People are sometimes confused about where to start when preparing to handle crises and security incidents.
My advice is to start with a plan, and to start the plan by identifying what you are actually supposed to protect. Start by thinking big. Perhaps the ultimate asset to protect is not a service daemon on your server or some records in your database but the trust your stakeholders have in your organization, that is, customers, staff, students, providers, funding bodies, media, and the general public. There is some explicit trust in the form of, for example, agreements on your ability to deliver what is expected of you in a trustworthy manner, but also a lot of implicit trust. As we all know, it normally takes a long time to earn trust, but you can lose it easily and fast if you act wrongly during a crisis.
To be able to act in a responsible and trustworthy manner during a crisis, we need to do some planning before the crisis. These plans can have different names depending on the organisation and context, but they can include information security policies and guidelines, business continuity and disaster recovery plans and crisis management and communication plans. Let’s not go into these now.
A plan is a good start, but…
My main point here is that all these fine proactive plans can and will be easily forgotten during a crisis if they are not properly communicated in advance and, here we go, exercised in a systematic manner. Crisis management is not (only) about documentation; it's about the ability to handle awkward and sensitive situations under pressure and with incomplete information for decision-making. It is also very common that normal decision-making patterns are bypassed during a crisis, resulting in additional confusion and uncertainty.
The idea of exercising crisis management is by no means a new or original one. Armies have done that for millennia, and it is a standard procedure for all security, safety and rescue bodies. In information security, many of us are still in an early phase of the learning curve.
In most international and national information security frameworks, exercising crisis management and incident handling is a mandatory requirement. You will not comply with these standards if you cannot show a record of regular exercises. The international ISO standard for Information Security Management, ISO/IEC 27001, for which my company has obtained a certification, states, in such a nice way, that ‘The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations’. A light review of documentation will not be sufficient for you to pass the certification audit; you need to rehearse crisis management as well.
An exercise makes it work
At CSC in Finland, our director for communications, Ms Minna Lappalainen, and I have been lucky to be able to participate in crisis management trainings provided by GÉANT and Surfnet. Last spring, we even invited Charlie van Genuchten from Surfnet to lead a crisis management exercise with university information security managers during their annual security seminar held in the beautiful city of Seinäjoki in Western Finland. You can read more about this very successful and fun exercise on the CSC webpage.
Now we at CSC are preparing a crisis management exercise for our managers and for our staff. We will rehearse how to apply the division of duties and chain-of-command in our own crisis management guidelines. We have defined roles in charge in case of different types of crises: (information) security incidents and rescue situations, unannounced service breaks, privacy issues and brand crises. I am in charge of the first type and Ms. Lappalainen of the last category.
Most of the participating universities at the Security Seminar in Seinäjoki are currently preparing to participate in national crisis management exercises. At the time of writing this text, we are jointly planning how to lead the exercises in our own organisations.
At least the University of Jyväskylä is also preparing its own exercise, as my colleague there, the Information Security Manager, Mr. Teijo Roine, told me.
I recommend that you, my dear reader, now, during the cyber security month, plan a cyber security exercise for your own organisation. There is a lot of good advice and templates available for that on the GÉANT wiki, and you can attend the annual CLAW Crisis Event to get inspiration. You don’t need to start with rebooting your whole NREN or university; you can start with a narrower scope and a table-top exercise too. In that case, even a vulnerable service daemon which exposes your data to a leak can be a good practical scenario.
Urpo Kaila
Urpo Kaila (CISSP, CISM, GCIH, GCED) is a seasoned Head of Security at CSC – IT Center for Science Ltd. Urpo has handled many incidents of many types and managed a lot of crises. He is also a member of the steering committees of SIG-ISM and WISE.