An incident is an event that negatively alters the production of IT services. Incidents are capable of degrading services as well as interrupting them completely, depending on their severity and the responsiveness of the IT team.

An incident can be identified by the IT operations teams or by users who report it to the IT service center. A failure of a technical assistance component that has not yet affected the service delivered to users should also be treated as an incident.

For anyone interested in this area, or already working in it, we want to present three main aspects that should at least be taken into account, since overlooking them is the main cause of incident response failure:

Preventing all incidents may not be possible, but knowing how to respond when they occur is.

As part of proper information security management, risk management shows us that there are certain incidents to which our company is more vulnerable and that, however many preventive controls are implemented, the risk can continue to be a major threat.

In these cases, since the nature of the risk means we cannot be sure of eliminating it completely, the most reasonable thing is to be prepared to react to the different scenarios the organization could face if one of these risks materializes.

 Incident management must be a balance between technical and administrative matters.

 When talking about effectively managing incidents that may affect information security, it is very important that the person in charge of this work has the technical knowledge to understand what is happening and to make the right decisions to ensure business continuity.

But while technical knowledge is an indispensable basis for successful risk management, it is also very important to have administrative skills. We must not forget that recovery from an incident must go beyond solving the problem; it must be linked to a process of continuous improvement that includes communicating the incident, assessing the damage, and implementing improvements to prevent similar risk events from happening again.

 Identify the most critical information assets.

Since a wide variety of technologies can coexist within the company, it can be very expensive to guarantee the highest level of security for all information. For this reason, it is necessary to know what the business's critical information really is and how vulnerable it is.

To the extent that this identification is adequate, incident response can efficiently focus efforts where they matter most for meeting the objectives of the organization.

The incident response plan must be formalized and made known to all those who should intervene in the recovery from a security incident.

If it is clearly defined who the people are and what steps must be followed to deal with a security incident, valuable time can be saved, reducing the impact of the incident and even preventing further damage to company information.

Defining the steps to follow in case of an incident, the teams that must intervene, and the appropriate communication plans is a fundamental part of incident response, but unless they are rigorously tested, it will not be possible to be sure that the plan really works as expected.

Periodic tests of the procedures established in the plan are the best way to ensure that the plan works, and they also allow improvement actions to be identified that make it more effective.

As we have already mentioned, information security management matters regardless of the size of the company. Managing security is not a guarantee that incidents will not occur, but if done properly, we can be sure that we can respond in the most appropriate way and minimize the negative impacts they may have on the business.