ISO/IEC 27001 Control 5.24: Information security incident management planning and preparation

Control

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages, making the implementation more efficient and reliable.

Implementation Overview

MidPoint can provide useful information for the preparation of incident management plans. MidPoint roles can be used to pre-configure emergency access control, which can then be used during incident response.

Implementation Details

The reporting capability of midPoint can be used to provide information necessary for incident response, e.g. it can provide information about the magnitude of the user population that can be affected by certain incident types. The simulation capability can be used to predict the effects of identity-based incidents, e.g. to predict the effect of an attacker gaining a particular role in the system. The midPoint policy-based RBAC mechanism can be used to pre-configure emergency access privileges for incident responders. Such privileges are not active during normal operation, yet they can be easily activated during incident response or an emergency.

Implementation Notes

  • Emergency privileges for incident responders are configured in the form of conditional inducements in the usual (business) roles for incident responders. The condition evaluates to `false` during normal operation and can be quickly changed to `true` for incident response, which grants the privileges. The privileges can be easily removed when the incident is handled.

Rationale

Reporting and simulation can provide essential information for planning. The ability to pre-configure emergency access control can provide an important advantage for rapid incident response.
