Incident Investigations and Incident Management

Does your stomach drop when you hear something has gone wrong at work? Perhaps a product failure requiring a recall? Or a client has banned your workers from site due to poor adherence to safety requirements? Do you know how you would handle an information security incident?

Having been called in to run numerous incident investigations over the years, I have found that many small to medium businesses do their best to manage the event, but they don’t have the in-house capability to conduct an adequate investigation, and some struggle to understand the importance of the different aspects of managing an incident.

Success requires strong leadership throughout management of the event. It requires assignment of temporary (and permanent) responsibilities and regular communication with interested parties such as the customer(s), senior management and involved employees (perhaps by establishing an incident response team). It also requires an ability to understand the cause of the incident so that the right actions can be put in place to prevent recurrence.

The 4 Step Process

Keeping it simple, I have included a 4-step process here, which can be tailored for any type of incident.

It is important that staff know how to identify each type of incident, how to escalate it and who is responsible for managing the response. It is also critical that an incident be ‘contained’ to ensure it doesn’t get worse. That might require stopping work, quarantining product, isolating equipment or systems and so on. For a WHS emergency the first step is always to call 000, but for an info sec emergency the first step will be company specific. This is the Respond phase of Incident Management.

The Report phase is about getting the incident into your system and assigning the right people to help. Make sure it is clear who will notify relevant authorities and external parties for the various types of incidents you might have to deal with. A table of responsibilities serves as a good reference here.

Don’t Jump to Actions too Quickly

Once the incident is identified, it is important to preserve and gather the relevant information before jumping to conclusions about the actions to take. This is the Investigate phase. Photos, logs and interviews are all useful pieces of the puzzle here. Root cause analysis tools can help you understand the cause(s) before selecting corrective actions. Some easy-to-use tools I like include Fishbone Analysis and the 5 Whys, which I have made available for free download from my website.

The final step is all about prevention. Actions are not only about containing the extent of the incident; they should also prevent it from happening again. This is where change management comes in, and good communication becomes vital. Equipment, software or processes might need to change, and if they do, that means updating the associated procedures or instructions and training the relevant people. Customers might also want to know what’s going on, so one of the actions for an incident should always be a Communication Plan for internal and external stakeholders.

As I see it, there are 3 factors that make the difference between successful incident management and a head-in-the-sand approach. The first is clear responsibilities. The second is the use of tools and techniques for the investigation. And the third is a communication plan. Being prepared with these will reduce that sick feeling in your stomach when the call comes.