Management of reported events

The organization shall ensure that clear persons are assigned to incident management responsibilities, e.g. handling the first response for incidents.

Incident management personnel need to be instructed and trained to understand the organization's priorities in dealing with security incidents.

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

• the reported incident is confirmed (or found unnecessary to record)
• the type and cause of incident is documented
• the risks associated with the incident are documented
• the risks are re-evaluated and treated if that is necessary after the incident
• risk mitigation measures or a decision their acceptance is documented
• people who need to be informed of the results of the incident treatment are identified (including external ones)
• possible need for a post-incident analysis is determined

Organisation should have a procedure for categorizing security incidents during processing. The incident should be categorized to at least the following categories:

• Personnel
• Physical
• Cyber

The incident should then be qualified based on it's effects for example into:

• Not security relevant
• Observation
• Suggested improvement
• Vulnerability
• Security incident

The incidents should then be prioritized based on the severity of the incident.

Our organization has pre-defined procedures through which the detected security breach will be addressed. The process may include e.g. the following things:

• who are part of a team that is ready to respond to breaches
• how and along what channel the entire team is immediately notified of the breach
• the team determines the severity (low, medium, high) of the breach based on predefined criteria
• the breach management is continued with a larger group according to the severity level

The organization has defined a process and the team involved in responding promptly to security incidents and deciding on the appropriate actions.

The first level response process includes at least:

• effectively seeking to confirm the identified incident
• deciding on the need for immediate response

The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management.

Linked personnel can be documented on an optional field on the incident documentation template.

The knowledge gained from analyzing and resolving security incidents should be used to reduce the likelihood of future incidents and their impact.

The organization regularly analyzes incidents as a whole. This process examines the type, amount and cost of incidents with the aim of identifying recurrent and significant incidents that need more action.

If recurrent incidents requiring response are identified, based on them:

• new management tasks are created or current ones expanded
• security guidelines in this area are refined or extended
• a case example of the incident is created that is used to train staff to respond to or avoid similar incidents

If it is difficult to identify the source of a security incident based on the primary treatment, a separate follow-up analysis is performed for the incident, in which the root cause is sought to be identified.