How to Manage Incident Management on Sprinto
Why Is It Important?
An Incident Management System (IMS) offers several key advantages, including efficient service request management, reduced service downtime, effective handling of data loss, improved visibility, and better planning.
From a security compliance standpoint, it is important to track incident tickets and their response details. Doing so helps the organization achieve compliance with the requirements of their desired security compliance framework.
How Does Sprinto Manage Incident Management?
Sprinto helps manage incident tickets from various sources and reminds the user to take effective action within the defined timeline, as per the Service Level Agreements (SLAs), to keep the organization compliant with its desired security compliance framework.
Setting Up Sprinto as Incident Management System:
By setting up Sprinto as your Incident Management System (IMS), you can integrate threat detection tools from various cloud services such as Microsoft Defender or AWS GuardDuty.
You can log the incident ticket on Sprinto by the following means:
Threat detection tools: Sprinto fetches incident data from the cloud service's threat detection tools and logs an incident ticket based on the details.
Employee portal: For incidents that cannot be tracked by the threat detection tools, employees can log incidents through the employee portal. Examples of such incidents include receiving phishing calls/emails, loss of identity card, system performance decline, and so on.
The incident tickets are then categorized based on the severity of the incident and prioritized for resolution. All incident tickets can be resolved directly through the Sprinto portal.
Integrating External Incident Management System on Sprinto:
Sprinto offers users who have an incident management system (IMS) set up within their organization the option to integrate their external IMS with Sprinto. Sprinto tracks the incident tickets logged in this external IMS and categorizes them based on their severity.
This feature enables users to track each incident ticket directly on Sprinto without having to migrate from the current IMS. Furthermore, Sprinto helps collect evidence in a timely manner for each incident ticket's action, assisting organizations in preparing for security compliance framework audits.
Sprinto currently integrates with the following incident management tools:
PagerDuty
OpsGenie (Coming soon)
VictorOps (Coming soon)
xMatters (Coming soon)
Getting Started:
Begin your journey on Sprinto by setting up the Incident Management System (IMS). If no IMS is set up on Sprinto, a check in the "Failing" status will appear on the Sprinto dashboard, prompting you to set up the IMS. This is a primary requirement for implementing an IMS within the organization.
Setting up an IMS on Sprinto can be done in the following ways:
Configure Sprinto as the incident management system: This lets users integrate threat detection tools from cloud services and create incident tickets based on the incident details provided by these tools.
Integrate PagerDuty as the incident management system: Integrate your PagerDuty account with Sprinto to track all incident tickets directly on Sprinto. Note that incident tickets must be closed on PagerDuty itself.
User Guides:
Configure Sprinto for Incident Ticket Management
Configure PagerDuty for Incident Ticket Management
Managing Incident Management on Sprinto:
Managing incident management on Sprinto can be broadly divided into the following two sections:
1. Reporting Incident Tickets:
Introduction:
Incident reporting is the process of documenting and communicating information about any unexpected event in an organization to identify potential risks and vulnerabilities and take steps to mitigate them.
Importance of Incident Reporting:
Incident reporting is important from a security compliance standpoint, as it helps organizations demonstrate compliance with industry-standard frameworks. To achieve this, organizations must have processes in place for identifying, documenting, and reporting security incidents.
Failure to report security incidents in a timely manner can result in loss of compliance with the desired security framework, regulatory fines, legal penalties, and reputation damage. Therefore, incident reporting is a critical component of any organization's security compliance program.
Reporting Incident tickets on Sprinto:
To report incident tickets on Sprinto, employees can use the incident section on the employee portal. However, before reporting an incident, an incident management system (IMS) must be configured on Sprinto.
Refer to:
Configure Sprinto for Incident Ticket Management
Configure PagerDuty for Incident Ticket Management
Once the IMS is configured, users can log incident tickets in the following ways, depending on the IMS chosen:
PagerDuty: Users can report incidents by sending an email that describes the incident in detail. This creates an incident ticket on the integrated PagerDuty account.
Sprinto: Users who integrate threat detection tools from cloud services into Sprinto as their IMS can report incident tickets through the employee portal's incident tab. They just need to fill in the required details and submit the incident report.
2. Resolving Incident Tickets:
Introduction:
Resolving incident tickets in a timely manner is important to ensure compliance with the security framework requirements. Sprinto tags a check for each incident ticket, reflecting its status in the following stages:
Due:
Critical:
Failing:
Passing:
Users who have Sprinto as their incident ticket management system can take direct action to resolve incident tickets within the Sprinto platform. Users who have integrated PagerDuty as their IMS can track incident tickets and collect evidence against those tickets on Sprinto; however, they need to go to their PagerDuty account to close the incident ticket.
User Guides:
Report an Incident Ticket (Sprinto)
Report an Incident by Email (PagerDuty)
Resolving Incident Ticket (Sprinto)
Resolving Incident Tickets (PagerDuty)
Monitors for Incident Management:
About:
Sprinto comes with built-in monitors for incident management, which notify users of necessary actions to keep the system working as expected. Monitors typically track changes in the system or process, and alert you if there are any issues.
Sprinto’s Incident Management Monitors:
The following are the monitors Sprinto offers for the incident management section:
Incident Management Service Configuration: This monitor is generally activated for new users who have just onboarded to Sprinto. It provides information on the configuration requirements for the incident management service on the platform. Users can either configure an external IMS that they already use to manage incident tickets on the Sprinto platform, or configure Sprinto as the IMS by integrating threat detection tools from cloud services to log and manage incident tickets.
Monitor Passing Condition: At least one IMS must be configured on Sprinto.
Monitor States:
Failing: No IMS is configured on Sprinto. Note: There is no passing state for this monitor; once an IMS is configured, the monitor disappears from the Sprinto dashboard and the Incident overview page.
PagerDuty Incident Ticket Resolution: By default, all incident tickets logged on the PagerDuty account are tracked under the PagerDuty tab on the Incidents page. Users can view the status of each incident ticket on Sprinto. However, to resolve incident tickets tracked from PagerDuty, users need to go to the PagerDuty account and resolve the ticket there. Once the incident ticket is closed on PagerDuty, the monitor status on Sprinto also changes from Failing to Passing.
Monitor Passing Condition: All open incident tickets must be closed from the integrated PagerDuty account.
Monitor States:
Failing: Incident ticket is open on the PagerDuty account.
Passing: Incident ticket is closed on the PagerDuty account.
Reporting Data Loss Incidents: Any incident that involves data loss by any means must be reported to the relevant stakeholders. All incident tickets tracked through the PagerDuty account must be closed from the PagerDuty platform. When an incident ticket is closed and its closing notes description includes the string "Data loss," another incident ticket for reporting the data loss is created on the Sprinto tab. This ticket must be addressed by defining the type of data loss and the reporting action taken against it. The monitor tracks the closing notes description of PagerDuty incident tickets and is activated if "Data Loss" is mentioned in the closing notes of the incident ticket.
Monitor Passing Condition:
Resolve the data loss reporting incident ticket that Sprinto created for the PagerDuty incident ticket whose closing notes description mentions "Data loss".
Monitor States:
Failing: Data loss reporting incident ticket is not resolved on Sprinto.
Passing: Data loss reporting incident ticket is resolved on Sprinto.
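As an added illustration (not Sprinto's own code), the following Python model evaluates the three monitors described above over constructed tickets; the ticket fields, the `DL-` id prefix for follow-up tickets, and the case-insensitive match on "data loss" in closing notes are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Ticket:
    ticket_id: str
    source: str            # "pagerduty" (external IMS) or "sprinto" (Sprinto tab)
    status: str            # "open" or "closed"
    closing_notes: str = ""

@dataclass
class Workspace:
    ims_configured: bool   # at least one IMS set up on Sprinto
    tickets: List[Ticket] = field(default_factory=list)

DATA_LOSS_MARKER = "data loss"   # assumed case-insensitive match on closing notes

def ims_configuration_monitor(ws: Workspace) -> Optional[str]:
    """Failing while no IMS is configured; None once it disappears (no passing state)."""
    return None if ws.ims_configured else "Failing"

def pagerduty_resolution_monitor(ws: Workspace) -> str:
    """Passing only when every ticket tracked from PagerDuty is closed there."""
    open_pd = [t for t in ws.tickets if t.source == "pagerduty" and t.status == "open"]
    return "Failing" if open_pd else "Passing"

def create_data_loss_followups(ws: Workspace) -> List[str]:
    """Create one Sprinto-tab reporting ticket per closed PagerDuty ticket whose
    closing notes mention data loss; idempotent across repeated evaluations."""
    existing = {t.ticket_id for t in ws.tickets}
    created = []
    for t in list(ws.tickets):                      # copy: we append while scanning
        if t.source != "pagerduty" or t.status != "closed":
            continue
        if DATA_LOSS_MARKER not in t.closing_notes.lower():
            continue
        followup_id = f"DL-{t.ticket_id}"           # assumed naming for follow-ups
        if followup_id not in existing:
            ws.tickets.append(Ticket(followup_id, "sprinto", "open"))
            created.append(followup_id)
    return created

def data_loss_reporting_monitor(ws: Workspace) -> Optional[str]:
    """None until a data loss follow-up exists; Failing while any is unresolved."""
    followups = [t for t in ws.tickets if t.ticket_id.startswith("DL-")]
    if not followups:
        return None
    return "Failing" if any(t.status == "open" for t in followups) else "Passing"

def evaluate(ws: Workspace) -> dict:
    create_data_loss_followups(ws)
    return {"ims_configuration": ims_configuration_monitor(ws),
            "pagerduty_resolution": pagerduty_resolution_monitor(ws),
            "data_loss_reporting": data_loss_reporting_monitor(ws)}
```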