Cloud Incident Response

Key Notes from 30th Jan Call

    Posted Nov 20, 2019 02:32:00 PM
    Dear all, 

    The call was mainly for brainstorming ideas to consider in the scope of our deliverable(s). 

    Background/ Reference documents (under "Docs & Files" tab).

    • TR 62 - Cloud Outage Incident Response 
    • ENISA Cloud Computing Security Risk Assessment
    • NIST - Computer Security Incident Handling Guide
    • ISO 27035 Preview document on Information Security Incident Management
    Please suggest additional reference documents that are relevant to the WG's deliverable. If new best practices come up along the way, we could also make use of them appropriately so as not to reinvent the wheel.

    What the WG hopes to accomplish

    When faced with a cloud incident, the root cause is typically not known instantly. Could it be due to a DDoS attack? A misconfiguration? Incidents cover data breaches as well. Could that be due to exfiltration by a malicious intruder, or something less nefarious? The intended framework aims to harmonize and incorporate the aforementioned documents to create a framework for users/CSPs to respond to, handle and mitigate the impact. You could think of it as a decision tree with recommendations, where it eventually branches down to the type of incident (outage / no outage → cyber / non-cyber related → what type of cyber / non-cyber factors) and how to deal with it.

    Title of Deliverable

    CSA's deliverables are typically bite-sized for fast consumption by the industry. It need not be a hefty 100-page document detailing every parameter. The first deliverable could be akin to this piece of work by CSA's Mobile Application Security Testing Working Group, where the content is high level and provides an overarching framework. Areas that can be further elaborated can be addressed in future deliverables. The title should reflect this. Here are a couple of suggestions:
    • Guidelines for Cloud Incident Response
    • Cloud Incident Response Framework
    Currently, participants of the call expressed preference for 'Cloud Incident Response Framework'. Please sound off your thoughts and also, feel free to suggest an appropriate title which you think well encompasses the deliverable while keeping in mind that the deliverable is a recommendation / guideline rather than standard / regulation. You can find the two titles in the comments section: Boost the comment (i.e. title) you prefer with the round spaceship icon. Or, leave a new comment to suggest your own title.

    Scope for First Deliverable

    Here are some thoughts to kick around.
    • To cover incident response for users or vendors or both? Since they have different processes and practices, the responses should be handled differently. If we start with a concise and high-level overarching framework, the scope can include provisions for both users and vendors. Another suggestion is to focus on one in the first deliverable and the other in the next deliverable. If so, which first?
    Let us hear your thoughts in the comments below! We will be working with the WG Co-Chairs to develop a draft structure for the first deliverable and will share that on Basecamp in due time to be kicked around further.

    In the meantime, we appreciate any suggestions for the title of deliverable and scope.

    Best Regards,
    Jane Chow


    ------------------------------
    Jane Chow
    Jan 31
    ------------------------------