Our Security Incident Management process in Remedy today is very simplistic at this stage; most of it is focused on categorising the different Security Incident types (using Op Cats) and on customised alert notifications that are sent to the relevant local Security team(s) when a security breach/incident is recorded.
My high-level view is that Security Incident Management would need to be treated differently from the standard incident flow, as sensitive issues could be reported where the business may not want to publicise the full investigation output to all users who have access to view tickets for the company, e.g. stolen/damaged devices etc. (similar to HR-related activities).
It would be really useful if this helped support ISO/IEC 27002 and allowed the full life-cycle to be easily fed from Remedy into information security reviews, and potentially a feed into Risk Management / Security Audits etc.
In our organization, we are planning to implement security incident management. We are thinking of using the new AR security model starting from 9.1 (choosing support group for the Application Permission Model). Obviously we are assessing the impact of this, since our security model was based on company. Changing from company to support group may bring a lot of challenges, which is why we are still figuring out the side effects of this for our customers, support teams, etc. We have a lot of questions now and are searching for answers and experiences from others.
With the support group security model, we would like to manage security incidents like this:
- A user (client, customer, employee, etc.) raises a ticket with the service desk.
- After investigation, the service desk assigns the ticket to the security group.
- The security team decides whether the ticket should be treated as a "security incident".
- The security team creates a new "security incident" ticket and assigns it to themselves. The customer, contact and owner group of this new ticket are all set to the security team, so it cannot be viewed by others.
- The original ticket (raised by the user) is related to the security incident ticket. Only members of the security team have access to the security incident ticket.
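As an added illustration (not BMC Remedy code and not the poster's configuration), the following toy model shows the shape of the visibility rule the workflow above relies on: under a company-based model every user in the company can open the security incident, while under a support-group model only the customer/contact, owner group and assigned group can. It also models the one place this design tends to leak, the relationship between the two tickets: if the relationships view renders the related ticket's summary regardless of whether the viewer may open it, the restricted content is exposed anyway. All field names, group names, logins and tickets are hypothetical, constructed for the walkthrough.

```python
# Added illustration, not BMC Remedy code: a toy model of the ticket-visibility rule
# described in the post above. Field names, group names and tickets are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    login: str
    company: str
    groups: frozenset  # support groups the user belongs to (hypothetical field)


@dataclass
class Ticket:
    ticket_id: str
    summary: str
    company: str
    customer: str        # login of the Customer/Contact on the ticket
    owner_group: str     # support group that owns the ticket
    assigned_group: str  # support group currently assigned
    related: set = field(default_factory=set)  # IDs of related tickets


def can_view(user: User, ticket: Ticket, model: str) -> bool:
    """Decide read access under one of the two permission models.

    'company': anyone in the ticket's company may read it (the poster's old model).
    'group':   only the Customer/Contact, the owner group and the assigned group may.
    """
    if model == "company":
        return user.company == ticket.company
    if model == "group":
        return user.login == ticket.customer or bool(
            {ticket.owner_group, ticket.assigned_group} & user.groups
        )
    raise ValueError(f"unknown permission model: {model!r}")


def readable_by(ticket: Ticket, users, model: str) -> set:
    """Logins that can open `ticket` under `model`; useful for spotting leaks."""
    return {u.login for u in users if can_view(u, ticket, model)}


def relationships_tab(user: User, ticket: Ticket, index: dict, model: str) -> dict:
    """What a relationships view should expose to `user` for `ticket`'s related tickets:
    the summary if the user may open the related ticket, otherwise only the bare ID.
    Rendering the summary regardless would leak the restricted ticket's content."""
    tab = {}
    for rid in sorted(ticket.related):
        other = index[rid]
        tab[rid] = other.summary if can_view(user, other, model) else "<restricted>"
    return tab


# Constructed sample data for the walkthrough (no real users or tickets)
COMPANY = "Example Corp"
employee = User("jdoe", COMPANY, frozenset())
servicedesk = User("sdesk1", COMPANY, frozenset({"Service Desk"}))
analyst = User("sec1", COMPANY, frozenset({"Security Team"}))
USERS = (employee, servicedesk, analyst)

# Steps 1-2: the user's own ticket, raised at the service desk and assigned on to security
original = Ticket("INC000001", "Laptop missing after offsite visit", COMPANY,
                  customer="jdoe", owner_group="Service Desk",
                  assigned_group="Security Team")
# Step 4: the separate security incident, with customer, owner and assignee all security
secinc = Ticket("SEC000001", "Stolen laptop held unencrypted HR exports; legal notified",
                COMPANY, customer="sec1", owner_group="Security Team",
                assigned_group="Security Team")
# Step 5: relate the two tickets
original.related.add(secinc.ticket_id)
secinc.related.add(original.ticket_id)
INDEX = {t.ticket_id: t for t in (original, secinc)}


if __name__ == "__main__":
    for model in ("company", "group"):
        print(f"{model:8} SEC000001 readable by: {sorted(readable_by(secinc, USERS, model))}")
    print("service desk sees on INC000001:", relationships_tab(servicedesk, original, INDEX, "group"))
    print("analyst sees on INC000001:     ", relationships_tab(analyst, original, INDEX, "group"))
```

The model only shows the intended shape of the rule; the real check is against a Remedy test instance, where the relationships tab, search results, reports and the alert notifications mentioned earlier are each a separate path that can expose the security incident's summary or notes to users who cannot open the ticket itself.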