Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

Debunking some myths about critical incident response – if procedures and politics fail the outsourcers’ best efforts

July 15th, 2007

In the past we have written about:

Debunking 7 myths about network security – have you fallen for any of them?

Zero-Day Mozilla Firefox OR ‘old’ Microsoft Internet Explorer vulnerability – debunking some myths about early warning systems

Debunking mania – early warning systems and better security

When one has to outsource certain services, critical incidents can happen and do require an appropriate response.

[Chart: Critical Incident Response – Outsourcer]

But the above could be theory, unless the incident response mechanisms put in place have been:

– spelled out in detail (who does what, when, where, etc.),
– specified in the contract under a sub-section and spelled out in more detail in an Appendix – Critical Incident Response, and finally,
– tested to make sure they work in practice to both the outsourcer’s and the client’s satisfaction.

But our experience is that such issues are often overlooked when a contract is finally signed. So in one case, the disaster hit… After it had happened we were asked to investigate the scene of the ‘crime.’ Our work was extensive, but in a nutshell it boiled down to the fact that it took forever to get a decision made on the client’s side when a critical incident was discovered by the outsourcer’s staff. Numerous steps were involved, such as:

    1 the incident response manager calls the manager of the outsourcer’s division,
    2 he or she calls a boss who is in another canton or province or maybe even another country in Europe,
    3 that executive decides to call the sales representative,
    4 the outsourcer’s sales rep. calls the contact person at the client’s location,
    5 the client contact calls that organization’s security department,
    6 the client contact points out to the security team the urgent need for them to talk to the outsourcer,
    7 the client’s security team tells that organization’s client contact to arrange a conference call with the outsourcer’s security experts,
    8 the client’s contact tells the outsourcer’s sales representative to arrange a conference call,
    9 the client’s contact tells the sales representative from the outsourcer that it is okay to arrange for a conference call,
    10 the outsourcer’s manager and the client’s manager talk to each other and try to arrange a conference call, and oh no,
    11 due to scheduling difficulties, the conference call gets delayed another 24 hours before it will happen.

So when a security engineer is heard saying:

    oh sh… We are seeing attacks from network X and this is a data security breach in progress …

It cannot be that it takes several working days, going through all the steps outlined above, UNTIL FINALLY something can be done on the client’s side, can it?


So let us just agree for a moment that the following is true:

– the privacy function has been outsourced

Critical incidents need to be managed, and if a 24-hour response is needed then the right mechanisms must be put in place before such a type of incident happens. Defining what a critical incident is, and a 5-step list for the duty officer to follow through once such a critical incident has been identified, must be done carefully. Sloppiness here can be very costly when such an incident happens. Let us not forget, a critical incident will surely happen sometime in the not too distant future.


The above illustrates that when a critical incident is occurring, what needs to be done is not an easy decision. In fact, the above example suggests that it can be downright frustrating. Here, there is a botnet you have discovered sending out spam, but it takes maybe 4 or more business days to get somebody up the food chain to make a mission-critical decision that will, in turn, allow the techies to implement the change.

Sometimes, things are not as clear cut as one may think they are. Also of interest:
Debunking some common myths about safe personal computing

