Information Security Incident Management and Countermeasures: Establishing Response Mechanisms to Mitigate Impact

As information security incidents often occur suddenly, companies frequently experience confusion immediately following an occurrence, struggling to determine response priorities or how to respond adequately during the critical initial stage. This in turn affects the efficiency of incident containment, resulting in expanded damage or prolonged operational interruptions. To mitigate and avoid the impacts of such threats, ECOVE has established a clear information security incident management procedure as the handling guideline for employees to follow. It facilitates prompt incident notification, assessment, disposition, and recovery. Post-incident reviews and improvements are also conducted to continuously fortify information security protection mechanisms.

Information Security Incident Notification

If employees detect anomalies in information equipment or systems, or suspect data leakage involving personal data or company-sensitive data, they should immediately notify the Information Security Office, Information Center, or other relevant units to assess the severity level. After the incident is reported, the Information Security Office and the Information Center will document the incident to monitor the timeliness of information security incident handling and ensure there is a clear basis for subsequent actions, thereby preventing delays caused by insufficient information.

Information Security Incident Impact Levels

In ECOVE's information security incident management procedure, incidents are measured across three dimensions to ensure that impact levels are defined by clear, quantitative indicators. Each incident is assessed based on its impact on confidentiality, integrity, and availability (CIA), with severity classified from minor to severe. Once the impact level is determined, resources are allocated according to that level. This ensures that response measures are commensurate with the severity of the incident, thereby minimizing the impact on operations and data security.
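The notification and impact-level steps above (documenting the incident so that handling timeliness can be monitored, then rating it on confidentiality, integrity and availability) can be expressed as a small triage record. The following is an added illustration, not ECOVE's procedure or code: the four-point rating scale, the rule that the worst-affected dimension sets the overall level, and the response-time targets per level are all constructed assumptions, since the page does not publish its indicators or thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    """Impact level from minor to severe (constructed four-step scale)."""
    MINOR = 1
    MODERATE = 2
    MAJOR = 3
    SEVERE = 4


# Constructed assumption: hours allowed from notification to containment
# for each level. Resources (and urgency) scale with severity.
RESPONSE_TARGET_HOURS = {
    Severity.MINOR: 72,
    Severity.MODERATE: 24,
    Severity.MAJOR: 4,
    Severity.SEVERE: 1,
}


@dataclass
class Incident:
    """Incident record created when an employee reports an anomaly.

    Each CIA dimension is rated 1 (negligible) to 4 (severe impact).
    """
    incident_id: str
    reported_at: datetime
    confidentiality: int
    integrity: int
    availability: int
    contained_at: Optional[datetime] = None

    def severity(self) -> Severity:
        ratings = (self.confidentiality, self.integrity, self.availability)
        for rating in ratings:
            if not 1 <= rating <= 4:
                raise ValueError(f"CIA rating out of range: {rating}")
        # Assumed rule: the most affected dimension determines the level,
        # so a pure availability outage is still rated on its own merits.
        return Severity(max(ratings))

    def response_deadline(self) -> datetime:
        hours = RESPONSE_TARGET_HOURS[self.severity()]
        return self.reported_at + timedelta(hours=hours)

    def within_target(self, now: Optional[datetime] = None) -> bool:
        """True if containment happened (or is still possible) within target.

        Uses the containment time when recorded, otherwise the supplied clock.
        """
        reference = self.contained_at or now or datetime.now()
        return reference <= self.response_deadline()


def triage_summary(incident: Incident) -> str:
    """One-line entry for the incident register kept by the security office."""
    level = incident.severity()
    status = "within target" if incident.within_target() else "OVERDUE"
    return (f"{incident.incident_id} level={level.name} "
            f"deadline={incident.response_deadline().isoformat()} {status}")


if __name__ == "__main__":
    # Constructed sample: a suspected leak of personal data, reported at 09:00.
    leak = Incident("INC-0001", datetime(2024, 3, 1, 9, 0), 4, 2, 1,
                    contained_at=datetime(2024, 3, 1, 9, 40))
    print(triage_summary(leak))
```

Recording `reported_at` at notification time is what makes the later timeliness check meaningful; without it the register cannot show whether the response matched the level that was assigned.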

Specific Information Security Management Measures

To avoid being caught off-guard by sudden incidents, ECOVE has established a comprehensive response framework covering pre-incident protection, active emergency responses, and post-incident recovery. This integrated mechanism enables rapid handling and effective disposition whenever an incident occurs:
  1. Pre-incident Protection: Includes the development of prevention, response, and recovery plans, as well as protective measures for infrastructure, environment, personnel training, and educational programs. Through proactive planning, the likelihood of incidents can be reduced, ensuring that the established procedures can be promptly activated should an incident occur.
  2. Active Emergency Response: If the company suffers a hacker intrusion or attack, the emergency response plan is activated to promptly minimize damage and operational downtime. The primary focus is on rapid identification, activating necessary defenses, and allocating resources based on the impact level to contain the spread.
  3. Post-incident Recovery: Includes reviewing existing information security protective measures, executing system restoration and reconstruction, and timely patching vulnerabilities in current information security mechanisms and response plans to prevent the recurrence of similar scenarios.

Information Security Incident Review and Continuous Learning

To ensure continuous improvement, the results of incident handling are regularly summarized and presented for management review, ensuring that no personal data or business secrets are compromised. Following a previous significant incident that caused service interruption, ECOVE conducted a comprehensive case study to identify root causes and refine response protocols. Key enhancements integrated into our current security framework include:
  1. Commissioning external security experts to conduct annual security clinics and verification of improvements.
  2. Expanding Managed Detection and Response (MDR) across all servers and increasing protection density on end-user computers to fortify defense-in-depth and improve the timeliness of incident alerting and response.
  3. Establishing an Offline Backup Verification Center, including dedicated hardware and software, and verification systems.
  4. Transitioning the email system to cloud services to enhance operational resilience and security.
  5. Deploying Data Loss Prevention (DLP) solutions to implement a mechanism for detecting and auditing the transmission of sensitive data on end-user computers.
  6. Implementing Privileged Account Management (PAM) to strictly control high-privilege accounts on server systems.
  7. Employees use remote encrypted connections (Secure Sockets Layer Virtual Private Network; SSL VPN) that are automated through domain policies. All remote connections must pass through the corporate firewall for security verification. Non-company employees, including vendor accounts, are strictly managed, requiring departmental approval, IP restrictions, and defined validity periods.
  8. Engaging professionals for on-site disposal of decommissioned hard drives to prevent unauthorized data recovery or tracking.
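Item 7 above ties external remote access to three conditions: departmental approval, IP restrictions and a defined validity period. The following added example (not ECOVE's implementation; the account fields, the deny-by-default treatment of an account with no IP restriction, and the sample addresses from the RFC 5737 documentation range are all constructed for illustration) shows how a gatekeeping check can evaluate a connection against those conditions and explain which one failed, which is also what an auditor reviewing vendor access would want logged.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ExternalAccount:
    """Remote-access account for a non-employee such as a vendor (constructed)."""
    username: str
    approved_by: Optional[str]          # approving department; None = no approval
    allowed_networks: Tuple[str, ...]   # CIDR allow-list for source addresses
    valid_from: datetime
    valid_until: datetime


def evaluate_connection(account: ExternalAccount, source_ip: str,
                        when: datetime) -> Tuple[bool, str]:
    """Return (permitted, reason) for a connection attempt.

    All three conditions must hold; the first failing one is reported so the
    decision can be logged and reviewed.
    """
    if not account.approved_by:
        return False, "no departmental approval on record"
    if not (account.valid_from <= when <= account.valid_until):
        return False, "outside validity period"
    if not account.allowed_networks:
        # Assumed policy: an account with no IP restriction is denied rather
        # than silently allowed from anywhere.
        return False, "no IP restriction defined"
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, f"malformed source address {source_ip!r}"
    if not any(addr in ip_network(net) for net in account.allowed_networks):
        return False, f"source {source_ip} not in allowed networks"
    return True, "permitted"


def audit_line(account: ExternalAccount, source_ip: str,
               when: datetime) -> str:
    """Log line for the access decision (constructed format)."""
    ok, reason = evaluate_connection(account, source_ip, when)
    verdict = "ALLOW" if ok else "DENY"
    return f"{when.isoformat()} {verdict} user={account.username} src={source_ip} reason={reason}"


if __name__ == "__main__":
    vendor = ExternalAccount(
        username="vendor-svc",
        approved_by="Information Center",
        allowed_networks=("203.0.113.0/24",),
        valid_from=datetime(2024, 6, 1, tzinfo=timezone.utc),
        valid_until=datetime(2024, 6, 30, 23, 59, tzinfo=timezone.utc),
    )
    print(audit_line(vendor, "203.0.113.25", datetime(2024, 6, 15, tzinfo=timezone.utc)))
    print(audit_line(vendor, "198.51.100.7", datetime(2024, 6, 15, tzinfo=timezone.utc)))
```

Checking approval and validity before the address keeps an expired or unapproved account denied even when the request comes from an allow-listed network, which is the failure mode that matters most for accounts that outlive the engagement they were created for.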

Continuously Enhancing Security Resilience Through Comprehensive Planning

Information security protection is not a one-time effort. Only through a comprehensive protection plan, combined with practiced emergency response procedures, can incidents be quickly assessed and appropriately handled. In addition to prompt reporting, the causes of incidents must be thoroughly reviewed to remediate internal security weaknesses. The established information security protection plan and emergency response procedures should also be reassessed to determine whether corresponding revisions are required to prevent recurrence of intrusions or attacks. Only through a continuous “Plan-Do-Check-Act” (PDCA) cycle can information security defenses be effectively strengthened and the impact on operations and data security be minimized.

Information Security Incident Management Procedure