ISO/IEC 27001 Control 5.26: Response to information security incidents
Control
Information security incidents should be responded to in accordance with the documented procedures.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint provides essential information for incident response, as well as rapid immediate actions to contain the incident and ensure business continuity.
Implementation Details
The activation schema can be used for immediate deactivation of user access to applications. Assignment metadata can provide information about privilege provenance, e.g. when a privilege was assigned and who approved it. This is essential information for incident response, as it may point to affected or compromised identities and provide clues for the investigation. This information is further supplemented and kept up to date by the synchronization mechanisms; live synchronization in particular provides near real-time analysis and detection of new accounts and of lifecycle changes to existing accounts.

MidPoint actions (a.k.a. "bulk actions") can be used to execute actions on a large population of identities during the response. MidPoint can help with evidence collection, especially by providing information on user access rights and records from its audit trail. Reporting and dashboard capabilities can provide important insights as well, both in the containment phase and during evidence collection.

MidPoint can be a useful tool in the escalation phase as well, quickly providing temporary access to ensure business continuity. The object history feature can provide a quick overview of past changes to each object, possibly revealing malicious changes. Policies, policy rules and outlier detection can assist in pointing out users that are likely to be the source of problems. All escalation activities performed by midPoint are properly recorded in the midPoint audit trail. If escalation activities are performed outside of midPoint's control, midPoint can be used ex post to clean up the escalation fallout, discovering temporary accounts and privilege escalation; synchronization capabilities can be used for that purpose. Automated identity connectors based on the ConnId framework ensure a quick response in the containment phase, as well as rapid escalation and reliable post-incident cleanup.
Implementation Notes
- Information in assignment metadata can be accessed and interpreted quickly (as opposed to complex audit trail data), which provides a significant benefit when rapid incident containment is necessary.
Rationale
MidPoint is an essential tool for containing security incidents: it allows immediate deactivation of user access to applications, and it also provides supporting information and helps with evidence collection.
Related Features
- Policy (concept) (planned)
- Outlier detection (planned)