Incident Management

Incident Management Overview

The Integrated Incident Management (IIM) application provides a business-user interface with workflow automation for tracking and resolving database security incidents. It simplifies incident management by allowing administrators to group a series of related policy violations into a single incident and assign them to specific individuals. This reduces the number of separate policy violations that oversight teams need to review.

IIM also provides a graphical dashboard for visually tracking key metrics, such as the number of open incidents, their severity levels, and the length of time incidents have been open.

Incident generation processes can be defined and scheduled to read the policy violations log and generate new incidents. From an incident generation process, each selected incident is:

In addition, policy violations can be assigned manually (by authorized users) to new incidents or existing incidents from the Policy Violations / Incident Management report.

Once an incident has been generated, administrators and other users work with incidents from the Incident Management tab, which is included on both the admin and user portals. From there, all other tasks can be performed (assign incidents, send notifications, assign status, and so forth).

The Incident Management functions can be accessed from the drill-down menus of the Incident Management reports. Each user may only have a subset of reports or functions available, depending on the security roles assigned to the user account.

You can create your own copies of the Incident Management reports, but those copies will not have all of the capabilities available from the pre-configured reports on the Incident Management tab. To assign incidents, severity codes, and so forth, use the reports on the Incident Management tab.

Define an Incident Generation Process

An incident generation process executes a query against the policy violations log, and generates incidents based on that query. By default, the definition and scheduling of incident generation processes is restricted to users with the admin role.

  1. On the Administrator portal, select Administration Console > Incident Generation to open the Incident Generation Processes panel.

  2. Click the Add Process button to open the Edit Incident Generation Process panel.

  3. Select a query from the Query list. There are several restrictions that apply to queries used in an incident generation process. We suggest that you open the query in the Query Builder to verify that it satisfies the following criteria:

  4. Select a Severity for the incident (defaults to Info).

  5. Optionally enter a Category for the incident (defaults to none).

  6. Optionally enter a Threshold for generating the incident. The default is one, meaning every row returned by the query generates its own incident.

  7. From the Assign to User list, select the user to whom the incident will be assigned.

  8. Enter the From and To Dates for the query. For a scheduled process, use relative dates (for example: now -1 day and now) so that the window advances with each run instead of re-reading the same fixed period.

  9. Click Save to save the process definition. You cannot run or schedule the process until it has been saved.

  10. To run the process immediately, click Run Once Now.

  11. To schedule the process, click Modify Schedule to open the general-purpose scheduling utility. For instructions on how to use the scheduler, see Scheduling in the Common Tools book.
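The steps above describe the process definition in terms of the user interface. The following is an added model of what such a process does when it runs; it is illustration only and is not the product's own code. It applies a saved query (stood in for by a predicate) to a constructed policy violations log restricted to a From/To window given as relative dates, then turns the matching rows into sequentially numbered incidents that carry the configured severity, category and assignee. The log rows, the user names, and the grouping rule for a threshold greater than one (one incident per `threshold` rows, leftover rows generating none) are assumptions of this model, not documented behaviour.

```python
"""Model of an incident generation process (added illustration, not product code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

SEVERITIES = ("Info", "Low", "Med", "High")  # severity codes listed on the page
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
DEMO_NOW = datetime(2024, 3, 11, 9, 0, 0)     # fixed "now" so the demo is reproducible

# Constructed sample of the policy violations log (not real data).
VIOLATIONS_LOG = [
    {"id": 1, "timestamp": "2024-03-10 08:15:00", "policy": "Failed logins", "db_user": "appuser"},
    {"id": 2, "timestamp": "2024-03-10 10:30:00", "policy": "Failed logins", "db_user": "appuser"},
    {"id": 3, "timestamp": "2024-03-10 14:05:00", "policy": "Failed logins", "db_user": "admin"},
    {"id": 4, "timestamp": "2024-03-11 02:45:00", "policy": "Sensitive object access", "db_user": "report"},
    {"id": 5, "timestamp": "2024-03-11 09:30:00", "policy": "Failed logins", "db_user": "appuser"},
]

_RELATIVE = re.compile(r"^now(?:\s*([+-])\s*(\d+)\s*(minute|hour|day|week)s?)?$")


def resolve_date(expr: str, now: datetime) -> datetime:
    """Resolve a From/To date: relative ("now", "now -1 day") or absolute."""
    m = _RELATIVE.match(expr.strip().lower())
    if m is None:
        return datetime.strptime(expr.strip(), TS_FORMAT)
    sign, count, unit = m.groups()
    if sign is None:
        return now
    delta = timedelta(**{unit + "s": int(count)})
    return now + delta if sign == "+" else now - delta


@dataclass
class Incident:
    number: int
    severity: str
    category: str | None
    assigned_to: str | None
    violation_ids: list[int]

    @property
    def status(self) -> str:
        # Status Description is Assigned while a user is assigned, Open otherwise.
        return "Assigned" if self.assigned_to else "Open"

    def change_severity(self, code: str) -> None:
        if code not in SEVERITIES:
            raise ValueError(f"unknown severity code: {code}")
        self.severity = code


@dataclass
class IncidentGenerationProcess:
    query: Callable[[dict], bool]      # predicate standing in for the saved query
    severity: str = "Info"
    category: str | None = None
    threshold: int = 1
    assign_to_user: str | None = None
    from_date: str = "now -1 day"
    to_date: str = "now"

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity code: {self.severity}")
        if self.threshold < 1:
            raise ValueError("threshold must be at least 1")

    def run(self, log: list[dict], now: datetime, first_number: int) -> list[Incident]:
        """Select rows inside the window that satisfy the query, then create one
        incident per `threshold` rows (threshold 1: one incident per row).
        Grouping for threshold > 1 is an assumption of this model."""
        start, end = resolve_date(self.from_date, now), resolve_date(self.to_date, now)
        rows = sorted(
            (r for r in log
             if start <= datetime.strptime(r["timestamp"], TS_FORMAT) <= end and self.query(r)),
            key=lambda r: r["timestamp"],
        )
        incidents: list[Incident] = []
        for i in range(0, len(rows) - len(rows) % self.threshold, self.threshold):
            chunk = rows[i:i + self.threshold]
            incidents.append(Incident(
                number=first_number + len(incidents),   # incidents are numbered in sequence
                severity=self.severity,
                category=self.category,
                assigned_to=self.assign_to_user,
                violation_ids=[r["id"] for r in chunk],
            ))
        return incidents


def demo(threshold: int = 1) -> list[Incident]:
    """Run a failed-login process over the constructed log as of DEMO_NOW."""
    process = IncidentGenerationProcess(
        query=lambda r: r["policy"] == "Failed logins",
        severity="Med",
        category="Authentication",
        threshold=threshold,
        assign_to_user="dba_oncall",  # assumed user name
    )
    return process.run(VIOLATIONS_LOG, now=DEMO_NOW, first_number=101)


if __name__ == "__main__":
    for inc in demo():
        print(f"#{inc.number} {inc.status} {inc.severity} violations={inc.violation_ids}")
```

With the window now -1 day to now, only violations 2 and 3 are both inside the window and matched by the query: row 1 falls before the window, row 5 after it, and row 4 belongs to a different policy. With the default threshold each of the two rows becomes its own incident; with a threshold of 2 they are grouped into one.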

Assign/Reassign to Incident

  1. In one of the Incident Management reports, double-click the policy violation to be assigned or reassigned.

  2. Select Assign/Reassign to incident from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of open incidents (for example, Assign to Incident #123), and one additional option: Assign to a new incident.

  3. Select an incident to assign this violation to, or select Assign to a new incident to assign this Policy Violation to the next incident number available (they are numbered in sequence).

A message displays when the change has been completed, and the Incident Management panel will be refreshed. If a new incident has been created, it will be listed at the top of the Open Incidents report.

Assign to User

  1. In one of the Incident Management reports, double-click the incident to be assigned to another user.

  2. Select Assign to user from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users, and one additional option: Unassign.

  3. Select a user, or select Unassign to remove the current user assigned. When a user is assigned, the Status Description will be Assigned, and when unassigned the Status Description will be Open.

A message displays when the change has been completed, and the Incident Management panel will be refreshed.

Change Severity

  1. In one of the Incident Management reports, double-click the incident whose severity is to be changed.

  2. Select Change Severity from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of severity codes: Info, Low, Med, and High.

  3. Select the desired severity code.

A message displays when the change has been completed, and the Incident Management panel will be refreshed.

Notify

  1. In one of the Incident Management reports, double-click the incident that a user is to be notified about.

  2. Select Notify from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users.

  3. Select a user.

A message displays when the notification has been sent to the user.

Change Status

  1. In one of the Incident Management reports, double-click the incident whose status is to be changed.

  2. Select Change Status from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of status codes:

  3. Select the desired status code.

A message displays when the change has been completed, and the Incident Management panel will be refreshed.

Add Comments

  1. In one of the Incident Management reports, double-click the incident to which comments are to be added.

  2. Select Comments from the drill-down menu, to open the User Comment window. For instructions on how to add comments, see Commenting in the Common Tools book.