
The Ultimate Guide To Incident Management

Learn about the stages, factors to consider when purchasing software, making informed decisions, and more about incident management.

April 19, 2023

Preparations are made. Drills are run. Protocols are put in place.

And then it happens — despite your organization’s best efforts, you experience a critical system event.

Once brought under control, you have to deal with the costs — the impact on your employees, business operation, and stakeholders. Even simply finding out what happened and why will take time, effort, and money.

But there’s good news. The whole situation — from how you prepare for the worst, to what you do when it happens, and how you move forward when it’s over — is a process monitored by your incident management system.


Incident management: a process

Incident management is your organization’s way of identifying, analyzing, and working to prevent future events from occurring. Having processes in place can not only help you handle a server crash but also what you do to minimize the risk of one happening again.

The most efficient way to set up these processes is with an incident management system that can help fix and prevent events within your organization. In a nutshell, incident management is everything your organization does to identify, respond to, manage, document, analyze, and correct incidents — adverse events, occurrences, or situations — of any kind.

Stages of incident management

Because the process of incident management is a comprehensive one, there are a few steps involved — four, to be precise. Each one is in place to ensure that every aspect of every incident is seen and responded to by your security team. This includes determining what caused the incident, addressing it immediately, and putting measures in place against potential future threats.

Stage 1: plan and prepare

In this step, you’ll define the threats your organization faces including:

  • What kinds of risks are you exposed to?
  • What’s the likelihood that those risks could come to pass?
  • What impacts would you see if one or more of those threats became an actual incident?

You’ll then work to implement countermeasures (strategies and tactics) to put into action if and when a risk becomes a reality. This could include an effective incident management solution that acts as a line of defense against threats to your organization. From there, you can put safeguards, or protections, in place to try to prevent another threat.

In addition, this first stage also encompasses measuring the effectiveness of those countermeasures and safeguards in the event that an incident actually occurs. It also involves doing further planning and preparation based on what you learn or discover.

You may already be familiar with a quality improvement model from the Deming Institute called the PDSA Cycle, in which you Plan, Do, Study, and Act as a way of constantly learning and improving. This model serves incident management by consistently setting goals, implementing learning lessons, and adapting so your organization will be better able to deal with threats.

Stage 2: respond

When you reach this stage, it may already be too late (that’s why proper planning and preparation in stage one is so critical). Don’t worry, though — the reality is that critical incidents are rare. Most of the threats you’ll deal with will be the farthest things from catastrophes. However, even when faced with a dangerous threat, your incident management system is your best line of defense at this stage.

Big or small, however, the process of managing and responding to an incident is essentially the same:

  • Let your response team know that an incident is in progress (or has taken place)
  • Initiate standard operating procedures (developed ahead of time for these situations)
  • Send emergency notifications (if applicable)
  • Mobilize response personnel (if applicable)
  • Update data about the incident

Stage 3: document

When documenting what happened in an incident, you’ll:

  • Thoroughly capture a record of the event (or events) that took place
  • Compile insight data for analysis
  • Perform a root cause analysis to examine potential sources, including human or system error
  • Summarize any corrective actions
  • Share what you’ve learned with the relevant parts of your organization

Imagine there was a security breach in your organization. To document the incident, you’d start by completing an incident report, noting:

  • General details, including any narrative accounts
  • Any information about linked incidents (if applicable)
  • A summary of the impacts following the incident

You’ll then make a decision about whether or not to investigate. If so, it’s time to move on to the fourth stage.

Stage 4: investigate

In the last stage of the incident management process, you’ll need to delve deep. Throughout the process, your security team will be capturing statements from involved participants or witnesses, monitoring evidence, looking at data, and more. During the investigation part of the process, you’ll be getting to the bottom of what happened and why, as well as how to prevent a similar incident from occurring again.

Depending on the incident, you may indeed need an investigator or investigation team to step in and uncover more than what was initially reported. With a thorough investigation, your organization will be better able to determine how and why the incident happened.

Using investigation management software to examine and monitor threats will also help you take preventive action against future attacks.


Factors to consider in your incident management software

Having a quick response to an incident can reduce loss, determine existing vulnerabilities, and demonstrate to your shareholders that your processes are secure. By investing in incident management software, you’re protecting more than your organization’s security — you’re establishing processes to maintain business continuity. Doing so means becoming familiar with factors to consider in incident management.

Incident management and risk

“Risk” is a broad term. But, generally speaking, the level of risk that your organization can face is calculated by the likelihood that an incident could cause damage or loss, multiplied by the size of potential damage or loss.

Risk management is the process of determining what level of risk is acceptable, and what actions should be taken to mitigate what your organization determines to be unacceptable.

The incident management process, in turn, is critical to risk management. Without incidents, there would be no risk, and risk management would be unnecessary. Clearly, this isn’t the case.

The goal, then, is not to eliminate incidents, but to manage them and reduce their impact.

That’s where the PDSA cycle described above comes into play. After an incident — often aided by incident management software — plan and implement a countermeasure, then gauge its effectiveness while you monitor incident activity.

You can then plan how to mitigate future risks, and the cycle will continue.

Incident management and performance

In theory, the “perfect” incident management software would eliminate all incidents — and the loss and damages caused by them.

In reality, perfection is unattainable.

You can, however, examine historical data and set realistic performance goals based on your organization’s current incident rate. The math seems like common sense, but unfortunately, this level of clarity can be hard to achieve. With an overwhelming volume of data available, your incident management program can be quickly hindered.

Incident management software can help greatly. By enabling you to glean insight from the chaos of incident data and investigation reports, the right software can make it much easier to set — and achieve — performance targets.

Incident management and intelligence

Better data is the key to better performance. But how can you get it? And once you have it, how can you turn it into actual business intelligence? After an incident, investigators often find that the reason was hiding in the data all along.

Reliably moving from identifying small insights to seeing the big picture is difficult — but it’s easier with the proper tools. The right incident management solution can easily help you:

  • Reduce guesswork by revealing complex associations hidden in your data
  • Display data visually for easier analysis
  • Identify additional relationships between various data
  • Turn large volumes of data into actionable intelligence that can lend clarity to complex investigations

Diving deeper: making an informed decision about incident management

As with any important decision, determining which incident management software fits your organization’s needs requires you to have the knowledge and resources needed to make an informed decision. This includes knowing questions to ask, understanding the importance of data, and everything in between.

6 questions to ask

Keep these six questions in mind as you move through the PDSA cycle. Not only will they help you manage incidents and risk, but they’ll also make moving through the cycle easier:

  1. Has the incident happened before? It’s important to document whether or not it has continued to happen since implementing countermeasures, and what the benchmark was for the number of times it was acceptable for the incident to recur.
  2. If it has, what was the impact on your organization? Consider direct losses and indirect ones, both on a per-incident basis and across a full year. Remember that several minor incidents with a higher frequency may have a larger impact than a single major one.
  3. Is the incident likely to happen again? If so, what is its estimated frequency?
  4. What would the impact be? Determine the potential impact of the incident occurring again — either once or several times.
  5. What countermeasures are currently in place to prevent the incident from happening again? Ensure that they’re effective and appropriate for the level of risk associated with a recurrence.
  6. What further steps can be taken to mitigate the risk of the incident’s recurrence? Establish if your current countermeasures are enough, if you need to increase their intensity, or if you need to put others in place.

The answers to these six questions will provide you with powerful tools for making knowledge-based, data-driven decisions — a key factor in the success of your incident management effort.
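The risk formula above (likelihood multiplied by the size of potential loss) and questions 1 through 6 can be worked through against a documented incident history. The following script is an added example, not part of the original article and not Resolver’s software; the incident records, loss figures and function names (`annual_frequency`, `annualized_risk`, `residual_risk`) are constructed for illustration. It derives each incident category’s annual frequency and average loss from a two-year history, ranks categories by annualized risk, and estimates the residual risk once a countermeasure of a given effectiveness is in place. The constructed data is chosen so that a frequent, minor category (phishing) outranks a single major outage, the point made in question 2.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Incident:
    """One documented incident, as captured in stage 3 (document)."""
    category: str
    year: int
    direct_loss: float    # e.g. remediation and replacement costs
    indirect_loss: float  # e.g. downtime and staff hours, in the same currency

    @property
    def total_loss(self) -> float:
        return self.direct_loss + self.indirect_loss


# Constructed two-year incident history (hypothetical figures, not real data).
HISTORY: List[Incident] = [
    Incident("phishing", 2021, 1500.0, 500.0),
    Incident("phishing", 2021, 1200.0, 800.0),
    Incident("phishing", 2021, 2000.0, 0.0),
    Incident("phishing", 2022, 1800.0, 200.0),
    Incident("phishing", 2022, 1500.0, 500.0),
    Incident("phishing", 2022, 1000.0, 1000.0),
    Incident("server_outage", 2022, 4000.0, 6000.0),
]
YEARS_OBSERVED = 2  # the history covers 2021 and 2022


def group_by_category(history: List[Incident]) -> Dict[str, List[Incident]]:
    """Question 1: has this kind of incident happened before, and how often?"""
    groups: Dict[str, List[Incident]] = defaultdict(list)
    for inc in history:
        groups[inc.category].append(inc)
    return dict(groups)


def annual_frequency(history: List[Incident], category: str, years_observed: int) -> float:
    """Question 3: estimated frequency, taken as the observed rate per year."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    count = sum(1 for inc in history if inc.category == category)
    return count / years_observed


def average_loss(history: List[Incident], category: str) -> float:
    """Question 2: average direct plus indirect loss per incident of this category."""
    losses = [inc.total_loss for inc in history if inc.category == category]
    return sum(losses) / len(losses) if losses else 0.0


def annualized_risk(history: List[Incident], category: str, years_observed: int) -> float:
    """Question 4: likelihood (incidents per year) times size of loss per incident."""
    return annual_frequency(history, category, years_observed) * average_loss(history, category)


def rank_by_risk(history: List[Incident], years_observed: int) -> List[Tuple[str, float]]:
    """Order categories by annualized risk so that the largest exposure is handled first."""
    ranked = [
        (category, annualized_risk(history, category, years_observed))
        for category in group_by_category(history)
    ]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def residual_risk(risk: float, countermeasure_effectiveness: float) -> float:
    """Questions 5 and 6: risk that remains after a countermeasure.

    countermeasure_effectiveness is the fraction of expected loss the control is
    judged to remove (0.0 = no effect, 1.0 = fully prevents recurrence).
    """
    if not 0.0 <= countermeasure_effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return risk * (1.0 - countermeasure_effectiveness)


if __name__ == "__main__":
    for category, risk in rank_by_risk(HISTORY, YEARS_OBSERVED):
        freq = annual_frequency(HISTORY, category, YEARS_OBSERVED)
        print(f"{category:14s} {freq:4.1f}/yr  avg loss {average_loss(HISTORY, category):8.0f}"
              f"  annualized risk {risk:8.0f}")
    # Judge a phishing-awareness control as removing 60% of expected phishing loss.
    print("phishing residual:", residual_risk(annualized_risk(HISTORY, "phishing", YEARS_OBSERVED), 0.6))
```

Re-running the ranking after a countermeasure has been in place for a period, with the new incidents appended to the history, is the "Study" step of the PDSA cycle: if the observed frequency has not dropped as the effectiveness estimate assumed, the estimate was wrong and the countermeasure needs revisiting.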

Resolver: your incident management backbone

The foundation of good risk management is a superior incident management solution. At Resolver, we understand that — which is why we power incident management and risk management by focusing your efforts on what matters most and eliminating unnecessary activities.

Reach your full potential with Resolver. Manage incidents. Expand your insights. Make better decisions. Confidently meet and exceed your objectives. Join an upcoming incident management showcase to learn more about how Resolver can protect your organization and prove your security team’s value.