How to document security incidents for compliance in 10 steps
Many organizations are subject to regulations, such as HIPAA, that require compliance with federal standards. These organizations typically handle sensitive material, such as customers' personal data, and the regulations exist to hold their security to a higher bar. No amount of preparation can prevent every outcome, however, and security incidents are likely to occur.
One of the chief compliance requirements is that organizations document those security incidents. This article details the steps an organization should follow when documenting security incidents for compliance.
Documentation
When a security incident occurs, documenting it is required for compliance. The organization's Security Officer is the individual responsible for this documentation, which may be kept in either electronic or written form.
Step 1: Security incident report – Contact information
The security incident report must contain specific information to meet compliance. The easiest way to capture it consistently is a standard form divided into sections, one per kind of information.
The first section to create is Contact Information. It should include:
- The reporting individual's name and title
- Both work and mobile phone numbers
- Name of the organization's security officer
- Email address
- Fax number
Step 2: Security incident description
Next, the security incident report should have a section for the description of the security incident. Keep this section concise but complete: what happened, how it was discovered, and which systems or data were involved. Beyond satisfying compliance auditors, these descriptions build up a record of the security issues your organization encounters most often.
Step 3: Impact/potential impact
Document any impact that this security incident may have had on your organization. You can present this as a free-form text box, as check boxes next to predefined impact types, or as both. If you use predefined impact types, they should include the following:
- Loss of Data/Data Compromise
- System Damage
- Financial Loss
- Other System was Affected
- Damage to the Delivery or Integrity of Information
- Regulation Violation
- Information Security Policy or Procedure Violation
- Presently Unknown
Step 4: Sensitivity of information/information involved
You will want to categorize the sensitivity level of the information involved in the security incident. For each level, your security officer should include an example of the kind of information that qualifies, so that reporters classify consistently. Include the following levels:
- Public
- Internal Use Only
- Restricted or Confidential (Privacy Policy Violation)
- Unknown
After the sensitivity levels have been defined, use a check box selection for the different levels. Also include a text box area for a brief description of the information that was compromised.
Step 5: Notification
Include a section that describes who else has been notified of the security incident. Make sure to include the individual's name and title at the organization.
Step 6: Incident details
This section is the at-a-glance counterpart to the security incident description above: brief answers to predefined questions about the security incident. The incident details questions should include:
- Date and time that the security incident was discovered
- Has the security incident been resolved?
- Physical location of the affected system or information
- Number of physical locations affected
- Number of systems affected by the security incident
- Number of users affected by the security incident
- Any other additional important information about the security incident
Step 7: Mitigation
This section should include details about what actions the organization has taken to mitigate the security incident. The response should be brief but include all relevant information.
Step 8: Security officer's signature
The Security incident report should include the security officer's signature.
Step 9: Security incident log
Aside from the security incident report, security officers are also tasked with creating and maintaining a security incident log. The security incident log is a short document that tells you most of what you want to know at a glance. Each entry should record the date and time the security incident was discovered, who discovered it, and a brief description of the incident.
Where the security incident log differs most from the security incident report is the use of a severity scale. The log should include an item that rates the severity of the security incident from 1 to 5, with 1 being the least serious and 5 being the most serious.
Step 10: Retention
To meet compliance, organizations are required to retain all security incident reports and security incident logs for at least six years. HIPAA's documentation standard counts the six years from the date a document was created or the date it was last in effect, whichever is later; for a running incident log, that means the six-year period begins at the time of the last entry.
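The ten steps above describe a form and a log without showing what the records look like once they are captured electronically. The following Python module is an added example, not code from the article or any of its sources: it models the incident report (Steps 1 through 8) and the incident log (Step 9), checks that the required sections are filled in and that the severity is on the 1 to 5 scale, and computes the retention date from Step 10. The impact types, sensitivity levels and severity scale are taken from the article; the class names, field names and the sample incident data are this example's own, constructed for illustration.

```python
# Added example, not code from the article or its sources: a minimal runnable
# model of the incident report (Steps 1-8) and incident log (Step 9) described
# above, with the six-year retention date from Step 10. Class and field names are
# this example's own; impact types, sensitivity levels and the 1-5 scale are the
# article's.
from dataclasses import dataclass
from datetime import date, datetime
from enum import Enum

RETENTION_YEARS = 6  # Step 10

class Impact(Enum):  # Step 3: predefined impact types
    DATA_LOSS = "Loss of Data/Data Compromise"
    SYSTEM_DAMAGE = "System Damage"
    FINANCIAL_LOSS = "Financial Loss"
    OTHER_SYSTEM = "Other System was Affected"
    INTEGRITY = "Damage to the Delivery or Integrity of Information"
    REGULATION = "Regulation Violation"
    POLICY = "Information Security Policy or Procedure Violation"
    UNKNOWN = "Presently Unknown"

class Sensitivity(Enum):  # Step 4: sensitivity levels
    PUBLIC = "Public"
    INTERNAL = "Internal Use Only"
    RESTRICTED = "Restricted or Confidential (Privacy Policy Violation)"
    UNKNOWN = "Unknown"

@dataclass
class IncidentReport:
    reporter_name: str                  # Step 1: contact information
    reporter_title: str
    work_phone: str
    mobile_phone: str
    security_officer: str
    email: str
    description: str                    # Step 2
    impacts: list                       # Step 3: one or more Impact values
    sensitivity: Sensitivity            # Step 4
    information_involved: str
    notified: list                      # Step 5: (name, title) pairs
    discovered_at: datetime             # Step 6: incident details
    resolved: bool
    location: str
    locations_affected: int
    systems_affected: int
    users_affected: int
    additional_info: str
    mitigation: str                     # Step 7
    security_officer_signature: str     # Step 8
    fax: str = ""                       # Step 1, optional

    # Sections that must not be left blank; class attributes, not form fields.
    REQUIRED_TEXT = ("description", "information_involved", "mitigation",
                     "security_officer_signature")

    def validate(self) -> list:
        """Return the compliance gaps in this form; an empty list means it is complete."""
        gaps = [f"{f} is empty" for f in self.REQUIRED_TEXT if not getattr(self, f).strip()]
        if not self.impacts:
            gaps.append("no impact type selected")
        for f in ("locations_affected", "systems_affected", "users_affected"):
            if getattr(self, f) < 0:
                gaps.append(f"{f} must not be negative")
        return gaps

@dataclass
class LogEntry:  # Step 9: one line of the security incident log
    discovered_at: datetime
    discovered_by: str
    summary: str
    severity: int  # 1 = least serious, 5 = most serious

    def __post_init__(self):
        if not 1 <= self.severity <= 5:
            raise ValueError("severity must be an integer from 1 to 5")

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb becomes 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_until(log: list) -> date:
    """Step 10: the log must be kept at least six years, counted from its last entry."""
    return add_years(max(e.discovered_at for e in log).date(), RETENTION_YEARS)

def sample_log() -> list:
    """Constructed sample entries for illustration, not real incidents."""
    return [LogEntry(datetime(2024, 1, 15, 9, 30), "J. Doe", "Phishing email reported", 2),
            LogEntry(datetime(2024, 3, 4, 14, 5), "A. Roe", "Laptop with internal files lost", 4)]

def sample_report() -> IncidentReport:
    """Constructed sample report for the second log entry, not a real incident."""
    return IncidentReport(
        "A. Roe", "Help Desk Lead", "555-0100", "555-0101", "M. Smith", "a.roe@example.org",
        description="Laptop holding internal project documents reported lost in transit.",
        impacts=[Impact.DATA_LOSS, Impact.POLICY], sensitivity=Sensitivity.INTERNAL,
        information_involved="Internal project documents; no customer records.",
        notified=[("M. Smith", "Security Officer")], discovered_at=datetime(2024, 3, 4, 14, 5),
        resolved=False, location="Main office", locations_affected=1, systems_affected=1,
        users_affected=1, additional_info="", mitigation="Remote wipe issued; credentials reset.",
        security_officer_signature="M. Smith")
```

Calling `sample_report().validate()` returns an empty list for the constructed report, and `retention_until(sample_log())` returns the date six years after the latest log entry. The `validate` method is the electronic equivalent of an auditor scanning a paper form for blank sections; running it before the security officer signs (Step 8) catches an incomplete report at the point where it is cheapest to fix.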
Conclusion
Organizations that operate in highly-regulated industries, such as healthcare, must comply with regulations like HIPAA. HIPAA requires organizations to create and maintain security incident reports and security incident logs for all security incidents that affect them, and to retain these documents for at least six years. Following the steps detailed above gives your organization security incident documentation that auditors will recognize as meeting that requirement.
Sources
- Security Incident Procedures: Response and Reporting, HIPAA
- Information Security Incident Response Plan, Oregon OSCIO
- Sample Security Incident Reporting Form, Pennsylvania Department of Human Services