The Cloud Controls Matrix (CCM) Control SEF-08 is all about making sure you have the right people on speed dial in case things hit the fan security-wise. You need a rolodex of contacts at places like law enforcement and regulatory agencies that you can call up ASAP if a security incident requires their help. Keeping this contact list updated is key to mounting a rapid response.
Where did this come from?
This control comes straight from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full document with all 197 controls at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a baseline of security controls specifically designed for cloud computing. It's kind of like a checklist of best practices to keep your cloud environment on lockdown.
Who should care?
This one is super relevant for:
- Security Incident Response Managers who need to coordinate with external parties during a security event
- Compliance Officers responsible for liaising with regulators
- Legal Counsel who may need to work with law enforcement or other legal authorities
- Executive Leadership accountable for the organization's incident response
What is the risk?
Not having up-to-date contacts for relevant external parties can really slow you down during an incident. Precious minutes or hours can be wasted trying to figure out who to call. This delay gives attackers more time to do damage.
Some potential consequences:
- Attackers gain a bigger foothold in your environment
- More data is stolen or destroyed
- Fines or legal action from regulators for inadequate response
- Reputational damage from appearing incompetent to authorities
What's the care factor?
Organizations should care a lot about having these contacts at the ready. While major incidents requiring law enforcement may be relatively rare, when they do happen, time is absolutely critical. Being able to quickly bring in the cavalry can make a huge difference in the impact and outcome.
That said, the effort to maintain the list is pretty minimal, so the cost/benefit makes sense even if it's rarely used. It's like a first aid kit. You hope to never need it, but if you do, you'll be very glad it's there and fully stocked.
When is it relevant?
SEF-08 is most relevant for organizations operating in regulated industries or dealing with highly sensitive data. Financial services, healthcare, government, critical infrastructure - they're more likely to experience incidents that require reporting to or coordination with authorities.
It's less critical for a small business or startup unlikely to catch the eye of sophisticated attackers. But as the organization grows and its risk profile changes, maintaining these contacts becomes more important.
What are the trade offs?
The main cost is the time of a senior employee to identify the appropriate contacts, reach out to establish the relationship, and periodically update the list. But we're talking hours per year, not a huge burden.
There's also a minor risk of this sensitive contact info leaking. It shouldn't be publicly accessible. But with proper access controls and "need to know" restrictions, this is manageable.
How to make it happen?
- Identify applicable regulation authorities, law enforcement agencies, and legal jurisdictions based on your industry, location, and type of data handled. Don't forget local as well as national.
- Designate a Point of Contact (POC) at your organization for each external entity. They should be senior enough to coordinate a major incident.
- Have each POC reach out to their counterpart to establish a relationship. Confirm communication channels - phone, email, secure portal, etc.
- Document each external contact with name, title, agency, and multiple communication methods. Follow info sec best practices - encrypt the file, restrict access, etc.
- Set a recurring calendar reminder to have POCs reconfirm contacts every 6 months. Update documentation accordingly.
- Ensure all incident responders know where to find this contact info and are authorized to use it. Include it in IR playbooks.
- If an applicable incident occurs, use these contacts immediately to meet reporting requirements and get help. Time is of the essence.
What are some gotchas?
- Don't underestimate the red tape involved in working with government agencies. Allow extra time.
- Contacts can change roles often, especially in law enforcement. Stay on top of this.
- Each jurisdiction and agency may have different reporting requirements and procedures. The more you can learn in advance, the better.
- Involve your legal counsel early and often. They can advise on notification obligations.
What are the alternatives?
There aren't really any alternatives to maintaining your own contact list. You can outsource some of the effort to law firms or consultants, but you'll still need an internal POC accountable for the information.
Properly implementing SEF-08 is really the only way to achieve the intent of the control, which is to enable swift coordination with authorities during security incidents.
Explore further
- The NIST Computer Security Incident Handling Guide has great info on coordinating with external parties: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- The Sans Institute has a free template for a security incident contact list: https://www.sans.org/media/score/checklists/IncidentResponseContactList.pdf
- For issues of handling evidence, refer to the NIST Guide to Integrating Forensic Techniques into Incident Response: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf
The CIS Controls v8 includes Control 17 - Incident Response Management. It maps well to CCM SEF-08 and provides additional guidance and resources for effective incident handling.
In summary, SEF-08 is a small but mighty control. A little proactive leg work to establish and maintain external contacts can pay huge dividends by enabling swift and effective incident response when it matters most. Don't neglect this key aspect of your security program!
