SEC10-BP01 Identify key personnel and external resources

Identify internal and external personnel, resources, and legal obligations to help your organization respond to an incident.

Desired outcome: You have a list of key personnel, their contact information, and the roles they play when responding to a security event. You review this information regularly and update it to reflect personnel changes from an internal and external tools perspective. You consider all third-party service providers and vendors while documenting this information, including security partners, cloud providers, and software-as-a-service (SaaS) applications. During a security event, personnel are available with the appropriate level of responsibility, context, and access to be able to respond and recover. 

Common anti-patterns:

• Not maintaining an updated list of key personnel with contact information, their roles, and their responsibilities when responding to security events.

• Assuming that everyone understands the people, dependencies, infrastructure, and solutions when responding to and recovering from an event. 

• Not having a document or knowledge repository that represents key infrastructure or application design.

• Not having proper onboarding processes for new employees to effectively contribute to a security event response, such as conducting event simulations.

• Not having an escalation path in place when key personnel are temporarily unavailable or fail to respond during security events.

Benefits of establishing this best practice: This practice reduces the triage and response time spent on identifying the right personnel and their roles during an event. Minimize wasted time during an event by maintaining an updated list of key personnel and their roles so you can bring the right individuals to triage and recover from an event.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Identify key personnel in your organization: Maintain a contact list of personnel within your organization that you need to involve. Regularly review and update this information in the event of personnel movement, like organizational changes, promotions, and team changes. This is especially important for key roles like incident managers, incident responders, and communications lead. 

• Incident manager: Incident managers have overall authority during the event response.

• Incident responders: Incident responders are responsible for investigation and remediation activities. These people can differ based on the type of event, but are typically developers and operation teams responsible for the impacted application.

• Communications lead: The communications lead is responsible for internal and external communications, especially with public agencies, regulators, and customers.

• Subject matter experts (SMEs): In the case of distributed and autonomous teams, we recommend you identify an SME for mission critical workloads. They offer insights into the operation and data classification of critical workloads involved in the event.

Consider using the AWS Systems Manager Incident Manager feature to capture key contacts, define a response plan, automate on-call schedules, and create escalation plans. Automate and rotate all staff through an on-call schedule, so that responsibility for the workload is shared across its owners. This promotes good practices, such as emitting relevant metrics and logs as well as defining alarm thresholds that matter for the workload.

Identify external partners: Enterprises use tools built by independent software vendors (ISVs), partners, and subcontractors to build differentiating solutions for their customers. Engage key personnel from these parties who can help respond to and recover from an incident. We recommend you sign up for the appropriate level of AWS Support in order to get prompt access to AWS subject matter experts through a support case. Consider similar arrangements with all critical solutions providers for the workloads. Some security events require publicly listed businesses to notify relevant public agencies and regulators of the event and impacts. Maintain and update contact information for the relevant departments and responsible individuals.

Implementation steps

1. Set up an incident management solution.

   1. Consider deploying Incident Manager in your Security Tooling account.

2. Define contacts in your incident management solution.

   1. Define at least two types of contact channels for each contact (such as SMS, phone, or email), to ensure reachability during an incident.

3. Define a response plan.

   1. Identify the most appropriate contacts to engage during an incident. Define escalation plans aligned to the roles of personnel to be engaged, rather than individual contacts. Consider including contacts that may be responsible for informing external entities, even if they are not directly engaged to resolve the incident.  

Resources

Related best practices:

• OPS02-BP03 Operations activities have identified owners responsible for their performance

Related documents:

• AWS Security Incident Response Guide

Related examples:

• AWS customer playbook framework

• Prepare for and respond to security incidents in your AWS environment

Related tools:

• AWS Systems Manager Incident Manager

Related videos:

• Amazon's approach to security during development