You are working at the IT service desk of an organization and someone reports that their system is creating duplicate files and gets restarted every few minutes.
You suspect the system has been infected by malware and immediately disconnect it from the network. You then create a ticket in your ITSM system, report it as a security incident and mark it urgent so that it is picked up immediately and the threat is contained before it spreads to other systems.
Modern organizations should equip themselves against such unforeseen operational disruptions. Putting incident management protocols in place ensures that companies are fully prepared to respond, contain and minimize the damage caused by a security breach, IT system failure, or damage to physical IT infrastructure.
Most organizations build incident management strategies and implement them through IT service management and supporting tools to ensure business continuity in the face of an unplanned event or service interruption.
With the right software tools, you can build an incident response program that detects threats proactively and helps you respond effectively when an incident occurs.
A robust incident management protocol helps you move as swiftly and efficiently as possible from initial detection of an incident to damage control and final resolution.
Why do you need an incident management strategy?
There are numerous types of incidents, and each requires detailed protocols and preparation to minimize operational downtime and keep services running. A robust incident management strategy classifies each incident by its nature and severity so that appropriate action can be taken.
Here is how you can classify an incident based on its severity level.
1. Critical breakdown/major incident
Severity 1 incidents are major breakdowns for which no workaround exists. Services or operations are halted until further action is taken, and your most experienced staff are usually assigned to the issue.
Stakeholders or customers are usually notified. Typical SEV 1 scenarios include customer data loss, a confidentiality breach, or core infrastructure failure.
2. Significant impact incidents
This is also a serious situation: services are greatly impacted and customer service is severely affected, but workarounds are still possible.
Examples include an application being unavailable, an automation system failure, or a leak of employees' Personally Identifiable Information (PII). Such incidents are handled much like SEV 1 incidents, with dedicated resources assigned to resolve the issue.
3. Minor impact incidents
These are low-impact incidents in the face of which the business is still able to function. Customers can use the service, but with hindrances along the way.
Examples include performance issues, poor customer service caused by communication gaps, or slow responses to requests. In such cases, tickets are usually raised with a 24-hour window to fix the problem so that operations run smoothly again.
4. Non-production incidents
Minor issues that don’t impact the customers and can be resolved before they turn into bigger issues are usually classified as SEV 4 incidents.
They don’t require immediate resolution and instead, the ticket is usually resolved in its own turn. Such low-priority incidents include minor bugs before production, and slow page loading speed, etc.
Crucial steps for incident resolution
Along with putting tools and software in place, your organization must also define an effective resolution strategy for when an incident occurs. In most organizations that focus on incident management, the workflow from detection to resolution looks like this:
1. Incident detection
Once the end-users, employees, or agents identify an incident, their foremost responsibility is to report it.
In most IT service management software, such as Zendesk and Jira, users can create a ticket with a full description of the problem, pull in additional details about the affected asset from the integrated ITAM tool, and set the ticket's priority to speed up the recovery process.
Depending upon your ITAM and ITSM tools, system-generated notifications may be initiated once an anomaly is detected by the software or an end-user.
2. Incident classification
Based on the business impact and severity of the incident, it is classified into a category as there are usually different protocols defined for different categories.
How the incident is escalated and which measures are taken also depend on its severity. If you use a service desk or have automated your incident management protocols, incidents are classified, prioritized, and escalated automatically, saving valuable time and resources.
3. Incident investigation
Once the impact of the incident is established, the IT security team investigates to determine the type of incident and its root cause and to propose remediation. Expect the investigation to disrupt normal operations until the incident has been contained.
Investigators typically look for indicators of compromise in sources such as anti-malware alerts, asset inventory records, and operating system and application logs.
4. Incident containment
The purpose of containment is to limit the damage already done and prevent further damage. For example, if malware has been detected on one machine, disconnecting it from the network stops the spread; patching and rebuilding the machine belong to the eradication and recovery steps that follow, once evidence has been preserved.
Before making any changes to an affected system, responders should take a forensic image of it (disk, and memory where possible) and record a cryptographic hash of the image, so that its state at the time of the incident is preserved for root-cause analysis and can be shown not to have been altered afterwards.
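As an added example (not AssetSonar's code or any feature of the product), the following Python script shows the evidence-preservation step described above in practice: it hashes the affected system's storage, copies it to an evidence location, verifies the copy against the original hash, makes the image read-only and writes a manifest recording who collected what and when. The device path, evidence directory, collector name and case ID are assumptions; the script uses a constructed file in a temporary directory as a stand-in for a real block device, which would require root to read.

```python
"""Preserve a verifiable forensic image of an affected system before remediation.

Added example, not AssetSonar code. The hash-copy-hash-record sequence is
what lets you show later that the image you analysed is the one taken at
containment time. Paths, collector and case ID below are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so that multi-GB images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, dest_dir, collector, case_id):
    """Copy `source` into `dest_dir`, verify the copy and write a manifest.

    Order matters: hash the original first, copy it, hash the copy, and only
    treat the evidence as preserved when the two hashes agree.
    Returns the manifest as a dict.
    """
    os.makedirs(dest_dir, exist_ok=True)
    image_path = os.path.join(dest_dir, os.path.basename(source) + ".img")
    acquired_at = datetime.now(timezone.utc).isoformat()

    source_hash = sha256_of(source)
    shutil.copyfile(source, image_path)
    os.chmod(image_path, 0o440)  # read-only: the image must never change
    image_hash = sha256_of(image_path)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source; acquisition failed")

    manifest = {
        "case_id": case_id,
        "collector": collector,
        "acquired_at_utc": acquired_at,
        "source": os.path.abspath(source),
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256": image_hash,
    }
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(manifest):
    """Re-hash the stored image and compare it with the hash in the manifest."""
    return sha256_of(manifest["image"]) == manifest["sha256"]


if __name__ == "__main__":
    # Constructed stand-in for a block device such as /dev/sda1 (assumed path);
    # imaging a real device needs root and a dedicated acquisition tool.
    work = tempfile.mkdtemp()
    fake_disk = os.path.join(work, "sda1")
    with open(fake_disk, "wb") as f:
        f.write(b"constructed sample disk contents\n" * 4096)

    m = acquire_image(fake_disk, os.path.join(work, "evidence"), "j.doe", "INC-0001")
    print(json.dumps(m, indent=2))
    print("image verifies:", verify_image(m))
```

Run it before any patching or rebuild of the affected machine. The manifest's SHA-256 is what later lets you demonstrate that the image analysed is the one taken at containment time; `verify_image` re-checks it whenever the evidence changes hands. A memory capture or a live disk would be taken with a dedicated acquisition tool, but the sequence of hashing, copying, re-hashing and recording is the same.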
5. Incident resolution and closure
The last stage of incident management is resolving the problem and recovering so that operations can return to normal. Verify that affected systems are free of malicious content (rebuilt from a known-good image where malware is involved) before reconnecting them to the organization's network.
Common steps in the resolution phase include rotating passwords and any other credentials the compromised system may have exposed, updating records in your IT inventory management software, tightening monitoring of asset check-ins and checkouts, and patching and hardening system images. Your IT service team can then close the ticket as resolved, or end-users can do so through a self-service portal.
6. Review and precautions
A forensic review of the incident establishes how it happened, whether the cause was human error or a system failure, and what could have been done to prevent it.
Such forensic reports lead to new, stricter incident management protocols and to proactive measures that prevent the incident from recurring. From problem management to change management, protocols are revised and updated for better security.
How can AssetSonar help?
ITAM software is a vital tool in a fully functioning IT infrastructure. Here are a few ways AssetSonar can assist you with dedicated incident management:
1. Integration with ITSM tools
AssetSonar can easily integrate with top-of-the-line ITSM tools like Zendesk and Jira. If you integrate an ITAM tool with an ITSM tool, you can easily and quickly retrieve asset data and link it to the ticket — whilst staying on the same tab.
Furthermore, you can also evaluate your asset health with details of past incident records if any. The information fetched from AssetSonar can lead to resolving incidents more quickly and avoid future problems through accurate tracking.
2. Asset details and checkout history
When an asset-related incident occurs such as asset theft or loss, asset details can provide you all the insights you need. You can view who had the asset, how many times it was checked out to an employee, and for what duration.
If it is a hardware asset, you can also see which software was installed on the system. This may help you mitigate the incident or contain it by isolating it from your organization’s network.
3. Service history
Maintenance and servicing are important to the optimal utilization of an asset’s life cycle. An accurate account of service history may give you clues about which tasks were performed, if the asset’s servicing was overdue, and more.
This helps you strengthen the weak links in your cybersecurity chain and prevent further incidents.
4. Warranty information
You can store vendor agreements and warranty information for your assets in Custom Fields in AssetSonar. This information may help you claim a warranty if an asset is damaged during an incident.
Keeping track of your assets' warranties helps you avoid hefty replacement costs when an unfortunate incident occurs.
5. Point of contact
For every asset, you can enter a point of contact through Custom Fields so that, in case of an incident, you know whom to escalate the case to. This gives your team a clearer path to resolving the incident.
Tips for setting up a strong incident management strategy
A robust incident management strategy includes both proactive monitoring of operations and assets, and active mitigation to minimize the damage.
An integration of effective tools can help your organization with proactive monitoring and threat intelligence as well as vulnerability testing and reactive incident response.
Following are a few tips to help you improve your incident management protocols:
- Train your employees on how to enter and update the data on your ITAM and ITSM tools. Educate them on the protocols to be followed in case of a security breach or any other incident.
- Set alerts and notifications for anomalies so the incident can be detected as early as possible.
- Make sure every incident goes through a forensic review so you can learn from your mistakes.
- Ensure that your ITAM or ITSM tool has a customized incident management form template so your security teams can get accurate information in minimum time.
- Automate ticket closure and notifications once the incident is resolved.
AssetSonar is the leading IT asset management software used by IT-intensive organizations and businesses all over the globe.
Sign up today for a free 15-day trial.