Incident management | The Centauri Step, Governance and IT Security
How can you anticipate and control incident management? One of the keys is having a good relationship with suppliers.
An issue overlapping with business continuity management
Within the big ISO 27001 family, you have the ISO 27035 standard for managing security events and incidents. However, incident management is also an important theme in another essential standard for business management: ISO 22301 on business continuity. This is a critical topic, which, one day or another, directly or indirectly affects anyone involved in organizations. In my own case, it is precisely incident and crisis management that led me to be working in the field of IT security today.
Rather than differentiate an IT incident from a security incident, this article focuses on the supplier relationship, as this is often the stumbling block when it comes to contracts.
The root of everything!
It might sound crazy but if there were no security problems, you wouldn’t need IT security teams! Therefore one of the founding elements of your ISMS (information security management system) is the creation of an internal alert and management system for incidents that could disrupt your business.
Before wanting to address incident risks with your suppliers, clarify your own methods and system. How do you anticipate and handle the everyday problems that your business faces? This might seem obvious, but some organizations are more demanding of their suppliers than their own staff.
NB: Obviously, this remark doesn’t apply if it is precisely the outsourcing of incident management services that the contract concerns!
What should you demand?
Here I introduce a new and fascinating notion: the service-level agreement, or SLA for short. In most cases, this is a contract clause (or a separate document appended to the contract at the project kick-off), which specifies the service expectations and how they will be assessed.
In other words, the SLA is where you can address the operational issue of availability of service. And this once again opens the door to the topic of continuity of business (with ISO 22301 and the Business Continuity Plan, or BCP for those already in the know). But that’s enough for now on that! Without making this a dissertation on SLA, the idea is that a software publisher undertakes to ensure the availability of its system – for example, 99.98% of the time – and that penalties will be due should they fail to meet this commitment.
You can also have a Security SLA, under which suppliers shall be liable in the event of repeated security incidents, or for incidents not resolved within the time limit agreed between the service provider and the business. Another crucial point, therefore, is this time limit. It is essential that you negotiate a maximum time limit within which service providers – or any supplier for that matter – must inform you in the event of a security breach.
MY ADVICE: A maximum of 24 hours should be allowed for reporting security breaches to the client. Some suppliers will argue that the EU’s GRDP regulations give a maximum of 72 hours. But watch out! The GDPR only applies to personal data, and not the entire scope of ISO 27001. To give a concrete example, if your supplier realises at 8 a.m. on the Monday that there has been an intrusion into his premises, I recommend that you agree that he has to report such an incident to you (but not necessarily resolve it) by 8 a.m. the following day.
It is about providing transparency, which will make for a better and smoother client-supplier relationship. It is up you as the client to ensure that your supplier’sincident management measures are effective.
The advantage of having one same expert who can perform both the security risk assessment on your supplier and negotiate the contract with them is that they can cross-check information and be even more pertinent in their approach.
I usually recommend following EU directives and the minimum amounts demanded in the case of personal data breaches. Negotiating a liability clause equivalent to five times the annual contract amount tends to be a good compromise. You will not receive full compensation in the event of a major attack (and this is even if accountability is established), but you can reduce losses to a minimum.
If you would like examples of liability clauses, or you want to discuss how best to deal with security in your contracts, drop me a line via the contact form!