
Implementing CCM: Incident Response Controls

Published 10/14/2025

Written by Megan Theimer, Content Marketing Manager, CSA.

The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. Created by CSA, the CCM aligns with CSA best practices.

You can use CCM to systematically assess and guide the security of any cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways.

CSCs use CCM to:

  • Assess the cloud security posture of current or potential cloud vendors. If a cloud vendor isn’t transparent about their security controls, the risk of doing business with them can be quite high.
  • Compare vendors’ level of compliance with relevant standards like ISO 27001.
  • Clarify the security roles and responsibilities between themselves and the CSP.

CSPs use CCM to:

  • Assess, establish, and maintain a robust and internationally accepted cloud security program. CCM helps solidify CSPs' positions as trusted and transparent providers of cloud services.
  • Compare their strengths and weaknesses against those of other organizations.
  • Document controls for multiple standards in one place. CSA has mapped the controls in CCM against several industry-accepted security standards, regulations, and control frameworks.

 

CCM contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology:

CCM Domains (figure: list of the 17 CCM domains)

Today we’re looking at implementing the fourteenth domain of CCM: Security Incident Management, E-Discovery, & Cloud Forensics (SEF). The SEF domain enables both CSPs and CSCs to respond to security incidents in a timely manner. This helps minimize the disruption to business operations.

Under the Shared Security Responsibility Model (SSRM), both CSPs and CSCs are responsible for:

  • Developing incident response (IR) plans
  • Defining roles and responsibilities
  • Implementing incident metrics
  • Reporting to stakeholders
  • Escalating procedures to efficiently manage security incidents

Collaboration is key. CSPs offer insights into infrastructure-level causes of incidents. CSCs provide data, application, and user-specific context for thorough investigation and resolution.

A critical aspect of stakeholder collaboration is triaging potential security incidents. This often requires a joint effort. The CSP can provide valuable insights into potential sources or root causes of the security event. Meanwhile, the CSC can contribute information specific to their data, configuration, applications, and user activity.

 

Reviewing the Control Specifications

The SEF domain consists of the following 8 control specifications:

 

1. Security Incident Management Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually.

This control’s ownership is Shared (Independent) as both the CSP and CSC need to establish their own policies. They should use Key Shared Security Responsibility Indicators (KSSRI) to identify the shared responsibilities.

Policies should include (but are not limited to) provisions on the following:

  • Incident handling process
  • Detection
  • Analysis
  • Containment
  • Eradication
  • Recovery
  • Post-mortem
  • Response time agreement
  • Communication path with the CSC
  • Reporting path
  • Escalation path
  • Notification path
  • IR plan testing
  • Approval
  • Communication
  • Maintenance and reviews

 

2. Service Management Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the timely management of security incidents. Review and update the policies and procedures at least annually.

This control’s ownership is Shared (Independent) as the CSP and CSC establish their own policies.

Policies should include (but are not limited to) provisions on the following:

  • CSP-CSC collaboration
  • Roles and responsibilities
  • Proactive measures
  • IR automation (SOAR)
  • IR containment
  • Evidence cloud storage
  • Approval
  • Communication
  • Maintenance and reviews

Other policy considerations for timely management of security incidents should include agreements on:

  • IR alerting
  • IR time
  • Investigation of the time and date of each occurrence
  • RTO metrics
  • IR records

 

3. Incident Response Plans

Establish, document, approve, communicate, apply, evaluate and maintain a security incident response plan, which includes but is not limited to: relevant internal departments, impacted CSCs, and other business critical relationships (such as supply-chain) that may be impacted.

This control addresses four of CSA’s top threats to cloud computing:

  • Insufficient identity, credential, key, and privileged account management
  • Unsecured third party resources
  • Misconfigurations
  • Exploitation of serverless and container workloads

The control ownership is Shared (Independent) as both the CSP and CSC need to establish their own security IR plan. The IR plan should enable efficient management of security incidents for the organization’s cloud products and services.

The IR plan should include the following provisions:

  • Scope
  • IR team and stakeholders
  • Incident tracking and classification
  • Response type and expected response timeframes
  • Evidence gathering and handling
  • Incident lifecycle phases and procedures
  • Roles and responsibilities
  • Notification and reporting
  • Business impact assessment information
  • Reference information
  • Schedule
  • Plan testing

 

4. Incident Response Testing

Test and update as necessary IR plans at planned intervals or upon significant organizational or environmental changes for effectiveness.

This control’s ownership is Shared (Independent). Both the CSP and CSC need to test and update their individual organization’s IR plan. Organizations should test IR plans periodically, either through paper walkthrough/tabletop exercises or simulations. Where feasible, both the CSP and CSC should participate to verify the plan’s effectiveness.

Make sure to:

  • Validate and update all contact information and IR team members
  • Validate and update the scope of the IR plan
  • Define the scope for the IR test
  • Decide which area in the threat landscape to test the IR plan with
  • Schedule the IR plan test
  • Conduct the paper walkthrough or simulation following the IR plan and all phases of the incident
  • Review and update manual processes and automated incident management features
  • Reconcile the organization's BC and DR plans with the IR plan, and address discrepancies
  • Document and communicate the IR plan test results
  • Update the plan to address discrepancies and failures

The CSP and CSC should also test, update, and improve IR plans after:

  • Significant organizational changes
  • External supply chain disruptions and natural disasters
  • Security attacks, particularly those resulting in security breaches

 

5. Incident Response Metrics

Establish and monitor information security incident metrics.

Example metrics include mean time to respond, mean time to identify, time to contain, and data recovery time.

This is a shared responsibility between the CSP and the CSC. They both must ensure that they've established and continue to monitor appropriate security incident metrics.

They should define, implement, and monitor security incident metrics related to:

  • All supporting infrastructure
  • Middleware, development tools, BI services, and database management systems
  • Applications configured as contractually agreed upon
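As an added example (not from the CSA page or the CCM itself), the Python below computes the metrics named above from constructed incident records and then checks each incident against a breach notification deadline, which is the concern of control 7. The record fields, the measurement baselines (identify from occurrence; respond and contain from identification; recovery from containment) and the 72-hour deadline are assumptions; the real deadline comes from your SLAs, laws and regulations.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incident records (not from the CSA page). Timestamps are ISO 8601,
# assumed UTC; "notified" is None when no breach notification has been sent yet.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2025-03-01T08:00", "identified": "2025-03-01T08:30",
     "responded": "2025-03-01T09:00", "contained": "2025-03-01T11:00",
     "recovered": "2025-03-02T08:00", "notified": "2025-03-02T12:00"},
    {"id": "INC-2", "occurred": "2025-03-10T20:00", "identified": "2025-03-11T02:00",
     "responded": "2025-03-11T03:00", "contained": "2025-03-11T09:30",
     "recovered": "2025-03-11T12:30", "notified": None},
    {"id": "INC-3", "occurred": "2025-03-15T10:00", "identified": "2025-03-15T10:15",
     "responded": "2025-03-15T10:45", "contained": "2025-03-15T12:15",
     "recovered": "2025-03-15T13:15", "notified": "2025-03-19T10:15"},
]

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def incident_durations(inc: dict) -> dict:
    """Per-incident durations in hours. Baselines are an assumption: identify is measured
    from occurrence, respond and contain from identification, recovery from containment."""
    return {
        "time_to_identify": _hours(inc["occurred"], inc["identified"]),
        "time_to_respond": _hours(inc["identified"], inc["responded"]),
        "time_to_contain": _hours(inc["identified"], inc["contained"]),
        "data_recovery_time": _hours(inc["contained"], inc["recovered"]),
    }

def sef_metrics(incidents: list) -> dict:
    """Mean of each duration across incidents: MTTI, MTTR, mean time to contain, mean recovery."""
    per_incident = [incident_durations(i) for i in incidents]
    return {k: round(mean(d[k] for d in per_incident), 2) for k in per_incident[0]}

def notification_status(incidents: list, deadline_hours: int, now: str) -> dict:
    """Classify each incident against a notification deadline counted from identification.
    deadline_hours is a placeholder value, not a figure from any specific regulation."""
    out = {}
    for inc in incidents:
        deadline = datetime.fromisoformat(inc["identified"]) + timedelta(hours=deadline_hours)
        if inc["notified"] is None:
            out[inc["id"]] = "overdue" if datetime.fromisoformat(now) > deadline else "pending"
        else:
            out[inc["id"]] = "on_time" if datetime.fromisoformat(inc["notified"]) <= deadline else "late"
    return out

if __name__ == "__main__":
    print(sef_metrics(INCIDENTS))
    print(notification_status(INCIDENTS, deadline_hours=72, now="2025-03-20T00:00"))
```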

 

6. Event Triage Processes

Define, implement and evaluate processes, procedures and technical measures supporting business processes to triage security-related events.

This control is Shared (Dependent), leading to a more targeted and efficient response. The CSP can provide valuable insights into potential sources or root causes of the security event. The CSC can contribute information specific to their data, configuration, applications, and user activity.

For example, consider a security incident occurring in the platform layer for an IaaS infrastructure. The CSC and CSP should both drive triage to determine where the incident originated. This may involve containment measures implemented by the CSP, such as isolating affected resources. Meanwhile, the CSC can take steps like user account suspension or data recovery, depending on the specific event.

 

7. Security Breach Notification

Define and implement processes, procedures and technical measures for security breach notifications. Report security breaches and assumed security breaches including any relevant supply chain breaches, as per applicable SLAs, laws and regulations.

This control’s ownership is Shared (Independent). Both the CSP and the CSC are responsible for reporting security breaches. Security breaches include any relevant supply chain breaches as per applicable laws and regulations.

Implement procedures to report security breaches and assumed security breaches for all supporting infrastructure. This includes virtual elastic compute, server operating systems, storage, and networking. Also implement procedures for middleware, development tools, BI services, database management systems, and applications configured as contractually agreed upon with the CSC.

 

8. Points of Contact Maintenance

Maintain points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities.

Both CSPs and CSCs are responsible for maintaining and documenting the points of contact. They should implement a communication process and assign responsibilities to the communications team to prepare them for investigations requiring engagement with law enforcement.

 

Risks Addressed by the SEF Domain

Lack of Clear Roles and Responsibilities Between the CSP and CSC

A lack of clear responsibilities results in an inefficient IR plan and slows down the response. A Key Shared Security Responsibility Indicator (KSSRI) can indicate where each party’s roles and responsibilities begin and in which direction responsibility transfers.

 

Untested Incident Response Plans

Some CSCs may misunderstand the roles and responsibilities regarding testing the plan. This results in an ineffective IR plan: no one will identify ineffective or invalid steps, failures, and deviations from the plan.

Organizations should periodically perform IR plan testing, either through a paper walkthrough, tabletop exercise, or simulation. Both the CSP and the CSC should participate. This verifies the IR plan’s effectiveness using various event scenarios.

 

Break in Communication Channels Between the CSP and CSC

If the collaboration stream for triaging is limited, the time to acknowledge and contain the incident suffers. Establish a communication plan and channel for notifying relevant stakeholders. Don't forget to notify impacted internal teams on both the CSC and CSP sides. To share relevant security incident information promptly, use a Key Shared Security Responsibility Indicator.

 

Breach Notification Timeframe is Not Followed

This can result in regulatory or legal penalties. Establish breach notification procedures that meet the required timeframes.

 

Implementation Best Practices

  • Develop and maintain an incident documentation and categorization process
  • All personnel involved in incident and problem management must receive all required training
  • Close incident records with a closure status and a link to the corresponding problem management statement
  • Establish an IR plan that outlines the incident criteria, the severity levels, and the roles and responsibilities
  • Always validate incident closure
  • Clearly define, implement, and periodically review the event triage process
  • Annually review and update your points of contact

 

A Final Word

The CCM’s SEF domain provides a standardized set of controls that different CSPs can consistently apply. It provides comprehensive coverage of incident and problem lifecycle management components, as well as policy development. It ensures compliance with multiple frameworks by leveraging CCM mappings, various SEF regulatory requirements, and industry best practices. Leverage the CCM Implementation Guidelines to conduct a gap analysis, correct and address deficiencies, and implement security controls.

All CSA documentation is free to download and use. Learn how to implement the other CCM domains by reading the rest of the blogs in this series. Be on the lookout for the next installment: Supply Chain Management, Transparency, and Accountability.
