
Fix broken IR process #2429

Merged (3 commits), Nov 2, 2023

Conversation

@pburkholder (Contributor) commented Nov 2, 2023

Changes proposed in this pull request:

  • Remove the checklist that is incorrect or out-of-date
  • Bring in the special situations from the checklist into the main document
  • Update the IR process to ack that pages is part of the system
  • Correct channel names
  • Make Slack a first-class tool now that it's no longer LiSaaS
  • Link to Google Docs
  • Update contacts to reach out to
  • Update the security.txt. GSA has the wrong links. Want to clarify that we do have bounties regardless of what GSA may say.

This is still a less-than-ideal document but is significantly better. I'd like to merge it once we correct what's still clearly wrong, even if we may still have some omissions.

Security Considerations

The IR process is already open source.

@pburkholder pburkholder requested review from a team November 2, 2023 20:28
- Is there evidence of compromise or attack?
- Has the system been unable to maintain our [service level objectives]({{ site.baseurl }}{% link _docs/overview/customer-service-objectives.md %})?
- An availability issue impacting a single customer is likely _not_ an incident
- Is an attack imminent or suspected (e.g. a Log4J type vulnerability)
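Review bot: the third bullet ("An availability issue impacting a single customer is likely _not_ an incident") reads as a fourth criterion, but it qualifies the service-level-objective question above it; indent it as a sub-bullet so the list stays a list of yes/no questions, and give the last bullet its closing question mark as the suggested change proposes. The `{% link _docs/overview/customer-service-objectives.md %}` tag is the right choice here, since Jekyll fails the build if that path does not exist, which catches a stale link before it ships.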
Contributor

Suggested change
- Is an attack imminent or suspected (e.g. a Log4J type vulnerability)
- Is an attack imminent or suspected (e.g. a Log4J type vulnerability)?

Comment on lines +80 to +92
When a TTS staff member (the *reporter*) notices and reports a cloud.gov-related incident using the [TTS incident response process](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/security-incidents/) they should then notify the cloud.gov team in [`#cg-support`](https://gsa-tts.slack.com/archives/C09CR1Q9Z)

When a cloud.gov team member is the first person to notice an incident, they should
join [`#cg-incidents`](https://gsa-tts.slack.com/archives/GTNBK2L9K), and use the "Declare Incident" Workflow.

When a cloud.gov team member is the first person to notice an incident, they should also begin reporting it by using the [TTS incident response process](https://handbook.tts.gsa.gov/general-information-and-resources/tech-policies/security-incidents/) and posting about it in [`#cloud-gov`](https://gsa-tts.slack.com/messages/cloud-gov/) using `@cg-team` (including notifying the cloud.gov leads).
Declaring an incident results in further guidance to:
- Designate an Incident Commander and Scribe
- Claim an incident folder in our "Incident Response" [Google Drive folder](https://drive.google.com/drive/folders/1WtLFiZuxLmKR4mrztEE9YtS78nGxC--P)
- We try to populate incident folders in advance based on existing templates
- Share the URL of the incident document
- Update incident doc in that folder with comms and key findings.
- Gather in a Google Meet
- Set reminders to send comms updates, and to rotate key roles every 6 hours.
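Review bot: the two paragraphs that both open "When a cloud.gov team member is the first person to notice an incident, they should" split one procedure in two; merge them into a single paragraph or numbered list so the order (declare in `#cg-incidents`, file the TTS report, post in `#cloud-gov` with `@cg-team`) is unambiguous. The first paragraph (reporter notifies `#cg-support`) also needs a comma after the TTS-process link and a terminating period. The `#cloud-gov` link uses the `/messages/cloud-gov/` form while `#cg-support` and `#cg-incidents` use `/archives/<id>`; since correcting channel names is one of this PR's goals, use the archive-ID form for all three so a channel rename does not break the link. Finally, "We try to populate incident folders in advance based on existing templates" is a note on the folder bullet rather than an action, so indent it under that bullet.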

Contributor Author

The IR document is still very duplicative. I'd like to do another round and leverage something like https://gist.github.com/scmx/eca72d44afee0113ceb0349dd54a84a2 to expand/collapse the details.

Contributor

Fair. As a first pass, this is a big improvement.

@pburkholder pburkholder added this pull request to the merge queue Nov 2, 2023
Merged via the queue into main with commit d3485ee Nov 2, 2023
2 checks passed
@pburkholder pburkholder deleted the peterb-ir-fixes branch November 2, 2023 21:33