
Control 5.26 : Response to Information Security Incidents


Summary

Information security incidents should be responded to in accordance with the established procedures. This phase covers containment, eradication and recovery: cut off the attacker's access, remove their footholds and the root cause, and return systems and data to a known-good state, while preserving the evidence needed for the post-incident review.


Applicability

In-Scope: Mandatory for all organizations. It provides the technical and procedural roadmap for stopping an active threat and returning to a known good state.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Containment: Use Entra ID to disable a compromised account, reset its password and revoke its refresh tokens so the attacker can no longer use that identity. Revoking sessions invalidates refresh tokens only; access tokens already issued remain valid until they expire (typically up to an hour) unless the application supports Continuous Access Evaluation, so plan for that window.

  • Eradication: Use Microsoft Defender for Endpoint to isolate infected devices from the network (isolation keeps the device's connection to the Defender service so it can still be investigated) and to run automated investigation and remediation against malicious files. Collect an investigation package before remediating or reimaging, so forensic artefacts are not destroyed by the clean-up.

  • Recovery: Restore data from Microsoft 365 Backup, the SharePoint or OneDrive recycle bin, version history, or Files Restore (which rolls a library or OneDrive back to a point within the last 30 days) to recover files encrypted or deleted during the incident. Confirm the restore point predates the compromise and scan recovered content before returning it to users.
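The containment and eradication actions above, as an added example written for this page (it is not code from the original page or from Microsoft): a PowerShell script using the Microsoft Graph PowerShell SDK to disable a user, reset the password and revoke sessions, then optionally isolate a device through the Defender for Endpoint machine isolation API. It assumes the Microsoft.Graph module is installed, that the operator holds a role permitted to perform these actions, and that $DefenderToken is a bearer token for api.securitycenter.microsoft.com obtained through your own app registration; $Upn, $DeviceId and $Ticket are placeholders.

```powershell
# Added example (not from the original page): first-hour containment of a
# compromised Entra ID identity, with an optional Defender for Endpoint
# device isolation. Assumptions: Microsoft.Graph module installed; caller
# holds an admin role allowed to disable users, reset passwords and revoke
# sessions; $DefenderToken is a valid bearer token for the Defender API.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. jdoe@contoso.com (placeholder)
    [string] $DeviceId,                     # Defender machine id, optional (placeholder)
    [string] $Ticket = "IR-0000",           # incident reference for the action log (placeholder)
    [string] $DefenderToken                 # bearer token for api.securitycenter.microsoft.com
)

# Scopes cover disable, password reset and session revocation; tenants with
# stricter policies may require adjusting this list.
Connect-MgGraph -Scopes "User.ReadWrite.All","User.EnableDisableAccount.All",
                        "User.RevokeSessions.All","Directory.AccessAsUser.All" -NoWelcome

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Block new sign-ins.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Replace the credential the attacker knows with a random one and force a
#    change on the next (legitimate) sign-in.
$chars = (48..57) + (65..90) + (97..122)            # 0-9, A-Z, a-z
$newPassword = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Invalidate refresh tokens so existing sessions cannot be renewed.
#    Caveat: access tokens already issued stay valid until expiry (up to ~1 h)
#    unless the app honours Continuous Access Evaluation.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Timestamped action log line for the incident timeline.
Write-Host ("{0} {1}: account disabled, password reset, sessions revoked ({2})" -f `
    (Get-Date -Format o), $user.UserPrincipalName, $Ticket)

# 5. Optional: isolate the device. "Full" cuts all traffic except to the Defender
#    service; "Selective" keeps Outlook, Teams and Skype reachable.
if ($DeviceId -and $DefenderToken) {
    $body = @{ Comment = "Isolated during $Ticket"; IsolationType = "Full" } | ConvertTo-Json
    Invoke-RestMethod -Method Post `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/isolate" `
        -Headers @{ Authorization = "Bearer $DefenderToken" } `
        -ContentType "application/json" -Body $body | Out-Null
    Write-Host ("{0} device {1}: isolation requested ({2})" -f (Get-Date -Format o), $DeviceId, $Ticket)
}
```

The order matters: disabling the account and resetting the password before revoking sessions ensures the attacker cannot simply sign in again during the access-token grace window, and the Write-Host lines double as the timestamped action log an auditor will ask for under the Evidence Checklist.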


Evidence Checklist

  • Incident Reports: Detailed post-mortem reports for all major incidents, including timelines and actions taken.

  • Remediation Evidence: Records showing that the root cause of an incident was identified and addressed.

  • Chain of Custody: If applicable, evidence of how digital forensics data was collected and preserved for legal purposes.


Practical Audit Advice

Here are some questions the auditor might ask:

  • Can you provide a timeline and action log for a recent security incident from detection to final recovery?

  • How does the organization ensure that the containment actions taken during an incident do not cause more business damage than the incident itself?

  • What is the process for conducting a post-incident review to prevent the same type of breach from happening again?

  • How do you ensure that the recovery process does not re-introduce the vulnerability or malware that caused the incident?