ISO/IEC 27001 Control 5.24: Information security incident management planning and preparation

Control

The organization should plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

MidPoint can provide useful information for preparation of incident management plans. MidPoint roles can be used to pre-configure emergency access control which can be used during incident response.

Implementation Details

The reporting capability of midPoint can be used to provide information necessary for incident response, e.g. the magnitude of the user population that can be affected by a certain incident type. The simulation capability can be used to predict the effects of identity-based incidents, e.g. the effect of an attacker gaining a particular role in the system.

MidPoint's policy-based RBAC mechanism can be used to pre-configure emergency access privileges for incident responders. Such privileges are not active during normal operation, yet they can be easily activated during incident response or an emergency. Policy rules can be used to make sure that the system is prepared for incident response, e.g. that each application has an owner who can assist with incident response.

The goal of this control is to ensure a quick, efficient and organized reaction to incidents. A reasonable degree of automation, such as the automation that midPoint can provide, is key to reaching this goal. Synchronization can react to incidents automatically, e.g. by deactivating orphaned accounts or executing other changes in the identity lifecycle. Bulk actions (bulk tasks) can apply automated changes to a large portion of the user population, roles or other objects.

This control asks for the development and implementation of procedures, which includes monitoring of activities. The midPoint audit trail can support some aspects of this requirement, especially when coupled with the reconciliation and synchronization capabilities. Assignment metadata can quickly provide information during incident response, which can be used for rapid analysis and filtering of suspicious identities.

Implementation Notes

  • Emergency privileges for incident responders are configured in the form of conditional inducements in the usual (business) roles for incident responders. The condition evaluates to `false` during normal operation and can be quickly changed to `true` for incident response, which grants the privileges. The privileges can be easily removed once the incident is handled.
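A conditional inducement of the kind described in the note above, as an added example that is not taken from the midPoint documentation or project: a business role for incident responders whose emergency privileges are induced only while a boolean switch on the role itself is `true`, so that activation is a single property change rather than an edit of the role structure. Assumed: a custom `emergencyMode` boolean property declared for `RoleType` in the deployment's schema extension (the namespace and `ext` prefix are placeholders), and placeholder OIDs for the two target roles.

```xml
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ext="http://example.com/xml/ns/midpoint/extension">
    <name>Incident Responder</name>
    <description>
        Business role for the incident response team. The emergency
        privileges are induced only while extension/emergencyMode is true.
    </description>

    <extension>
        <!-- The single switch for the emergency privileges.
             Assumed custom boolean property (declared in the schema extension).
             Normal operation: false. Set to true when an incident is declared,
             back to false once the incident is handled. -->
        <ext:emergencyMode>false</ext:emergencyMode>
    </extension>

    <!-- Unconditional inducement: the ordinary privileges of a responder. -->
    <inducement>
        <!-- placeholder OID: replace with the OID of the ordinary responder role -->
        <targetRef oid="00000000-0000-0000-0000-000000000001" type="RoleType"/>
    </inducement>

    <!-- Conditional inducement: the high-privilege emergency role. -->
    <inducement>
        <!-- placeholder OID: replace with the OID of the emergency access role -->
        <targetRef oid="00000000-0000-0000-0000-000000000002" type="RoleType"/>
        <condition>
            <expression>
                <script>
                    <code>
                        // immediateRole is the role that contains this inducement,
                        // i.e. this Incident Responder role. The inducement applies
                        // only while its emergencyMode switch is set to true.
                        def flag = basic.getExtensionPropertyValue(immediateRole, 'emergencyMode')
                        return flag == true
                    </code>
                </script>
            </expression>
        </condition>
    </inducement>
</role>
```

Changing the switch does not by itself re-evaluate users who already hold the role; recompute the role's members afterwards (e.g. the recompute action on the role's members panel, or a recompute task) so the emergency privileges are actually provisioned, and again after the switch is set back to `false` so they are removed.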

Rationale

Reporting and simulation can provide essential information for planning. Ability to pre-configure emergency access control can provide an important advantage for rapid incident response.
