Incident response and management of the information
Questions 100 to 105 — find out what you can see and control in security incidents — get the right level of assurance from the service provider.
Questions 100 to 105 — incident response and management of the information
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- 100 — Does the service provider have a formal incident response and management process and plans that clearly define how they detect and respond to information security incidents?
- 100a — If yes, will they provide the government organisation with a copy of their process and plans to enable it to determine if they are sufficient?
- 101 — Does the service provider test and refine its incident response and management process and plans on a regular basis?
- 102 — Does the service provider engage its customers when testing its incident response and management processes and plans?
- 103 — Does the service provider appropriately train its staff on incident response and management processes and plans to ensure that they respond to incidents in an effective and efficient manner?
- 104 — Do the service provider’s terms of service or service level agreement define the support they will provide to the government organisation if an information security incident happens? For example, does the service provider:
  - 104a — notify customers when an incident that may affect the security of their information or interconnected systems is detected or reported
  - 104b — specify a point of contact and channel for customers to report suspected information security incidents
  - 104c — define the roles and responsibilities of each party during an information security incident
  - 104d — allow customers to access evidence to enable them to perform their own investigation of an incident — evidence such as time-stamped audit logs or forensic snapshots of virtual machines
  - 104e — make sufficient information available to enable the government organisation to cooperate effectively with an investigation by a regulatory body — such as the Privacy Commissioner or the Payment Card Industry Security Standards Council
  - 104f — define which party is responsible for the recovery of data and services after an information security incident has occurred
  - 104g — share post-incident reports with affected customers to enable them to understand the cause of the incident and make an informed decision about whether to continue using the public cloud service
  - 104h — specify in the contract limits and provisions for insurance, liability and indemnity for information security incidents?
  - Note — it’s recommended that government organisations carefully review liability and indemnity clauses for exclusions. See also: Terms and conditions for negotiating contracts for public cloud services.
- 105 — Do the service provider’s incident response and management procedures map to, or fit with, the government organisation’s internal policy and procedures — meaning that they will not hinder or delay the government organisation’s ability to manage incidents in a timely and effective manner?
| Entity | Questions to answer |
| --- | --- |
| Service provider | 100, 100a, 101, 102, 103, 104, 104a, 104b, 104c, 104d, 104e, 104f, 104g, 104h |
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Context and help for questions 100 to 105
The following guidance gives you context and help for answering questions about incident response and management of the information.
Direct contracts — check for information you can use
Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:
NZ government agreements and contracts — check for certification documents you can use
You can use certification documents to help with your risk assessment of using either:
- an all-of-government agreement
- a Marketplace contract.
To get these, contact the security team at the Department of Internal Affairs at firstname.lastname@example.org.
Factors affecting visibility and control of security incidents
What you can see and control during a security incident depends on the:
- service model you’re using — infrastructure, platform or software as a service. The less of the stack your organisation operates itself, the more you rely on the provider for detection, evidence and recovery
- deployment model you’re using — public cloud or another type of cloud service.
Incidents occur — find your level of assurance
Even the most carefully planned, used and managed preventative controls can fail to stop a risk from happening. This is why it’s important to get the right level of assurance for your information: that assurance should show that the service provider is capable of responding to an information security incident effectively and efficiently.
Review the service provider’s contract
It’s rare for government organisations to be able to negotiate contracts directly with providers of public cloud services.
Review the contract — either the:
- terms of service
- service level agreement.
See what, if any, support the service provider gives to their customers during an information security incident.
Review or develop your own incident response and management plans
Government organisations need to have their own processes and plans for incident response and management. These define how the government organisation will handle its responsibilities during an information security incident, including the parts the service provider will not handle for you.
Topics to cover in plans and processes
For your organisation’s incident response and management, make sure your plans and processes cover, for example:
- incident definitions
- notification criteria
- escalation channels
- evidence collection and preservation
- post-incident activities.