Navigating the Digital Frontline: DoA’s Role in Cybersecurity and Incident Handling. An IT Delegation of Authority Process Playbook.

by Soumya Ghorpode

In the ever changing field of cybersecurity, where threats are complex, far reaching, and often sudden, the ability to react quickly and do what is necessary is essential. It is no longer sufficient to detect what is going on; organizations must also be able to respond, contain and recover with precision. At the core of this agility is a well thought out and detailed Delegation of Authority (DoA). Far more than an organizational chart, a strong DoA framework, best put into practice through an IT Delegation of Authority Process Playbook, becomes the operational base that supports sound decision making in the middle of an incident.

This report examines the key role DoA plays in improving an organization’s cybersecurity posture and in streamlining incident response. We look at what DoA means in an IT setting, set out the main differences between it and role based access, and describe the basic elements of a full DoA process playbook for the modern digital enterprise.

Understanding Delegation of Authority (DoA) in the IT Landscape

At its root, Delegation of Authority (DoA) is the formal transfer of decision making authority, responsibility, or tasks from a higher level of authority to a subordinate or other identified person. In the IT space this goes beyond task assignment: it includes the explicit ability to make key decisions, approve actions, or commit resources on the organization’s behalf within set parameters.

In a large organization with a complex IT infrastructure, without defined decision points every significant change, access request, or critical incident may travel to the highest level for approval, causing debilitating delays. With DoA, specific individuals or teams are authorized to act quickly, in alignment with the company’s strategy, while accountability is maintained. For instance, a systems architect may be authorized to approve minor network changes, a security analyst to initiate a system quarantine, or a project manager to purchase specific software up to a certain budget.

In IT, DoA is about streamlining processes, increasing efficiency, and placing decision making at the level nearest to the action, without trading away control or oversight.

DoA in Cybersecurity: A Strategic Imperative

DoA at the crossroads of cybersecurity is where operational efficiency meets strategic defense. In cybersecurity and incident response it is not enough to know who has access to a system; it is also about who is authorized to isolate a key server during a ransomware attack, who may approve the emergency deployment of a patch for a zero day vulnerability, and who may declare a major security incident that activates the full incident response team.

A strong DoA framework improves an organization’s security posture by:

  1. Ensuring Swift Decisiveness: Cyber attacks move quickly. What looks like a small issue at the time of detection may grow into a much larger problem by the time a decision is made. DoA, as a feature of the incident response plan, identifies which individuals have the authority to make the tough calls (for example, to take down a system, block an IP address, or begin forensics) without the delay of multiple levels of approval, which may stall entirely if senior management is not available.
  2. Clarifying Accountability: Through formal delegation of authority, organizations put in place clear lines of responsibility. When an action is taken (or not taken), it is easy to see which party had the power to make that decision, which enables better post incident analysis and continuous improvement.
  3. Optimizing Resource Deployment: DoA supports the principle that those with the requisite expertise and proximity to an issue should be the ones making decisions about it, so that specialist skills are put to best use.
  4. Supporting Compliance and Audit: A documented DoA framework provides a record of decision making processes, which is important for regulatory compliance (e.g. GDPR, HIPAA, SOX) as well as for internal governance. It is also evidence of due care and controlled operations.

DoA in Incident Handling: The Crucible of Preparedness

It is in incident handling that DoA plays its largest role. When a security breach occurs, the environment transitions from routine operations to high stakes crisis management. Time is of the essence. A predetermined DoA framework turns what would otherwise be chaos into a structured, executable response.

Consider a scenario: a key production system is compromised, with data being exfiltrated.

  • Without DoA: The security analyst reports the breach but has to wait for the IT director’s approval, which then goes to the CISO and at times as far as the CEO before decisive action such as shutting down the system is authorized. In that time the attacker is still at work and precious hours are lost.
  • With DoA: The IT Delegation of Authority Process Playbook states that for “Extreme Severity” incidents involving data exfiltration from critical systems, the Lead Incident Responder is authorized to immediately implement network segmentation and system shutdown, with the CISO and legal counsel notified in parallel. This rapid transfer of authority reduces the attacker’s window of opportunity and greatly decreases the potential damage and data loss.

In incident handling, DoA defines:

  • Who can declare an incident: Activation of the incident response plan.
  • Who can authorize containment actions: Network division, system separation, disabling user accounts.
  • Who can approve eradication efforts: System refreshes, patch updates.
  • Who can communicate with external parties: Law enforcement, customers, media (which at times includes high level officials).
  • Who can authorize forensic investigations: Engagement of outside experts, resource allocation.
  • Who can authorize recovery: Bringing systems back up, enacting new controls.

Clear DoA ensures that the right person, with the appropriate expertise, steps forward to make the right decision at the right time in a crisis, however pressurized the situation may be.

Role-Based Access vs. Delegation: Main Points of Contrast

Role Based Access Control (RBAC) and Delegation of Authority (DoA) are easily confused, but they are distinct concepts.

  • Role-Based Access Control (RBAC): RBAC is a security mechanism that restricts system access based on a user’s role in the organization. For instance, a “Network Administrator” role may be able to configure network devices, assign IP addresses, and view logs; an “HR Manager” role may have access to employee data in the HR application. RBAC determines what a user may do within a system according to the permissions granted to his or her role. It is about fine grained access to resources and the technical capabilities made available to a given user identity, and it is a largely static structure that sets out what is and is not allowed in the IT environment.
  • Delegation of Authority (DoA): DoA, by contrast, is a formal structure that grants the ability to make decisions, authorize actions, or commit resources on the organization’s behalf. It goes beyond technical access. A “Network Administrator” may have RBAC permission to reconfigure a firewall but may lack the specific DoA needed to do so in an emergency without first obtaining approval from a superior. DoA sets out what people may decide or approve, including decisions with large scale operational, financial, or legal impact. It reflects the organization’s power structure and is often dynamic, situational, and able to be put in place temporarily.
  • Synergy, Not Substitution: While distinct, RBAC and DoA are complementary. For a delegated authority to be effective, the individual or team given the DoA usually also requires the appropriate RBAC to carry out the action. For example, if the Lead Incident Responder is authorized to shut down a server (DoA), they will also need the technical access (RBAC) to perform that action in the system. RBAC is the what and how of technically performing an action; DoA is the who and the sanction for that action at a strategic and organizational level.

Building an IT Delegation of Authority Process Playbook

Developing a formal IT Delegation of Authority Process Playbook is key to weaving DoA into the fabric of an organization’s IT and cybersecurity practices. The playbook is a comprehensive guide that provides consistency, clarity and accountability.

Key elements of such a playbook include:

  1. Defining Scope and Purpose: State clearly what the playbook covers (for example incident response, change management, procurement, access management) and its goals (for instance improving efficiency, enhancing security, ensuring compliance).
  2. Identification of Key Decision Areas: Identify and document all IT and cybersecurity processes in which key decisions are made. This includes routine operations, emergency procedures, and strategic initiatives.
  3. Hierarchy of Authority: Set out clearly defined levels of authority, from operational staff to senior executives, and describe what each level does and what is expected of it.
  4. Granular DoA Matrix: This is the core of the playbook. For each key decision point, define:
    1. The Specific Action/Decision: e.g. “Approve an emergency firewall rule change”, “Authorize external communication in the case of a breach”, “Approve release of PII to a third party”.
    2. The Authority Level Required: Which post has the right to make this decision.
    3. Delegation Conditions: Under what circumstances is this authority passed to lower levels, and to whom? (e.g. when the CISO is out, the Security Operations Manager takes over for Level 2 incidents).
    4. Notification Requirements: Who is to be notified after a decision has been made or an action taken.
    5. Documentation Requirements: How decisions and their reasoning are to be recorded.
  5. Emergency Procedures and Escalation Paths: Detail specific DoA for crisis situations in which the normal chain of command may break down (for instance when the CISO is unavailable during a large scale breach). Put in place clear escalation routes for cases where delegated authority proves insufficient or the situation exceeds a predefined threshold.
  6. Training and Communication Plan: Ensure that all affected staff are aware of the DoA framework, which parts they are responsible for, and what that looks like in practice. Regular training and easily accessible documentation add real value here.
  7. Review and Update Cycle: The IT environment is in a constant state of change. The DoA playbook must be a living document, reviewed and updated regularly (for example annually, after major organizational changes, or following major incidents); that is the key to its continued value and effectiveness.
  8. Templates and Forms: Provide templates for recording delegated decisions, approvals, and incident summaries.
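As an added example, not part of the original article or of any organization’s actual playbook, the Python sketch below encodes a small DoA matrix of the kind described in items 4 and 5 and resolves who may authorize a given action. It picks the matrix row that applies at the incident’s severity, falls through to the listed delegates when the primary holder is unavailable, refuses to proceed when the holder lacks the RBAC permission needed to actually execute the action (the RBAC/DoA synergy discussed in the previous section), and emits the audit record the documentation requirement calls for. All role names, actions, permissions, severity levels, and the RBAC table are constructed assumptions for illustration.

```python
"""Added example: a small Delegation-of-Authority (DoA) matrix resolver.

All roles, actions, permissions and severity names below are constructed for
illustration; they are not taken from any real playbook.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# Severity scale assumed for the example (the article itself names "Extreme Severity").
SEVERITY = {"low": 1, "medium": 2, "high": 3, "extreme": 4}


@dataclass(frozen=True)
class DoAEntry:
    action: str                 # the specific action/decision
    severity_floor: int         # lowest severity level at which this row applies
    authority: str              # role that holds the authority
    delegates: Tuple[str, ...]  # ordered fallbacks when the holder is unavailable
    notify: Tuple[str, ...]     # roles notified once the action is taken
    permission: str             # RBAC permission the authorizer needs to execute it


# Constructed DoA matrix. At extreme severity the Lead Incident Responder may
# isolate systems immediately, notifying the CISO and legal counsel in parallel;
# at lower severities the CISO approves, delegating to the SOC manager when out.
DOA_MATRIX: Tuple[DoAEntry, ...] = (
    DoAEntry("isolate_system", 4, "lead_incident_responder", ("soc_manager",),
             ("ciso", "legal"), "network.segment"),
    DoAEntry("isolate_system", 1, "ciso", ("soc_manager",), ("legal",), "network.segment"),
    DoAEntry("external_communication", 3, "ciso", ("legal",), ("ceo",), "comms.publish"),
    DoAEntry("release_pii_third_party", 1, "legal", (), ("ciso", "dpo"), "data.export"),
)

# Constructed RBAC table: which technical permissions each role actually holds.
SAMPLE_RBAC: Dict[str, FrozenSet[str]] = {
    "lead_incident_responder": frozenset({"network.segment"}),
    "soc_manager": frozenset({"network.segment"}),
    "ciso": frozenset({"network.segment", "comms.publish"}),
    "legal": frozenset(),   # holds DoA for PII release but no export permission
}


@dataclass(frozen=True)
class Decision:
    status: str   # authorized | no_matching_row | no_available_authority | missing_rbac
    action: str
    severity: str
    authorizer: Optional[str] = None
    notify: Tuple[str, ...] = ()
    reason: str = ""


def select_row(action: str, severity: str) -> Optional[DoAEntry]:
    """Pick the most specific row (highest severity floor) covering this action and severity."""
    level = SEVERITY[severity]
    rows = [r for r in DOA_MATRIX if r.action == action and r.severity_floor <= level]
    return max(rows, key=lambda r: r.severity_floor) if rows else None


def resolve(action: str, severity: str, available: Dict[str, bool],
            rbac: Dict[str, FrozenSet[str]]) -> Decision:
    """Resolve who may authorize `action` at `severity`.

    Delegation follows the row's fallback order and is triggered only by
    unavailability. A holder who is present but lacks the RBAC permission is
    reported as a gap rather than skipped: DoA without RBAC cannot be executed,
    and silently moving authority would hide the misconfiguration.
    """
    row = select_row(action, severity)
    if row is None:
        return Decision("no_matching_row", action, severity,
                        reason="no DoA row covers this action at this severity; escalate")
    for role in (row.authority, *row.delegates):
        if not available.get(role, False):   # unknown roles count as unavailable
            continue
        if row.permission not in rbac.get(role, frozenset()):
            return Decision("missing_rbac", action, severity, authorizer=role,
                            reason=f"{role} holds DoA but lacks RBAC permission {row.permission}")
        return Decision("authorized", action, severity, authorizer=role, notify=row.notify)
    return Decision("no_available_authority", action, severity,
                    reason="neither holder nor delegates available; escalate up the chain")


def audit_record(decision: Decision, rationale: str,
                 now: Optional[datetime] = None) -> Dict[str, object]:
    """Documentation requirement: record who decided what, when, and why."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {"timestamp": stamp, "action": decision.action, "severity": decision.severity,
            "status": decision.status, "authorizer": decision.authorizer,
            "notified": list(decision.notify), "rationale": rationale}


if __name__ == "__main__":
    # Constructed scenario: data exfiltration from a critical system, CISO unreachable.
    on_call = {"lead_incident_responder": True, "soc_manager": True, "ciso": False}
    d = resolve("isolate_system", "extreme", on_call, SAMPLE_RBAC)
    print(audit_record(d, "confirmed data exfiltration from production database"))
```

The design choice worth noting is that delegation is keyed on availability only: when the authorized holder is present but lacks the technical permission, the resolver returns a `missing_rbac` finding instead of quietly handing the decision to the next delegate, so the RBAC gap surfaces during a tabletop exercise or review rather than in the middle of an incident.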

Conclusion

In the ever changing field of cybersecurity and IT, where a quick response is often the difference between success and failure, a well defined Delegation of Authority (DoA) is not merely a best practice but a strategic requirement. By putting in place an IT Delegation of Authority Process Playbook, organizations empower their teams, define what is to be done and by whom, and ensure that key decisions are made in a timely and accurate fashion.

Understanding the difference between DoA and role based access is fundamental to building a strong framework. While RBAC deals with technical permissions, DoA is about the authority to act and to authorize; together they create a robust operating structure. Investment in a complete DoA framework for cybersecurity and incident handling improves an organization’s defenses, reduces operational friction, increases accountability, and ensures that when the cyber attack does come, the response is not confusion but confident, delegated action.