Enriching Incidents Generated by Other Systems
Targeted Behaviour
Security staff find it difficult to prioritise incidents such as data loss, system failure and data breach because they lack knowledge of the sensitivity of the data that was lost, became unavailable, or was unlawfully accessed.
Directive
Incident alert tickets should include relevant information gathered from other systems. In the case of data loss, system failure and data breach incidents, information should be available that exposes the sensitivity, importance and frequency of use of the data in the affected file shares/systems.
Policy Requirements
An incident is triggered by another system and concerns a file share, SharePoint site, etc.
The creation of the incident runs a set of standard analyses for that repository: identification of PII/PCI that was accessed or modified at the time of the breach, files that may contain password information, etc.
The incident management system can also connect to results of analyses that were previously collected via a recurring schedule.
Links to related dashboards are added to the incident.
Security staff use the additional information to help prioritise and analyse incidents.
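The enrichment flow described above, as an added worked example that is not part of this policy text: an incoming incident names a repository, a quick analysis of the affected files counts PII, PCI and likely password files, results of a scheduled scan are attached alongside a dashboard link, and a priority is derived. The sample files, the scheduled-scan results, the dashboard URL and the priority rules are all constructed assumptions for illustration.

```python
import re

# Constructed: results a recurring scan already collected for each repository.
SCHEDULED_SCANS = {
    "\\\\fs01\\finance": {"pii_files": 42, "pci_files": 7, "accesses_30d": 1200},
    "\\\\fs01\\public": {"pii_files": 0, "pci_files": 0, "accesses_30d": 15},
}
DASHBOARD_BASE = "https://dashboards.example.internal/share?path="  # placeholder

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
PASSWORD_HINT = re.compile(r"password|passwd|pwd", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def analyse_files(files: dict) -> dict:
    """Standard analysis run at incident creation over {filename: content}."""
    pii = pci = 0
    password_files = []
    for name, text in files.items():
        if EMAIL.search(text):
            pii += 1
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_CANDIDATE.finditer(text)):
            pci += 1
        if PASSWORD_HINT.search(name) or PASSWORD_HINT.search(text):
            password_files.append(name)
    return {"pii_files": pii, "pci_files": pci, "password_files": password_files}


def prioritise(e: dict) -> str:
    """Constructed rule set: PCI or credentials -> P1, any PII -> P2, else P3."""
    scheduled = e.get("scheduled") or {}
    if e["pci_files"] or e["password_files"] or scheduled.get("pci_files"):
        return "P1"
    if e["pii_files"] or scheduled.get("pii_files") or scheduled.get("accesses_30d", 0) > 1000:
        return "P2"
    return "P3"


def enrich_incident(incident: dict, files: dict) -> dict:
    repo = incident["repository"]
    enrichment = analyse_files(files)
    enrichment["scheduled"] = SCHEDULED_SCANS.get(repo)
    enrichment["dashboards"] = [DASHBOARD_BASE + repo]
    enrichment["priority"] = prioritise(enrichment)
    return {**incident, "enrichment": enrichment}
```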