Tuesday, March 29, 2022

From Plans to playbooks

Building on the experience gained over the past six years of running Cyber Response exercises, it is becoming clear that Cyber Incidents should not be led by the ICT function. Cyber Incidents are in fact service disruptions. The Information Assurance trinity (Confidentiality, Integrity and Availability) reflects the holistic approach to the security of information.

Cyber incidents come in different shapes and sizes. If one system is affected, then generally the ICT function will be able to respond to it. However, if a cyber incident covers more than one system or a large service, it will in fact impact upon the business. Once the business is impacted, this becomes a strategic issue and requires senior leadership intervention through a crisis management team. Traditionally, this has all been thought of in the enterprise as business continuity planning. The coordination of business continuity planning is done through Business Continuity Management, which manifests itself through enterprise-level contingency plans. A contingency plan is a plan which addresses a specific issue.

Enterprise-level business continuity plans are, generally speaking, generic. A contingency plan, however, is specific. For instance, a contingency plan could deal with the loss of a building, be that a headquarters, a town hall or a head office. Obviously, if such a building was lost or unavailable for a period of time, all of the processes, services and systems that rely on that building for their delivery would also potentially become unavailable.

This becomes a serious problem as we have moved on through the information technology journey over the years. The proliferation of cloud-based systems, and of integrated hybrid systems which are partly on premise and partly in the cloud, brings a different set of challenges. The loss of a building may not mean the loss of a service. However, contingency plans need to cater for the loss of services and of specific systems.

As the computer world has moved more towards the agile approach to software development and delivery of services, so too must agile be taken into account in the way in which we respond to cyber incidents. We propose that the best way of doing this, just as in agile, is through playbooks, often called runbooks. C-TAG have developed a cyber incident response primer which itself supports a number of playbooks. The other component which supports playbooks in their invocation, and in their ability to remediate a specific problem, is the use of break glass policies.

Break Glass Policies

A break glass policy is as the name describes: a break glass being the type of button you press to set off a fire alarm by breaking the glass. A break glass policy enables a certain set of pre-authorised, delegated actions, empowering individuals to carry out tasks, incur expenditure and deploy resources in an autonomous fashion, so that they can act in a very quick and timely manner.

One of the key things moving forward for cyber incident response is the availability and deployment of a crisis management team. A Cyber Incident Coordination Cell should be established internally, which is different from the ICT team that may be resolving the actual problem. Cyber incident coordination requires Situational Awareness, Strategic Decision Support, and Intelligence Assessment and Analysis, feeding back to the Crisis Response Team.

The work is carried out through playbooks, which are in fact delegated contingency plans enacted through break glass policies, reporting back into the crisis management team. A break glass policy may have a predetermined initial time span for its delegated authority; this could be 12, 24 or 48 hours. The point is that once the crisis response team (in ICT) is stood up, it reports its initial actions to the Crisis Management Team. The crisis response team and the crisis management team are both supported by the Cyber Coordination Cell. The Crisis Management Team will then take back control, the role of the Break Glass Policy and its delegation having concluded.

But the break glass policy, once enacted, means that an immediate tactical response can take place to deal with the situation through the predefined playbook.

Golden Hour Guide

There is also a Golden Hour Guide, which starts to describe how you would actually do this. For crisis management teams there are various approaches, including one called the "Four Boards Approach". The four boards approach gives a cadence to each of the meetings that the crisis management team holds, so they are very rigid, very structured and time-boxed, with specific tasks, responsibilities and outcomes. In crisis management you do not always determine or dictate how something will be carried out; the focus needs to be on outcomes and effects. This is exactly the approach taken by the UK Government in how they run their COBR/A operations room: COBR/A will always talk about an effect that it wants to achieve rather than the actual method to get there.


References:

https://guidance.ctag.org.uk
https://www.theguardian.com/government-computing-network/2011/jun/13/local-cio-council-information-assurance-strategy-mark-brett
https://guidance.ctag.org.uk/local-authority-cyber-resilience-planning-guide
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/192425/CONOPs_incl_revised_chapter_24_Apr-13.pdf
https://www.researchgate.net/profile/Mark-Brett/publication/342898805_Cyber_Incident_Response_-Working_Paper/links/5f0c7c9792851c38a519c080/Cyber-Incident-Response-Working-Paper.pdf