integrity and/or availability of information or IT infrastructure.
- Recovery: Amount of time and resources needed for investigation and remediation.
There is a score associated with the potential responses for each of these values. Those scores are then added together in order to determine the incident priority. The higher the number, the higher the priority. We can use these values to drive other actions, as well, such as involvement with management or executives, the need to bring in members of the legal team or outside council, or the need to hire a third-party incident response firm.
Now that we've determined our incident's priority, we can focus on the actual remediation effort. This is split into three phases. In the Containment phase, we are looking to identify the systems affected by the incident, determine the scope, and determine if other systems are at risk of compromise. In the Eradication phase, we are looking at how do we eliminate the incident from our environment which may involve system patching, malware removal, and other security configuration changes. In the Recovery phase, we are trying to restore our operations to their state prior to the incident. SimpleRisk contains nine playbooks, by default, which provide suggested actions to take in each of these phases. These playbooks include common incident types such as:
- Malware Outbreak
- Data Theft
- Virus Outbreak
- Denial of Service
- Unauthorized Access
- Elevation of Privilege
- Root Access
- Improper Usage
As you respond to the the incident, SimpleRisk also provides the ability to attach evidence documenting your activities, as well as the ability to add notes to the incident to document the steps taken.
SimpleRisk was designed from the ground up to be as simple and intuitive as possible in order to enable users of varying skill levels to be effective using it. With the addition of the Incident Management Extra, SimpleRisk can now not only handle the Governance, Risk Management, and Compliance needs of organizations, but also their Incident Management needs, as well. We would welcome having an opportunity to join you on your Incident Management journey and would encourage you to schedule a call with our team, where we can discuss your requirements and demonstrate, firsthand, how SimpleRisk can help you accomplish your goals.