Tuesday, November 15, 2016

Incident Management Planning with a Tabletop Exercise

Within an operational IT ecosystem, issues occur continuously. Most incidents relate to application defects, resource exhaustion, or the outage of a core infrastructure component such as a server, hypervisor, storage subsystem or network.

A whole series of other failures can also occur because of an operational error, a configuration mistake, or any number of malicious attacks.

In the course of managing an IT ecosystem, regulated firms need to determine which of the plethora of events are to be regarded, classified and handled as incidents. 

Typically, a regulated company will work closely with its cloud service provider to understand incident management roles and responsibilities in detail. Before production workloads are deployed, the stakeholders conduct a Table Top Exercise, a technique derived from military operations planning.

The table top exercise is a meeting to discuss simulated emergency situations. Stakeholders walk through the actions they would take in multiple emergency scenarios, testing their incident response plan in an informal, low-stress environment. Central to the exercise is building a shared understanding of the information needed to handle an incident, the sources of that information, the decision-making roles & responsibilities, and the sequence of hand-offs between parties.

A table top exercise goes beyond understanding the incident itself. Not every scenario will cause business impact or an outage to service availability, so the exercise also covers how the company makes provisions to ensure continuity of business. Equally, a table top may produce recommendations for preventing recurrence of an incident, or specify how evidence is to be preserved for subsequent external inspection and audit.

Ahead of time, stakeholders agree on a set of potential incident scenarios varying in severity. Each is simulated to test the planned response, with the essential steps captured and documented.

Finally, a Table Top exercise can be useful as part of contractual discussions between a client and cloud service provider in the creation of a Cloud Services Agreement. The table top output might be a RACI (Responsible, Accountable, Consulted, Informed) matrix that unambiguously specifies roles and responsibilities: every activity has exactly one Accountable party, at least one Responsible party, and a named recipient for each hand-off.

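The following is an added example and is not code from the original post. It shows one way to turn the captured steps of a tabletop scenario into a RACI matrix and then check it for the ambiguities that surface in a real incident: an activity with no Accountable party (or more than one), an activity nobody is Responsible for, a hand-off to a party who is neither Responsible nor Accountable for the next step, and a role that appears in the matrix but was never defined. The role names, activities and hand-offs are constructed for illustration and are not taken from any particular cloud services agreement.

```python
"""Check the RACI matrix produced by a tabletop exercise for ambiguity.

Added example; roles, activities and hand-offs below are constructed
for illustration, not drawn from the original post or a real agreement.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

VALID_CODES = {"R", "A", "C", "I"}  # Responsible, Accountable, Consulted, Informed


@dataclass
class Activity:
    """One step of the incident response captured during the tabletop."""
    name: str
    raci: Dict[str, str]          # role name -> R/A/C/I
    handoff_to: Optional[str]     # role that takes over once this step completes


def check_raci(roles: Set[str], activities: List[Activity]) -> List[str]:
    """Return a list of findings; an empty list means the RACI is unambiguous."""
    findings: List[str] = []
    for act in activities:
        for role, code in act.raci.items():
            if role not in roles:
                findings.append(f"{act.name}: unknown role '{role}'")
            if code not in VALID_CODES:
                findings.append(f"{act.name}: invalid code '{code}' for '{role}'")
        accountable = [r for r, c in act.raci.items() if c == "A"]
        responsible = [r for r, c in act.raci.items() if c == "R"]
        if len(accountable) != 1:
            findings.append(
                f"{act.name}: expected exactly one Accountable, found {len(accountable)}")
        if not responsible:
            findings.append(f"{act.name}: no Responsible role")
    # A hand-off is only meaningful if the receiving party actually owns or
    # performs the next activity; an 'Informed' recipient is a gap in the chain.
    for cur, nxt in zip(activities, activities[1:]):
        if cur.handoff_to is None:
            findings.append(f"{cur.name}: no hand-off recorded to '{nxt.name}'")
        elif nxt.raci.get(cur.handoff_to) not in ("R", "A"):
            findings.append(
                f"{cur.name} -> {nxt.name}: hand-off to '{cur.handoff_to}', "
                f"who is not R or A on '{nxt.name}'")
    return findings


# Constructed roles for a client / cloud service provider (CSP) engagement.
ROLES = {"Client SOC", "Client App Owner", "Client Compliance", "CSP Ops", "CSP Security"}


def good_scenario() -> List[Activity]:
    """Constructed scenario: hypervisor outage, every step unambiguously owned."""
    return [
        Activity("Detect and classify",
                 {"CSP Ops": "R", "Client SOC": "A", "Client App Owner": "I"},
                 handoff_to="CSP Security"),
        Activity("Contain and restore service",
                 {"CSP Security": "R", "CSP Ops": "A", "Client SOC": "C"},
                 handoff_to="Client App Owner"),
        Activity("Validate application recovery",
                 {"Client App Owner": "R", "Client SOC": "A", "CSP Ops": "I"},
                 handoff_to="Client Compliance"),
        Activity("Preserve evidence and report",
                 {"Client Compliance": "R", "Client SOC": "A", "CSP Security": "C"},
                 handoff_to=None),
    ]


def flawed_scenario() -> List[Activity]:
    """Same scenario with the kinds of gaps a tabletop is meant to expose."""
    return [
        Activity("Detect and classify",            # two Accountable parties
                 {"CSP Ops": "R", "Client SOC": "A", "CSP Security": "A"},
                 handoff_to="CSP Ops"),
        Activity("Contain and restore service",    # nobody Accountable
                 {"CSP Ops": "R", "Client SOC": "C"},
                 handoff_to="Client App Owner"),
        Activity("Validate application recovery",  # hand-off lands on an 'I'
                 {"Client SOC": "A", "Client App Owner": "I", "CSP Ops": "R"},
                 handoff_to="Client Compliance"),
        Activity("Preserve evidence and report",   # role never defined
                 {"Client Compliance": "R", "Client Legal": "A"},
                 handoff_to=None),
    ]


if __name__ == "__main__":
    for label, scenario in (("good", good_scenario()), ("flawed", flawed_scenario())):
        print(f"{label}: {check_raci(ROLES, scenario) or 'no findings'}")
```

Running the check during the tabletop, rather than after the Cloud Services Agreement is signed, is the point: each finding is a question to settle in the room while the relevant client and provider stakeholders are present.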
Reference Examples:

The FDIC has good planning materials for evaluating cyber incidents:
https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html

https://www.youtube.com/results?search_query=table+top+incident+managment returns multiple video examples of table top exercises, mostly focused on public emergency or business continuity situations.

Sunday, November 6, 2016

Consider These Themes Before Selecting a Cloud Provider for Your Regulated Workloads

Might I suggest you consider the following important points as you select a cloud provider...
  • Are cloud computing offerings the core business of your chosen cloud providers?
  • Is cloud a financially viable business for the cloud provider?
  • Does the cloud provider have a strong technical vision, ability to deliver and proven expertise?
  • How does the cloud service provider maintain a compliant position if it uses 3rd party staff? What contractual arrangements are in place that enable compliance to be asserted or validated?
  • Are data centers and operational function locations appropriately secured?
  • What are the plans for Continuity of Business and Disaster Recovery? Do major outages impact a client? What capacity remains available in the event of an outage, and how can it be reserved and accessed?
  • What is the track record, and what are the availability statistics, for each service offering?
  • References from existing clients within regulated industries
  • Unambiguously documented roles and responsibilities (especially for availability, monitoring, incident management, security, and privacy)
  • Reporting capabilities for availability, usage and financial metrics
  • Ability to assure infrastructure, storage, and staffing location 
  • Compliance with published regulatory standards
  • How should consideration of the above change when buying higher value offerings such as PaaS and SaaS?
  • Does the cloud provider understand how to sell and service enterprise clients?
  • Does the cloud provider encourage a one-size-fits-all approach? This is unlikely to work for regulated industries.
  • Can the cloud provider support hybrid on-prem/off-prem deployment models with a supporting ecosystem of connectivity, consistency, and interoperability?
  • Is pricing competitive?  
  • Is the cloud provider profitable and sustainable?

*** Vic Winkler's book, "Securing the Cloud: Computer Security Techniques and Tactics", inspired me in creating this list.