In January 2021, we asked a group of 175 financial institution cybersecurity professionals if their organization had a formal incident tracking system.
Today's financial institutions are spending more time managing cyber incidents with yesterday's resources. As incidents continue to increase in number and complexity, more formalized systems and processes are necessary. In this article, we'll provide you with five benefits of an incident tracking system, as well as some resources to help you get started.
Benefit #1: Improved Clarity
According to the NIST Computer Security Incident Handling Guide, an incident tracking system allows members of the incident response team to "maintain records about the status of incidents" which helps ensure "incidents are handled and resolved in a timely manner." The document goes on to list several items which should be featured in the system:
- Incident status and summary
- Indicators of compromise
- Related incidents
- Handler actions and comments
- Evidence lists and chains of custody
- Impact assessments
- Contact information
- Next steps to be taken
This can turn into a lot of data that needs to be connected in various ways and accessed by different individuals, sometimes simultaneously. A centralized system manages that complexity and helps you communicate clearly.
Benefit #2: Exam-Ready Reporting
While compliance is not the primary reason to implement an incident tracking system, a system can provide you with exam-ready reporting. For example:
- The FDIC Information Technology Risk Examination (InTREx) program encourages examiners to review various aspects of the bank's incident response plan, including "a process to classify, log, and track incidents." (Support & Development, Procedure 13)
- To achieve "Baseline" maturity, the FFIEC Cybersecurity Assessment Tool (CAT) recommends incidents be "classified, logged, and tracked." In addition, to achieve "Evolving" maturity, the CAT expects "tracked cyber incidents [to be] correlated for trend analysis and reporting." (Domain 5: Cyber Incident Management and Resilience)
- The CAT expectations are restated in the NCUA's Automated Cybersecurity Evaluation Toolbox (ACET), the NCUA's desktop application for completing the CAT as part of their information security examination program.
In each of these cases, instantly generated reports from a formal incident tracking system would help satisfy these requests and demonstrate your organization's compliance with regulatory expectations.
Benefit #3: Lower Time and Cost Investments
Responding to an incident involves a coordinated effort among many individuals, including not only the incident response team, but also technical specialists, legal advisors, public relations coordinators, and other departments (e.g., BCP, BSA/AML, fraud, etc.). In recognition of this, the FFIEC Architecture, Infrastructure, and Operations Booklet encourages management to "minimize confusion" by implementing incident management "processes to coordinate and define roles and responsibilities."
Incident tracking systems are designed to do just that. When each handler knows what they are expected to do (and not do) during incident response, time is saved. When steps taken are clearly documented, duplication of efforts does not occur. When an incident tracking system operates at the center of an incident management function, the organization's bottom line is improved.
Benefit #4: Fewer Exceptions During Response
Another key benefit of an incident tracking system is the ability to launch an action plan when an incident occurs. By predefining the steps to follow (often referred to as a "playbook"), you can be ready when an incident occurs. When paired with defined handler roles and responsibilities, the organization can expect to see fewer exceptions during the response process. Fewer exceptions can not only lower time and cost investments, but also reduce the potential damage of the incident by ensuring all steps are adequately performed.
Benefit #5: Immediate Trend Analysis
Another benefit of an incident tracking system is immediate trend analysis. We've all been there: trying to come up with data that would be meaningful, valuable, and beautiful. Then spending hours trying to finagle spreadsheet data so that it displays correctly in a chart or graph, only to have to start over when one of the incidents we needed to include wasn't part of the calculations. Even if you have mad spreadsheet design skills, getting trend reports in this way can still be a headache.
With an incident tracking system, the trend analysis is built into the solution. For example, with Tandem Incident Management, you can obtain instant reports over relevant trends like:
- Incidents by Occurrence Date
- Incidents by Severity
Instant trend analysis can provide up-to-date information about the status of your incidents, making it easier to communicate about the nature and severity of each incident with senior leadership.
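To show what the two reports above and the CAT's "correlated for trend analysis" expectation look like over structured records, here is an added example; it is not Tandem's code or part of the original article. The record fields are a subset of the NIST list quoted earlier, and the severity scale, IDs, indicators and sample incidents are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Incident:
    # Subset of the NIST-listed fields; names and value scales are assumptions.
    id: str
    occurred: date
    severity: str                                    # low / medium / high
    status: str                                      # open / closed
    summary: str
    indicators: set = field(default_factory=set)     # indicators of compromise
    next_steps: list = field(default_factory=list)

def by_month(incidents):
    """Incidents by occurrence date, bucketed per month (YYYY-MM)."""
    counts = Counter(i.occurred.strftime("%Y-%m") for i in incidents)
    return dict(sorted(counts.items()))

def by_severity(incidents):
    """Incidents by severity."""
    return dict(Counter(i.severity for i in incidents))

def related(incidents):
    """Correlate incidents that share at least one indicator of compromise."""
    pairs = []
    for n, a in enumerate(incidents):
        for b in incidents[n + 1:]:
            shared = a.indicators & b.indicators
            if shared:
                pairs.append((a.id, b.id, sorted(shared)))
    return pairs

def stalled(incidents):
    """Open incidents with no recorded next step: a gap a tracker should surface."""
    return [i.id for i in incidents if i.status == "open" and not i.next_steps]

# Constructed sample records (documentation-range IP and test domain).
INCIDENTS = [
    Incident("INC-001", date(2021, 1, 12), "high", "closed",
             "Phishing email, credentials entered", {"mail.example.test"}),
    Incident("INC-002", date(2021, 1, 27), "medium", "open",
             "Phishing email reported by teller",
             {"mail.example.test", "198.51.100.7"}, ["Reset password"]),
    Incident("INC-003", date(2021, 2, 3), "low", "open", "Lost access badge"),
    Incident("INC-004", date(2021, 2, 19), "high", "open",
             "Malware alert on workstation", {"198.51.100.7"}, ["Reimage host"]),
]
```

Because every report is computed from the same records, an incident added later shows up in all of them without rebuilding a spreadsheet.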
Incident Tracking System
If you are just getting familiar with the idea of an incident tracking system, download our Incident Tracking Form to help you get started. This form includes the elements of an incident you should be recording and can be used as a guide when an incident happens.
If you are ready to streamline your program, see how a formal incident tracking system could benefit you with Tandem Incident Management. Based on the NIST Computer Security Incident Handling Guide, the Tandem incident tracking system makes recording details about an incident easy, while providing the reports you need to share with external individuals. Learn more about how Tandem can help you at Tandem.App/Incident-Management-Software.