Security information incident (SII) management is an aspect of security management that is aimed at tracking, reporting, investigating, and dealing with vulnerabilities, issues, and security incidents (Rhodes-Ousley, 2013, p. 59). Incident response is a part of SII management; it involves the specific actions of a response team, which consists of a number of internal and external professionals (from various fields) who cooperate to handle emergencies or incidents (Rhodes-Ousley, 2013, p. 158). The latter can be defined as unexpected and potentially threatening events in information security (Tøndel, Line, & Jaatun, 2014).
SII management is of paramount importance for information security because it is not always possible to prevent emergencies, which means that they need to be managed to avoid grave consequences. In this paper, a case study of SII management is provided.
The article by Bartnes-Line, Tøndel, and Jaatun (2016) is devoted to modern SII management practices, and it singles out several self-reported cases of SII experienced by Norwegian distribution system operators (DSOs) in the electric power industry. Bartnes-Line et al. (2016) find that the DSOs studied report no serious SIIs, but that less significant SIIs do occur; these are usually related to “vulnerabilities in software that required patches, malware infections, breaches of procedures,” certain unintentional “mishaps,” and technical failures (p. 19). The authors choose not to name the DSOs, but they cite one case encountered by the second DSO that they investigated. It involved the control system being infected by a virus, the source of which was never identified. The SII did not cause any direct damage, but it reduced the operating efficiency of the system. It is noteworthy that no active antivirus software was in place at the time. The DSO handled the issue by organizing clean-up efforts that were extensive and very resource-consuming.
The DSO reported being 100% dependent on its control systems (Bartnes-Line et al., 2016, pp. 15, 17), which highlights the fact that a more serious SII of a similar type could paralyze its work and result in noticeable damage. Apart from that, both at the time of the incident and at the time of the investigation by Bartnes-Line et al. (2016), the DSO did not have a well-defined response team with strictly determined responsibilities. The interviewee pointed out that no issues had occurred because of this, but admitted that in a worst-case scenario, problems would probably arise (p. 20).
Bartnes-Line et al. (2016) point out that the majority of the investigated DSOs, including the DSO from the case, demonstrated a lack of experience and preparedness for SII even though their dependence on IT was very significant. The authors also note that DSO security training rarely focuses on SII. The described DSO did not report any particular lessons learned that were used to improve its preparedness, which can be explained by the fact that the incident was regarded as a minor one.
In general, the case appears to demonstrate a rather flawed approach to SII management. Even though the direct response can probably be described as appropriate (the problem was detected and successfully eliminated), the fact that no attempts to improve preparedness were made does not seem acceptable. Planning, strategy construction, the development and implementation of particular procedures, training, and the establishment of a response team with clearly defined responsibilities are important parts of SII management (Ahmad, Maynard, & Park, 2012; Bartnes-Line et al., 2016; Cichonski, Millar, Grance, & Scarfone, 2012). The present case study indicates incomplete and inappropriate planning (the lack of active antivirus software in an IT system that is crucial for the company’s functioning), potentially deficient training and procedures, and the lack of a response team; these are weaknesses that should be eliminated. More attention should also be paid to considering lessons learned and using the experience gained from SIIs to improve the system (Bartnes-Line et al., 2016; Tøndel et al., 2014). Finally, it may be necessary to raise the DSO’s awareness of the importance of SII management, which will naturally result in greater interest in this area of security.
References
Ahmad, A., Maynard, S., & Park, S. (2012). Information security strategies: Towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370.
Bartnes-Line, M., Tøndel, I., & Jaatun, M. (2016). Current practices and challenges in industrial control organizations regarding information security incident management – Does size matter? Information security incident management in large and small industrial control organizations. International Journal of Critical Infrastructure Protection, 12, 12-26.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST Special Publication 800-61, Rev. 2). Gaithersburg, MD: National Institute of Standards and Technology.
Rhodes-Ousley, M. (2013). Information security: The complete reference (2nd ed.). New York, NY: McGraw-Hill.
Tøndel, I., Line, M., & Jaatun, M. (2014). Information security incident management: Current practice as reported in the literature. Computers & Security, 45, 42-57.