ISO/IEC 27001 Control 5.26: Response to information security incidents

Information security incidents should be responded to in accordance with the documented procedures.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint provides essential information for incident response, as well as rapid immediate actions to contain the incident and ensure business continuity.

MidPoint is an essential tool for containing security incidents, allowing immediate deactivation of user access to applications. Assignment metadata can be used to provide information about privilege provenance, e.g. when the privilege was assigned, who has approved. This is an essential information for incident response, as it may point to affected or compromised identities, provide clues for investigation. MidPoint can help with evidence collection, especially by providing information on user access rights and records from its audit trail. Reporting and dashboard capabilities can provide important insights as well, both in containing phase and during evidence collection. MidPoint can be a useful tool in escalation phase as well, quickly providing temporary access to ensure business continuity. All escalation activities performed by midPoint are properly recorded in midPoint audit trail. In case that escalation activities are performed outside of midPoint control, midPoint can be used ex-post to clean up the escalation fallout, discovering temporary accounts and privilege escalation. Synchronization capabilities can be used for that purpose. Automated identity connectors based on ConnId framework ensure a quick response in the containment phase, as well as rapid escalation and reliable post-incident cleanup.