ISO IT Standards on Security Incidents
ISO standard 18044 was the standard for information security incident management. ISO 18044 states that information systems should have high standards for availability, integrity and confidentiality. ISO 18044 was published in 2004. ISO 18044 was revised and eventually replaced by ISO standard 27035 in 2011.
What are the other major industry standards in IT incident reporting? What do these and related IT security standards say regarding incident reporting?
Terminology Used in ISO 18044 and ISO 27035
ISO 18044 classified an information security event as any security breach, real or perceived. Any security hole, whether or not it has been exploited, and any unknown system activity that poses a security risk is also classified as an information security event. An information security incident is any event in which information security was compromised or could be compromised.
Accidental leaks of sensitive information by employees, suspected attempts to access the network by unauthorized parties and unwanted network activity that signals an attempt by intruders to access the system are considered "incidents". Incidents are more serious than events, since an incident is something that must have a significant probability of compromising information security. Events are merely possible threats and identified risks.
Information security management encompasses all activities to minimize information security risks. Risk assessments, communication of possible threats and efforts to mitigate risks all fall under information security management. ISO 18044 applies to information systems. Information systems include hardware, software, IT policies, user behaviors, networks and communication technologies.
ISO 18044 uses the term availability to refer to the up-time of information systems and to whether information is available to those who need it and have the right to access it. Availability means not only that the systems are up and running but that there is enough bandwidth, and proper user rights management, for users to access what they need when they need it.
ISO 18044 defines information system integrity as the certainty that only authorized people make changes to information and hardware, while unauthorized groups and individuals cannot make changes. Integrity also means that policies like access control limits are applied consistently across all sites. The rules on access to information and limits on the ability to make changes are the same for everyone.
Confidentiality refers to all protections against deliberate or accidental disclosure. Loss of confidentiality means that information that was protected was released.
Loss of confidentiality can occur through accidents, such as emailing a document to an external contractor instead of an internal employee with the same name, or through deliberate leaks, such as sending customer lists to a personal email address before leaving the company. It can also occur when suppliers are sent higher-level assembly drawings containing proprietary information along with the lower-level part drawings they need to build the parts they are contractually required to build.
ISO 18044 uses the term control to mean anything that reduces risk in the information system: any safeguard or countermeasure against loss of confidentiality or against threats that would shut down a system.
What Does ISO 18044 Do?
ISO 18044 requires companies to have policies and procedures in place to allow for the rapid identification of new threats and ways to deal with them quickly. Companies must have documented policies to respond to security threats and leaks.
ISO 18044 requires organizations to put controls in place to protect the confidentiality and integrity of data. These controls may be physical protections such as routers with built-in firewalls, information security policies that limit users' access to information they should not see, administrative controls such as vetting users before they are granted access to systems, and technical controls such as biometric identification and badge readers that limit access to systems to authorized individuals.
Information security incidents must be tracked so that organizations can understand how often they are occurring.
This information can be used to determine the root causes of security breaches and potential problems so that these risks can be mitigated. Incidents are prioritized based on the possible harm and impact the incident causes, with faster response times required for serious breaches and incidents affecting many users. Intrusion detection systems, security audits and network monitoring can be part of the policies and protective measures put in place in accordance with ISO 18044. These requirements are carried into the ISO 27000 IT security standards.
Related IT Security Standards
The ISO 27000 series of standards is the new family of standards for IT security and security management. ISO 27001 is the standard for information security management systems. ISO 27002 is the standard for information security management.
ISO 27004 outlines ways to measure the effectiveness of information security management systems and their improvement over time. ISO 27005 gives ISO's guidelines for defining information system risks and recommendations for managing them.
ISO Guide 73 gives the terminology used for all risk management standards, including the IT risk management portions of the ISO 27000 standards family.