Methodology

Preparation & Planning

The most important aspect of incident handling is preparing the organisation to handle events that may occur. A cross-functional team should be defined with clear roles and responsibilities. Knowledge of the incidents that could occur and how they can be handled should be developed and shared to ensure an efficient organisational response. QCC help you identify the ideal response, test your scenarios and train your staff to deal with security incidents and minimise loss.

Notification

The general user community and any teams that could be hit by incidents need to utilise pre-defined communication channels and follow the set process. Front line incident handlers need to react to incidents, undertake the initial identification and escalate genuine events to the Incident Response Team (IRT). QCC will help you to identify the correct roles, skills and communications techniques to knit your notification requirements into a seamless process.

Identification

Once an incident is detected, the IRT needs to undertake a more detailed analysis and confirm the predefined incident resolution process that should be followed. As much as possible, the organisation should have agreed an incident classification, defined traps and mapped the processes that should be followed. QCC bring their considerable experience of dealing with security incidents to assist you in the identification process. We will teach you the techniques that can give clarity to what often appears as chaos.

Handling

This stage requires enacting the response process and forms the heart of your incident management strategy. The Investigation, Containment and Eradication of the incident causes are followed by Full Recovery of business systems and a Follow-Up step to ensure the response has been effective. In 'walking-the-walk', QCC can assist in professionally briefing your management, advising and supporting your staff and even managing specific security incidents to a successful conclusion. Where evidence of misuse is required, you can be sure that it will be collected swiftly and accurately, with full integrity and provenance, and can be used to protect your organisation when needed.

Aftermath

Post incident, the IRT, in conjunction with other relevant teams, should conduct a review of the technical components of the incident to determine what could be done to reduce the risk of recurrence. This could include risk assessments, review of policy or discussion with suppliers. It will identify options to tighten or re-position security controls and enact enforcement where needed. QCC bring their experience to bear in helping you to understand the root cause, identify trends and patterns in security incidents, re-assess risk and apply practical safeguards and compensating measures.

Responsibilities and Administration

Based on the post-incident review findings, the organisation needs to agree the final closure actions. These could include dissemination of new policy, realignment of asset ownership, running awareness campaigns, implementing patches or new countermeasures, and could also include disciplinary/legal actions where necessary. QCC can assist you to correctly identify the need to review responsibility in your organisation to ensure the incident management process is operating most effectively.


QCC Information Security
