The purpose of an Incident Management process is to establish procedures and standards to handle any interruption to a working service that disrupts access or use of technology-related services. Information collection, processing, storage and sharing is essential for Cloud Elements to deliver services to its customers. That information is also valuable to those who would misuse that data to cause damage to Cloud Elements or defraud its customers. Cloud Elements has deployed administrative, technical and physical controls to protect sensitive company information as well as customer privacy. However, if controls fail to protect sensitive data, Cloud Elements must have an Incident Response Plan to mitigate damage, investigate the cause and recover services.
Incident Response is the final stage in a process that escalates events through an operational review to determine whether an event observed in development or on a production processing system could have caused a breach of the system or a compromise of sensitive data. Cloud Elements has appointed an Incident Response Team (IRT) and maintains a plan to guide its response to an incident effectively. Incident Management begins with the recognition of a problem and ends when the problem has been closed and the solution validated. Problems invoking the Incident Management Process are those that interrupt or degrade a key service, impacting a large number of users or key functions.
The intent of Incident Management is to mitigate risk, and the company will respond to incidents according to the following priorities:
- Human life and safety
- Sensitive or mission-critical systems and data
- Other systems and data
- Damage to systems and data
- Disruption to access or services
- Loss or Breach of data
Specifically, Incident Management addresses problems that interrupt or significantly impact access or performance, such as:
- Local and remote hardware and software problems
- Incomplete or unavailable functions and applications
- Local and remote facility problems
- Operational problems
- Local and remote network problems
- Process problems
- Ensure that all problems are reported and recorded correctly.
- Ensure that all problems are assigned appropriate priority.
- Recognize and escalate recurring problems.
- Ensure all outstanding problems are managed to resolution and the service is restored.
- Identify, and escalate to management, issues that are not resolved within stated criteria.
- Review closed problems and validate their resolutions.
- Provide management with an overview of problems having an impact on the delivery of applications or system service.
- Advise management on methods to prevent problem recurrence, including documentation of the occurrence and go-forward changes.
- Ensure communication to key users and their management, as well as senior management.
Key Success Factors
- Problem assignment – Appropriate people should be assigned to work on a given problem. Problems can be reassigned to other people or groups if they are outside of a given person’s or group’s knowledge, skills, abilities or assigned area. Additionally, problems can be reassigned to a coordinator for formal closure.
- Problem duplication – All problems are tracked with date of occurrence and resolution. This allows for the effective tracking of repetitive problems with reference to prior actions.
- Problem escalation – Each incident is appropriately escalated to other managers so that resources are assigned effectively, and communications occur in a timely manner.
- Use of metrics and reports to evaluate timeliness of response and resolution.
- Key users and their management receive appropriate communication when a problem occurs, when it is resolved, as well as status updates during the resolution process.
- Problems are resolved in a timely manner.
The Incident Manager is the primary point of contact and the person most responsible for the affected service or the source of the problem. The Incident Manager is responsible for working with the Incident Coordinator to ensure that communication to affected users and managers is occurring. The Incident Manager is also responsible for ensuring that adequate and appropriate resources are assigned to the Incident Response Team. Specifically, the Incident Manager is responsible for:
- Invoking the need for the Incident Response team.
- Keeping Cloud Elements Management informed of incident status.
- Ensuring appropriate resources are assigned.
- Ensuring that the work of the Incident Response Team is coordinated.
- Escalating the problem as outlined in the escalation process.
- Ensuring problem notification and communicating status to affected customers, users and management, in conjunction with the Communications Guidelines and Incident Response Process, as specified herein.
- Providing status updates to customers as necessary.
- Completing the Master Incident Response Report (FM-23).
The CISO will act as the Incident Coordinator and is the key contact point for the Incident Response Team. The Incident Coordinator is responsible for working with the Incident Manager to pull together an Incident Response Team. The Incident Coordinator coordinates the Incident Response Team in its effort to identify and resolve the problem. Specifically, the Incident Coordinator is responsible for:
- Working with Incident Manager to identify resources needed to resolve the problem.
- Sending problem notification and communicating status as provided by the Incident Manager.
- Recommending specific assessment, investigation, and mitigation steps to the Incident Manager.
- Making recommendations to the Incident Manager such as a need for escalation, communication, etc.
- Supporting the Incident Manager in the execution of his or her role and responsibilities.
Incident Response Team
The Incident Response Team is a group of individuals who identify the issue and work to resolve it. The Incident Response Team can be composed of people from various departments. The Incident Response Team is responsible for:
- Collaboratively working together as a team to identify the problem, using the technical expertise of all individuals to investigate all potential sources of a given problem.
- Discussing ideas and suggestions for the possible source of the problem.
- Agreeing on an action plan for closing the issue.
- Participating fully as members of the team by communicating and coordinating their work with other members of the team.
- Once the issue is identified, agreeing on an action plan and carrying it out.
Note: For the duration of the incident, members of the Incident Response Team are directed by and responsible to the Incident Manager.
Incident Response Team
Response to significant cyber incidents is guided by the company’s Incident Response Team (IRT). Although first responders may be general IT staff or even other company employees, the IRT provides overall response guidance. This team’s first effort during an incident is to take control of the situation with the intent of mitigating potential damage to the company or its customers. It is the IRT's responsibility to:
- Manage the incident response process
- Defend against attacks and prevent further damage from occurring when an incident does occur
- Implement improvements that prevent attacks from reoccurring
- Report to the CISO the outcome of any security or data loss incidents
The company has appointed a qualified IRT with current members listed in the following table.
| CRT Member Title | Current IRT Member | CRT Member Contact Information |
|---|---|---|
| SVP Product Engineering | Atul Barve | firstname.lastname@example.org |
| VP IT & OPS, CISO | Ed Fuller | email@example.com |
| Director of Engineering | Pat Dechant | firstname.lastname@example.org |
| Director Technical Support | Brody Taylor | email@example.com |
Incident Response Process
The incident response process consists of four stages:
- Detection, Assessment and Triage
- Containment, Evidence Collection, Analysis and Investigation and Mitigation
- Remediation, Recovery
Detection, Assessment and Triage
Any event needs to be documented and reported to the Incident Response Team.
Containment, Evidence Collection, Analysis and Investigation and Mitigation
The Incident Log is reviewed by the Incident Manager who is the Process Owner. The Process Owner assesses the event and decides on a mitigation plan and suitable escalation to management as applicable.
Incident closure is tracked by the Process Owner. The Management Representative reviews the incident logs every two weeks and sends a report to Management on incident closure statistics.
A risk treatment plan is prepared for any incident whose closure time exceeds by 20% the anticipated time set for its Incident Type, as defined in the section below. The Process Owner is responsible for the Risk Treatment Plan.