An internal security response center serves as a central location for the analysis and investigation of potential security incidents. To serve in that role, the security response center should consider, evaluate, and respond to both external threats and internal vulnerabilities. Sources of external threat information include industry information sharing and analysis centers (ISACs), InfraGard, mailing lists, and commercial reporting services. Internal vulnerability information is available from condition reporting and activity monitoring. Security response centers should be able to access all relevant internal vulnerability information in a read-only manner. That data may reside in centralized log repositories, on the devices that perform the logging, and in the results of self-assessments and independent tests. Security response centers should also have tools available to analyze the logs and to perform ad hoc activity monitoring. Other useful data sources are reports of anomalies in network performance, host performance, and the end-user experience. The latter covers internal users as well as contractors and customers who use the institution's systems.
Because the identification of incidents requires monitoring and management, response centers frequently use SIM (security information management) tools to assist in the data collection, analysis, classification, and reporting of activities related to security incidents.
The security response center should be governed by policies and procedures that address security incidents:
Additionally, a policy should address who is empowered to declare an incident to be an intrusion.
The effectiveness of a security incident response center is also a function of the training and expertise of the security analysts. A financial institution should ensure that its analysts are sufficiently trained to analyze network and host activity appropriately and to use the monitoring and analysis tools made available to them.