Contingency Procedure (A.17.1.2)

Introduction

anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2013, the international standard for information security.

The purpose of this document is to describe anDREa’s Contingency Procedure. This procedure encompasses the Business Continuity Plan as well.

This document will be updated at least annually and whenever a significant change occurs.

Contingency Procedure

Scope

anDREa’s operations are running on Microsoft Azure and are all tied to the same Azure Active Directory (AAD). The AAD provides access to assets needed to run the business, the assets required to run and access the Azure DRE Shared Tenant, and the Workspaces at the Tenants.

anDREa’s Contingency Procedure deals with any threat or incident that has a major impact on anDREa’s customers or anDREa itself. The Contingency Procedure includes, but is not limited to, Business Continuity.

The prioritized scope of the Contingency Procedure is:
  1. The operational Core of anDREa including the AAD
  2. The Subscriptions and their Workspaces
  3. GitHub with the anDREa code
  4. Development, Test & Acceptance environment
  5. Zoho Desk
  6. Office 365

Assumptions

The viability of this Business Continuity Plan is based on the following assumptions:
  1. That a viable and tested IT Disaster Recovery Plan exists and will be put into operation to restore data center service at a backup site within three working days.
  2. That this plan has been properly maintained and updated as required.

Contact information

See: Support and Escalation Contacts in the different departments in support.mydre.org

General procedure

When this procedure must be applied, the situation is far from normal. Emerging findings and observations will dictate how to proceed. The procedure described below is therefore more of a guideline than a strict and detailed procedure that must be followed.

  1. Establish if the threat is ongoing
    1. Block and contain the threat
      1. Apply the appropriate hand-brake(s) if needed to contain and/or protect: Workspace, Subscription, Shared Tenant
      2. Shut down and isolate compromised (Workspace) VMs
    2. Explicitly keep monitoring all resources for strange behavior or other vectors of attack
    3. Keep the logs safe
    4. Scramble a team
      1. CTO, IT architect, senior devs, ops
      2. Inform (C)ST, users and other relevant stakeholders
  2. Establish if the cause is a network attack, an authorization attack, or a rogue internal application
  3. When possible, isolate the services involved in the threat for deep investigation and possible forensic investigation; if not, destroy the services
    1. Establish what has been (potentially) compromised
  4. If applicable, develop and deploy hotfixes
  5. Restart or redeploy services
  6. Inform (C)ST, users and other relevant stakeholders
    1. In case of (possible) compromised workspaces or data leaks: Data Breach Procedure
  7. Root cause analysis & Resolution 
