Cyber Crisis Management Endorsed in the PRIS Framework

Business continuity, staff rotation planning, media monitoring… All of these concepts are now defined in the PRIS framework (prestataires de réponse aux incidents de sécurité, the French qualification scheme for security incident response providers).

Against this backdrop, a new activity is being added: cyber-origin crisis management. Under the code CRISE, it joins:

  • Compromise assessment (REC)
  • Digital investigation (INV)
  • Malware analysis (CODE)
  • Coordination and steering of investigations (PCI)

Crisis management was already present in the previous version of the framework (July 2024), but only marginally: it was mainly addressed through a recommendation that providers raise awareness among sponsors about setting up such a mechanism.

Room to delegate

The CRISE service can be delivered independently of the others, whereas, for example, PCI cannot be delivered without REC and INV, which are inseparable from it.


ANSSI allows certain support tasks to be delegated to a profile other than the crisis manager:

  • Transcription and drafting of meeting minutes
  • Implementation of crisis organization and resources (for example, booking meeting rooms and logistics)
  • Transcription of decisions, actions and arbitrations
  • Collection of interviews and logistical aspects for the possible debrief

It does not, however, recommend that, within a given engagement, a single individual hold both the crisis manager role and an analyst role.

Synchronizing with PCI activities

As a consequence of integrating this activity into the framework, the duties of the investigation lead (the role tied to PCI) evolve. The lead is now formally expected to ensure consistency with the priorities of cyber-origin crisis management. This becomes a requirement at the high qualification level (as opposed to the so-called substantial level): “When investigation operations and cyber-origin crisis management are carried out simultaneously […], the provider must ensure the proper synchronization of these operations within the scope that falls to them (sic).”

The provider must be able to help identify, upstream:

  • Critical applications, systems, data and organizational periods
  • Impacts related to the security incident and consequences for the beneficiary’s activity
  • Possible third parties whose involvement might be necessary
  • Main short- and medium-term issues and applicable legal obligations
  • Crisis communication issues

The provider is also expected to support the preparation of complaints and incident notifications to the competent authorities, and to establish, with the sponsor, the criteria and indicators used to monitor the crisis and decide when to exit it.

Hot debrief at the high qualification level

Regarding execution itself, a few requirements apply only at the high qualification level:

  • Keep the strategic objectives defined in the action plan to a limited number, base them “on the context priorities”, and specify at least a deadline for implementing the operational objectives that follow from them.
  • Be able to provide decision-support materials to the strategic crisis cell (or its equivalent).
  • Record, in the log the provider must maintain, the consequences and impacts that justify each action taken.

The high qualification level also requires an end-of-day hot debrief and the ability to formalize a post-incident review (retour d'expérience, RETEX).

Dawn Liphardt
