Contingency Plans and Incident Management
When an incident occurs, time matters. Being prepared means not spending the first critical hours on things that should have been settled in advance: who must be notified, who is responsible for what, and who can be called in to help.
Many people think of security incidents as targeted attacks, where someone breaks into a solution by hacking it. That is sometimes the case, but the term covers much more.
NSM defines a security incident as "A deviation situation where there is a potential for loss of confidentiality, integrity, and/or availability of information or ICT services. A security incident can occur as a result of a data attack, technical failure, or unintentional errors." In other words, an incident is almost anything that affects the confidentiality, integrity or availability of information or services; what must be reported, to whom, and how quickly depends on the context and on each customer's requirements.
Preparations
This is covered in several articles under "Plan," but one of the most important things you can do is document the requirements we must comply with, our responsibilities in each phase of an incident, and our contact points at the customer. Some customers are very security-focused and will monitor their solutions and alert the delivery team themselves, while others rely on the team to do its own monitoring.
NSM lists several useful measures that the team should also consider. Many of them are aimed at the organization as a whole, but the team should still know which measures are in place and what they imply for the solution it delivers.
When an Incident Occurs
Incidents take many forms. An incident can be a weakness or vulnerability discovered in an application, in one of its dependencies, or in the runtime environment, but it can also be an attack, whether obvious or covert.
If you discover or have reason to believe that a solution is under attack, report it to the customer immediately. The attacked solution is not always the target; in many cases it is merely a stepping stone to another system. It is therefore important to know which accesses and network paths it has to other solutions, so the customer's IT organization can check those for signs of attack as well.
If you come across signs that a solution has been attacked, or has been used to attack something else, notify the customer so they can preserve information and evidence for further investigation.
Handling and investigating incidents is a specialized field. If you come across signs that something may have happened, inform your contact point and wait for their instructions before taking any action. In particular, do not restart, patch or "clean up" the affected system on your own initiative, as that can destroy the very evidence the investigation needs.