Ever had an incident blow up because no one knew what to do? The SEF-02 control from the CSA CCM helps prevent that by requiring documented policies and procedures for handling security incidents. These cover all phases from prevention to resolution and regular staff training.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full CCM spreadsheet from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4 to learn more. The CCM provides a comprehensive set of cloud security controls mapped to various standards.
Who should care?
- Security managers responsible for incident response
- Operations teams that handle incidents when they occur
- Compliance officers that need to demonstrate the organization has defined IR processes
What is the risk?
Without documented incident handling procedures, incidents may be dealt with inconsistently leading to:
- Delayed response times increasing business impact
- Failure to contain and eradicate threats
- Inadmissible evidence if legal action is required
- Incomplete remediation allowing repeat incidents
Well-defined procedures help avoid these adverse outcomes. The extent depends on the scale, severity and sensitivity of incidents the organization typically faces.
What's the care factor?
Incident response is important for organizations of all sizes. Even small incidents can balloon without swift, coordinated action. The need for robust IR increases for:
- Highly-regulated industries like finance and healthcare
- Organizations holding sensitive data like PII
- Businesses where downtime is especially costly
- High-risk threat profiles facing targeted attacks
Don't wait until a major incident happens to get your IR house in order. Make it a priority before you wish you had.
When is it relevant?
Incident handling procedures are necessary whenever an organization:
- Relies on technology to deliver products/services
- Faces malicious threats like hackers and malware
- Has employees that could make mistakes or act maliciously
- Needs to satisfy legal, regulatory or contractual obligations
Even serverless startups are not immune to security incidents. Procedures may not be warranted for a one-person operation or non-critical systems.
What are the trade-offs?
Developing and maintaining IR procedures takes time and effort. Requirements and risks change, so they can't be "set and forget". Other trade-offs include:
- Overhead of periodic training and awareness activities
- Opportunity cost of responders not focussing on primary tasks
- Potential to slow down important business processes
The costs are usually far outweighed by having an oiled IR machine ready to leap into action. Just keep procedures lightweight and targeted.
How to make it happen?
- Assign an owner to lead development of IR procedures
- Determine IR goals and gather key stakeholder requirements
- Identify applicable regulations, obligations and standards
- Conduct a risk assessment to identify top incident scenarios
- Document procedures for each phase:
- Prevention - hardening, monitoring, threat modelling
- Detection - logging, alerting, triage, classification
- Analysis - forensics, impact assessment, communication
- Containment - isolation, eradication, system lockdown
- Recovery - patching, rebuilding, restoring from backup
- Post-incident - lessons learned, evidence retention
- Define roles, responsibilities and comms channels (phone, chat, email)
- Setup secure tooling for case management, evidence handling, collaboration
- Develop training and conduct awareness activities
- Schedule attack simulation exercises to test procedures
- Review, update and re-approve procedures at least annually
Procedures should be tailored to the organization's setup (on-prem, IaaS, PaaS, SaaS) and integrated with SOC playbooks and runbooks.
?