"Data breach" – an event where sensitive information is stolen without the owners' authorisation – is one of the worst nightmares for any organisation. Not only does this cause severe reputational damage, but organisations may also be severely fined by regulators for breaching data protection rules.

Just this week, the UK Information Commissioner's Office fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.

To prevent this from happening, organisations should not only focus on preventing security threats using sophisticated technologies but should also form well-tested incident response plans. This is not just a job for IT teams; legal and compliance teams should also be well informed on how to deal with incidents.

Read on to discover a few acronyms IT teams use in incident management.

Term

Definition

CSIRT

A Computer Security Incident Response Team (CSIRT) (pronounced 'see-sirt') are a group of professionals within an organisation on-hand to respond to any cyber-related threats or attacks. The role of a CSIRT is to manage the response to the incident quickly and effectively, in order to minimise physical, digital, financial and reputational damage to the organisation.

A CSIRT team may contain different members based on the nature of the incident. However, it is very important to have a "cross-silo" team every time, with skills and expertise in a number of roles, including legal and compliance, customer service, HR, cybersecurity, forensics etc.

ITSM 

IT Service Management (ITSM) is a set of policies, frameworks and procedures that IT teams follow to maintain the end-to-end delivery of IT services for their customers internally and externally. It encompasses creating, operating and tracking of any required IT services within an organisation to satisfy customer needs.

ITSM focusses on optimising the use of IT by adopting best practices and seeking continual improvement in order to gain value for the organisation, whilst simultaneously managing any associated risks.

One common use case of how a typical employee comes across ITSM is contacting the organisation's IT helpdesk. The helpdesk team would usually file a ticket on your behalf, then assign it to the relevant IT team, who will kick off the appropriate workflow that is tracked on an ITSM tool.

You may think that ITSM would be the team to also handle data breach incidents, but that is not recommended, as such incidents should be managed by CSIRT instead to allocate the incidents dedicated time and personnel needed.

SIEM 

A security information and event management (SIEM, pronounced "sim") system is a common computer security tool that collects, aggregates, categorises and analyses machine data from a wide range of sources to identify atypical behaviour which could signify a potential cyber-attack or security breach. The system is made of two parts.

The security information management part of the system provides the team with a snapshot of the organisation's IT infrastructure and allows you to log data with audit trails to ensure compliance with industry standards. The ability to correlating event information between devices is especially useful.

Based on the aggregated event information, the system's security event manager provides real-time monitoring of events, and alert to the relevant team, instructing them where to stop the activity before it results in a breach/attack.

SIEM tools often use a combination of machine learning and advanced analytics software in order to carry out these functions and can be a helpful tool in protecting against data breaches or cyber-attacks.

IRM

Within the information technology field, IRM (integrated risk management) is a set of practices or processes to assess multiple dimensions of risk across the whole organisation supported by risk-aware professionals and technologies. Effective IRM allows risks to be identified and prioritised, and mitigation planning to be set up quickly.

By having a comprehensive view of all internal business units, external partners and suppliers in an IRM tool, leaders can analyse key risks more easily and make informed, strategic decisions that are based on a risk-centric decision-making approach, rather than a traditional compliance-led one.

SOAR

Security Orchestration, Automation, and Response (SOAR) platforms are a collection of software programs which not only conduct comprehensive data gathering and analysis from multiple sources (e.g. alerts from a SIEM system), but also provide case management, workflow and automation in response to threats and security events.

By combining threat intelligence, case management and orchestration, SOAR responds to events by automating the security playbooks that organisations set out. This improves the efficiency and effectiveness in dealing with day-to-day security operations and helps minimise the time to react to a threat, allowing more time for human-led remediation if required, and lowering the chance of damage and disruption.

SOAR is best suited for large scale organisations who work in globally distributed environments. However, SOAR still requires customisation and is merely a tool to simplify incident response processes. It is by no means a replacement of IT security and CSIRT teams.