Information Security Animations - Information Security Incident Management (Script)

Information Security Incident Management

Information security incidents generally refer to leakage of computer data, or to events that threaten the availability, integrity or confidentiality of an information system. Security incident handling is a series of ongoing procedures, covering:
- Before the incident: planning and preparation
- During the incident: response to the security incident
- After the incident: aftermath

Planning and Preparation

The first and foremost task in handling security incidents is to set out a comprehensive plan, and to devise appropriate procedures and implementation guidelines. Major tasks include:
(1) Security incident handling plan: define the scope, objectives and priorities for handling incidents.
(2) Reporting procedure: set out the steps for timely reporting of suspicious activities to all relevant personnel.
(3) Escalation procedure: compile in advance a contact list of decision makers for legal, technical and management issues, so that any incident can be reported promptly to the relevant parties and immediate action taken.
(4) Security incident response procedure: define the steps to follow when an incident occurs, for instance investigating the cause, minimising damage and restoring the system to normal operation.
(5) Training and education: all parties should be familiar with the incident handling procedures, including incident reporting, identification, and the actions needed to restore the system to normal operation.
(6) Incident monitoring measures: install intrusion detection tools; monitor for, detect and respond to system intrusions proactively.

Response to Security Incident

Responding to a security incident means acting promptly when an incident occurs so that the system can be restored to normal operation as soon as possible.
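The monitoring measure in item (6) above, together with the identification, escalation and containment stages described in the next section, as an added example that is not part of the original script: a small Python program that runs brute-force login detection over constructed sshd log lines, logs the occurrence with a SHA-256 snapshot of the evidence (so later tampering is detectable), assigns a severity that decides who is notified, and produces a containment rule. The threshold (5 failures from one address within 60 seconds), the log format, the notification lists and the iptables rule are illustrative assumptions, not anything the script prescribes.

```python
"""Toy incident pipeline: identify -> preserve evidence -> escalate -> contain."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not real data). One address hammers root,
# a second address fails twice over several minutes, and one login succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 50111 ssh2
2024-03-01T10:00:03Z sshd[1202]: Failed password for root from 203.0.113.7 port 50112 ssh2
2024-03-01T10:00:05Z sshd[1203]: Failed password for admin from 203.0.113.7 port 50113 ssh2
2024-03-01T10:00:08Z sshd[1204]: Failed password for root from 203.0.113.7 port 50114 ssh2
2024-03-01T10:00:12Z sshd[1205]: Failed password for root from 203.0.113.7 port 50115 ssh2
2024-03-01T10:00:15Z sshd[1206]: Failed password for root from 203.0.113.7 port 50116 ssh2
2024-03-01T10:00:20Z sshd[1207]: Failed password for bob from 192.0.2.9 port 40100 ssh2
2024-03-01T10:03:40Z sshd[1208]: Failed password for bob from 192.0.2.9 port 40101 ssh2
2024-03-01T10:04:02Z sshd[1209]: Accepted password for alice from 198.51.100.23 port 40022 ssh2
"""

# Assumed log format; real sshd output varies (e.g. "invalid user" lines).
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
THRESHOLD = 5        # assumed: failures needed to call it an incident
WINDOW_SECONDS = 60  # assumed: within this many seconds


def identify(log_text):
    """Stage 1 (Identification): decide whether an incident has occurred.

    Returns one incident per source IP that produced >= THRESHOLD failed
    logins inside any WINDOW_SECONDS window, with the raw lines as evidence.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, _user, ip = m.groups()
        if outcome == "Failed":
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            failures[ip].append((when, line))

    incidents = []
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i >= THRESHOLD:
                incidents.append({
                    "source_ip": ip,
                    "failures": j - i,
                    "first_seen": events[i][0].isoformat(),
                    "last_seen": events[j - 1][0].isoformat(),
                    "evidence": [line for _, line in events[i:j]],
                })
                break  # one incident per source is enough for the record
    return incidents


def evidence_digest(evidence_lines):
    """SHA-256 over the raw evidence lines, in order."""
    return hashlib.sha256("\n".join(evidence_lines).encode()).hexdigest()


def preserve(incident):
    """Log the occurrence and snapshot the evidence before anything is changed."""
    incident["evidence_sha256"] = evidence_digest(incident["evidence"])
    return incident


def verify_evidence(incident):
    """Later check that the recorded evidence still matches its snapshot hash."""
    return evidence_digest(incident["evidence"]) == incident.get("evidence_sha256")


def escalate(incident):
    """Stage 2 (Escalation): severity decides who from the contact list is notified."""
    targeted_root = any(" for root " in line for line in incident["evidence"])
    incident["severity"] = "high" if targeted_root else "medium"
    incident["notify"] = ["soc-oncall"] + (["security-manager"] if targeted_root else [])
    return incident


def contain(incident):
    """Stage 3 (Containment): block the source; quarantining the host stays a human decision."""
    incident["containment"] = f"iptables -I INPUT -s {incident['source_ip']} -j DROP"
    return incident


def handle(log_text):
    """Run identification, evidence preservation, escalation and containment in order."""
    return [contain(escalate(preserve(inc))) for inc in identify(log_text)]


if __name__ == "__main__":
    for inc in handle(SAMPLE_LOG):
        print(inc["severity"], inc["source_ip"], inc["failures"], inc["containment"])
```

The order of the calls is the point: the evidence hash is taken in `preserve` before `escalate` or `contain` touch the record, and `verify_evidence` re-derives it so that a record altered after the fact no longer verifies. Eradication and recovery are deliberately left out; what to patch, clean or restore depends on the root cause found during analysis, not on the detection itself.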
In general, response to a security incident involves five stages:
(1) Identification: determine whether an incident has indeed occurred; conduct a preliminary assessment; log the occurrence and take system snapshots before anything is changed, so that evidence is preserved for later analysis.
(2) Escalation: notify the relevant parties to obtain assistance and guidance.
(3) Containment: control the affected area and minimise damage; protect key resources; decide whether to suspend system operation, for example by shutting down or quarantining the host or system under attack to prevent collateral damage to connected systems.
(4) Eradication: eliminate from the computer the cause that triggered the incident. For example, remove malware (such as a virus) from an infected computer or medium, fix a security vulnerability by installing a patch or repair program, correct an inappropriate system configuration, change passwords, etc.
(5) Recovery: recover damaged or lost data; restore normal operation of the system.

Aftermath

After a security incident, follow-up actions should be taken to assess its cause and to strengthen security measures, so as to prevent recurrence of similar incidents. Follow-up actions include: post-incident analysis; a post-incident report; security assessment; review of existing protection measures; and investigation and prosecution.

Quiz

Please select the correct answer.

1. Which of the following is NOT regarded as a "response action" to be taken when a security incident occurs?
A) Training and education [Correct]
B) Escalation
C) Containment
D) Eradication

2. Which of the following is part of security incident handling?
A) Planning and preparation
B) Response to security incidents
C) Aftermath
D) All of the above [Correct]

To learn more about information security, please visit the InfoSec website at: http://www.infosec.gov.hk