Please note that these guidelines are not final and still in development

Security Development Lifecycle


Practice #01

Establish and Test Response Processes

Preparing an Incident Response Plan is crucial for helping to address new threats that can emerge over time.

An Incident Response Plan should be created in coordination with your organization’s dedicated Product Security Incident Response Team (PSIRT). The plan should include who to contact in case of a security emergency, and establish protocols for security servicing, including plans for code inherited from other groups within the organization and for third-party code. The incident response plan should be tested before it is needed!

Please check section 16 of the UCOP IS-3 guidelines (https://policy.ucop.edu/doc/7000543/BFB-IS-3) for the minimum requirements for an incident response plan. These requirements include all elements included in the UCOP Information Security Response Standard, available at https://security.ucop.edu/files/documents/policies/incident-response-standard.pdf.

At UC Davis, security incidents should be reported to the Information Security Office https://iet.ucdavis.edu/security via cybersecurity@ucdavis.edu. If private data is exposed then the details should also be provided to the Privacy Office https://privacy.ucdavis.edu/ via privacy@ucdavis.edu.

Document and test a Disaster Recovery Plan (DRP)

No application can be made completely secure. If an application, server, or network is compromised it may not be possible to fully recover from the production systems. Having a fully documented and tested disaster recovery plan that allows an application or system to be recovered or rebuilt from a secure, alternative location can make a big difference in mitigating the severity of a security breach.

According to section 17 of the UCOP IS-3 guidelines (https://policy.ucop.edu/doc/7000543/BFB-IS-3), Units must plan, implement, test and review the continuity of information security as an integral part of the Unit’s business continuity and disaster recovery plans. Units must also include IT Resources classified at Availability Level 4 in emergency and disaster recovery planning. The goal is to maintain information security during adverse situations and ensure that information security is embedded in UC’s business continuity and/or disaster recovery processes.

Safety Services provides some useful resources for emergency and disaster planning (https://safetyservices.ucdavis.edu/article/emergency-management-plans-and-procedures), including:

  • An Event and Crisis Management Guide
  • An Emergency Action Plan template and guide
  • The UC Ready tool for developing Business Continuity Plans

All DRP documents should include a recovery time objective (RTO) and a recovery point objective (RPO). The first defines how quickly a system is expected to recover, while the second describes what the application or system will look like when it has sufficiently recovered. Each department may have different RTO and RPO values based on its sensitivity level, risk appetite, and capabilities.

More DRP templates and guidance are provided by the Department of Homeland Security through Ready.gov at https://www.ready.gov/business/implementation/IT.