WEBVTT

0:00:03.900000 --> 0:00:08.320000
 The incident response
 responsibility matrix.

0:00:08.320000 --> 0:00:15.520000
 So now that we have an idea of the
 various roles and responsibilities

0:00:15.520000 --> 0:00:20.140000
 within an incident response team as well
 as the different types of incident

0:00:20.140000 --> 0:00:25.260000
 response teams, it's time to turn our
 attention to something very, very

0:00:25.260000 --> 0:00:31.440000
 important when it comes to the process
 of developing or maturing an incident

0:00:31.440000 --> 0:00:34.840000
 response team or the process as a whole.

0:00:34.840000 --> 0:00:41.960000
 And that is the responsibility matrix
 or simply put clearly defining and

0:00:41.960000 --> 0:00:47.120000
 understanding who is responsible for
 what aspect of the incident response

0:00:47.120000 --> 0:00:48.980000
 process or life cycle.

0:00:48.980000 --> 0:00:52.140000
 So that begs the question, right?

0:00:52.140000 --> 0:00:57.520000
 If it isn't obvious already, and that
 is why roles and responsibilities

0:00:57.520000 --> 0:01:03.160000
 matter. So when responding to security
 incidents, time is critical or

0:01:03.160000 --> 0:01:08.920000
 is of essence. And in addition to that,
 so is clarity of responsibility.

0:01:08.920000 --> 0:01:15.160000
 So time is important as well as
 who exactly is responsible.

0:01:15.160000 --> 0:01:19.660000
 Now, without clearly defined roles and
 responsibilities, even a well prepared

0:01:19.660000 --> 0:01:30.020000
 organization can, and
 you know, a response.

0:01:30.020000 --> 0:01:35.520000
 So as a result of that, defining who
 is responsible, who is accountable,

0:01:35.520000 --> 0:01:40.760000
 and who needs to be consulted or informed
 ensures that every action is

0:01:40.760000 --> 0:01:43.540000
 deliberate, timely and effective.

0:01:43.540000 --> 0:01:48.240000
 This in turn reduces overlap, which is,
 you know, big thing or, you know,

0:01:48.240000 --> 0:01:52.500000
 something that usually happens within
 teams, eliminates gaps and enables

0:01:52.500000 --> 0:01:56.120000
 teams to work together efficiently
 under pressure.

0:01:56.120000 --> 0:01:59.720000
 In the next set of slides, we're going
 to explore how clearly assigning

0:01:59.720000 --> 0:02:04.740000
 responsibilities using frameworks like
 the RACI framework, which I'll

0:02:04.740000 --> 0:02:09.060000
 explain shortly, can enhance communication,
 streamline decision making,

0:02:09.060000 --> 0:02:13.860000
 and ultimately lead to a faster,
 more efficient incident response.

0:02:13.860000 --> 0:02:18.000000
 So that brings us to the RACI
 responsibility matrix.

0:02:18.000000 --> 0:02:22.600000
 Now, before I even get started with
 this, I just want to point out that

0:02:22.600000 --> 0:02:28.600000
 there are, you know, other responsibility matrices
 that can be used or frameworks

0:02:28.600000 --> 0:02:34.020000
 as it were. The only reason I'm sort
 of using the RACI framework is

0:02:34.020000 --> 0:02:38.580000
 primarily because it applies really
 well, especially in the context of

0:02:38.580000 --> 0:02:40.080000
 an incident response team.

0:02:40.080000 --> 0:02:43.380000
 But with that being said,
 let's get started.

0:02:43.380000 --> 0:02:45.580000
 So what is RACI?

0:02:45.580000 --> 0:02:52.560000
 RACI is an abbreviation for, you know,
 responsible, accountable, consulted,

0:02:52.560000 --> 0:02:56.920000
 informed. So it's a widely utilized responsibility
 assignment matrix that

0:02:56.920000 --> 0:03:02.400000
 helps organizations clearly define who
 is involved in what when it comes

0:03:02.400000 --> 0:03:08.140000
 to completing tasks, making decisions
 or even executing processes, such

0:03:08.140000 --> 0:03:12.380000
 as, you know, an example of that is an
 incident response team or the incident

0:03:12.380000 --> 0:03:13.520000
 response process.

0:03:13.520000 --> 0:03:16.820000
 So as I said, RACI is an abbreviation.

0:03:16.820000 --> 0:03:20.000000
 So R, meaning responsible,
 what does that mean?

0:03:20.000000 --> 0:03:25.480000
 Well, this is referring to the person
 or role who performs the work or

0:03:25.480000 --> 0:03:29.520000
 the task. And it's very important to note
 that there can be multiple people

0:03:29.520000 --> 0:03:31.560000
 responsible for executing the task.

0:03:31.560000 --> 0:03:35.600000
 So let's say, you know, we had a grid
 and I'll actually show you what

0:03:35.600000 --> 0:03:39.300000
 it looks like. And it said, you know,
 who is responsible for triage.

0:03:39.300000 --> 0:03:45.960000
 In the case of the SOC tier one analyst,
 the R would be annotated in accordance

0:03:45.960000 --> 0:03:50.480000
 with that particular role, therefore
 telling you that the SOC tier one

0:03:50.480000 --> 0:03:54.020000
 analyst as an example is
 responsible for triage.

0:03:54.020000 --> 0:03:55.700000
 We then have accountable.

0:03:55.700000 --> 0:04:00.500000
 This is referring to the person that
 is ultimately answerable for the

0:04:00.500000 --> 0:04:03.260000
 task being completed correctly
 and thoroughly.

0:04:03.260000 --> 0:04:07.340000
 And in this case, only one person should
 be accountable for each task.

0:04:07.340000 --> 0:04:12.980000
 So in this case, you're really looking
 at, you know, as an example, the

0:04:12.980000 --> 0:04:17.620000
 incident response manager or team lead
 who is accountable for the entire,

0:04:17.620000 --> 0:04:19.880000
 you know, incident response process.

0:04:19.880000 --> 0:04:21.260000
 They're accountable, right?

0:04:21.260000 --> 0:04:24.880000
 You then have consulted, which can
 be a little bit confusing, but it's

0:04:24.880000 --> 0:04:26.540000
 fairly simple to understand.

0:04:26.540000 --> 0:04:31.420000
 In this case, it's referring to the individuals
 who provide input guidance

0:04:31.420000 --> 0:04:33.240000
 or expertise during the task.

0:04:33.240000 --> 0:04:36.080000
 And of course, this will involve
 a two way communication.

0:04:36.080000 --> 0:04:42.900000
 So think of specialist roles like, you
 know, for example, threat hunters,

0:04:42.900000 --> 0:04:47.240000
 digital forensic specialists or digital
 forensic analysts as it were.

0:04:47.240000 --> 0:04:48.740000
 And then you have informed.

0:04:48.740000 --> 0:04:53.200000
 So these are individuals who are kept
 updated on progress or outcomes.

0:04:53.200000 --> 0:04:56.620000
 And they are not directly involved,
 but need to know.

0:04:56.620000 --> 0:04:59.740000
 So that means, you know, this
 is a one way communication.

0:04:59.740000 --> 0:05:03.440000
 So what are the benefits of
 using RACI as a framework?

0:05:03.440000 --> 0:05:08.580000
 Well, firstly, it eliminates ambiguity
 about who is doing what.

0:05:08.580000 --> 0:05:13.720000
 Secondly, improves accountability across
 cross functional teams and ensures

0:05:13.720000 --> 0:05:17.900000
 nothing falls through the cracks
 during time sensitive operations.

0:05:17.900000 --> 0:05:21.800000
 It, of course, simplifies or streamlines
 communication during complex

0:05:21.800000 --> 0:05:24.040000
 or high stress incidents.

0:05:24.040000 --> 0:05:28.040000
 And finally, aligns everyone involved
 in the incident response process,

0:05:28.040000 --> 0:05:34.180000
 that being or those being the technical
 team, legal, PR and leadership.

0:05:34.180000 --> 0:05:36.320000
 So very, very important.

0:05:36.320000 --> 0:05:42.680000
 So that begs the question again, why
 a RACI matrix is important or is

0:05:42.680000 --> 0:05:45.640000
 useful, you know, in incident response?

0:05:45.640000 --> 0:05:50.100000
 Well, as you already know, or, you know,
 probably would have, you know,

0:05:50.100000 --> 0:05:53.800000
 you're able to tell by this point,
 incident response is often complex,

0:05:53.800000 --> 0:05:59.780000
 fast paced and involves multiple teams
 ranging from SOC analysts and

0:05:59.780000 --> 0:06:03.740000
 IT staff to legal, PR and
 executive leadership.

0:06:03.740000 --> 0:06:08.900000
 Now, you know, if you think about it,
 without clearly defined roles, the

0:06:08.900000 --> 0:06:12.400000
 obvious result of that will
 be confusion and delays.

0:06:12.400000 --> 0:06:17.340000
 So, you know, it should be confusion
 and delays will occur as opposed

0:06:17.340000 --> 0:06:22.240000
 to can. But more importantly, they can
 occur at the worst possible time.

0:06:22.240000 --> 0:06:25.920000
 And this is where the RACI
 matrix becomes invaluable.

0:06:25.920000 --> 0:06:30.440000
 So a RACI matrix brings structure, clarity
 and accountability to incident

0:06:30.440000 --> 0:06:34.300000
 response. It ensures the right
 people are involved.

0:06:34.300000 --> 0:06:38.380000
 And this is the key at the right time,
 you know, it reduces confusion,

0:06:38.380000 --> 0:06:43.060000
 improves response speed and helps organizations
 learn and improve after

0:06:43.060000 --> 0:06:47.520000
 an incident. So let's go through
 some of these benefits.

0:06:47.520000 --> 0:06:50.300000
 And don't worry, I'll show you
 what a RACI matrix looks like.

0:06:50.300000 --> 0:06:54.860000
 So when it comes down to one of the
 first benefits, you know, of a RACI

0:06:54.860000 --> 0:06:58.260000
 matrix, especially in the context of
 incident response, it's, you know,

0:06:58.260000 --> 0:07:00.800000
 going to be clarifying roles
 and responsibilities.

0:07:00.800000 --> 0:07:05.320000
 So the key, you know, objective or the
 key outcome here is that everyone

0:07:05.320000 --> 0:07:07.240000
 knows what they're expected to do.

0:07:07.240000 --> 0:07:12.240000
 So a RACI matrix removes ambiguity
 by clearly identifying who is doing

0:07:12.240000 --> 0:07:17.280000
 the work, so responsible; who is ultimately
 in charge, accountable; who

0:07:17.280000 --> 0:07:22.920000
 should be consulted for advice or approval,
 that's consulted; and then who

0:07:22.920000 --> 0:07:26.840000
 needs to be informed of progress
 or outcomes that's informed.

0:07:26.840000 --> 0:07:29.400000
 So, you know, very, very comprehensive.

0:07:29.400000 --> 0:07:33.220000
 And what this does is it ensures that
 tasks or, you know, activities or

0:07:33.220000 --> 0:07:38.700000
 processes do not fall through the cracks
 or, and this is very important,

0:07:38.700000 --> 0:07:41.380000
 there's no duplication of work or effort.

0:07:41.380000 --> 0:07:44.820000
 So you don't have, you know, two different
 individuals doing the same

0:07:44.820000 --> 0:07:47.820000
 thing. And the only reason they're doing
 it is because they didn't know

0:07:47.820000 --> 0:07:49.720000
 someone else was doing it.

0:07:49.720000 --> 0:07:53.860000
 So, you know, everyone needs to know
 what they're responsible for.

0:07:53.860000 --> 0:07:59.520000
 And more importantly, you know, who
 is in charge, who should or can be

0:07:59.520000 --> 0:08:02.080000
 consulted for advice or approval.

0:08:02.080000 --> 0:08:07.340000
 And again, it's equally as important
 who needs to be informed of progress

0:08:07.340000 --> 0:08:13.940000
 or outcomes. So now let's take a look at,
 you know, how it improves coordination

0:08:13.940000 --> 0:08:18.920000
 across teams. So the key outcome here
 is that it streamlines collaboration,

0:08:18.920000 --> 0:08:23.380000
 you know, across technical and, of
 course, non-technical functions.

0:08:23.380000 --> 0:08:24.840000
 That's quite important.

0:08:24.840000 --> 0:08:28.100000
 So incident response as we've gone
 through this, you know, we've gone

0:08:28.100000 --> 0:08:32.500000
 through this already, often involves
 cross-functional teams.

0:08:32.500000 --> 0:08:37.580000
 So examples of that are, you know, SOC
 or IR team, that's technical response.

0:08:37.580000 --> 0:08:41.660000
 IT operations, typically
 containment and recovery.

0:08:41.660000 --> 0:08:45.540000
 You then have legal who deal with compliance
 and breach notification,

0:08:45.540000 --> 0:08:50.200000
 PR, you know, public communication,
 HR, typically insider threats,

0:08:50.200000 --> 0:08:53.560000
 executives for approval or oversight.

0:08:53.560000 --> 0:08:58.700000
 So RACI essentially, you know, clarifies
 or makes it clear everyone knows

0:08:58.700000 --> 0:09:06.880000
 when and how to engage, you know, with
 either within a team or, you know,

0:09:06.880000 --> 0:09:09.860000
 across teams. So very, very important.

0:09:09.860000 --> 0:09:15.920000
 And then, of course, the third benefit
 of, you know, the RACI matrix in

0:09:15.920000 --> 0:09:19.560000
 the context of IR, but also widely
 speaking, it's not just limited to

0:09:19.560000 --> 0:09:24.140000
 incident response, is that it
 speeds up decision making.

0:09:24.140000 --> 0:09:28.940000
 So the key outcome here is that it removes
 delays caused by unclear ownership

0:09:28.940000 --> 0:09:33.940000
 of tasks. So when dealing with high pressure
 incidents, as I've mentioned,

0:09:33.940000 --> 0:09:35.860000
 time is of the essence.

0:09:35.860000 --> 0:09:40.300000
 And the RACI matrix identifies who is
 authorized to make key decisions,

0:09:40.300000 --> 0:09:46.040000
 so who is accountable, so that teams aren't
 waiting on unnecessary approvals

0:09:46.040000 --> 0:09:50.700000
 or second-guessing their actions, which
 is, you know, this usually causes

0:09:50.700000 --> 0:09:52.820000
 a lot of lethargy.

0:09:52.820000 --> 0:09:56.580000
 And what ends up happening is things
 fall through the cracks, because

0:09:56.580000 --> 0:10:01.200000
 no one knows who is supposed to, you
 know, approve something or who is

0:10:01.200000 --> 0:10:04.920000
 supposed to make a key decision about
 what to do next, et cetera.

0:10:04.920000 --> 0:10:07.480000
 So it speeds up decision making.

0:10:07.480000 --> 0:10:11.420000
 And of course, it also supports
 regulatory compliance.

0:10:11.420000 --> 0:10:15.380000
 So the outcome here is that it ensures
 the right people are involved in

0:10:15.380000 --> 0:10:18.260000
 breach handling and reporting, because
 you don't want the wrong people

0:10:18.260000 --> 0:10:19.220000
 involved in that.

0:10:19.220000 --> 0:10:23.980000
 So, you know, for compliance with regulations
 like GDPR, HIPAA or PCI

0:10:23.980000 --> 0:10:28.980000
 DSS, it's essential to involve the correct
 stakeholders at the right time.

0:10:28.980000 --> 0:10:33.580000
 And RACI ensures that A, legal teams are
 consulted when needed, B, reporting

0:10:33.580000 --> 0:10:37.900000
 obligations are not missed, and C,
 incident documentation is thorough

0:10:37.900000 --> 0:10:43.220000
 and complete. All right, so now that
 you know what a RACI matrix is and

0:10:43.220000 --> 0:10:48.800000
 you sort of understand how or why it's
 important or can be useful, you

0:10:48.800000 --> 0:10:53.920000
 know, in incident response or in developing
 incident response capabilities,

0:10:53.920000 --> 0:10:57.720000
 you may have been asking what exactly
 does this matrix look like?

0:10:57.720000 --> 0:10:59.020000
 What does it look like?

0:10:59.020000 --> 0:11:03.260000
 So this is an example of an incident
 response RACI matrix.

0:11:03.260000 --> 0:11:06.760000
 Now, the reason we're not going through
 the process of creating one ourselves

0:11:06.760000 --> 0:11:11.080000
 is because this is, you know, always going
 to be defined by the organization.

0:11:11.080000 --> 0:11:15.260000
 I can't, there's no predefined standard
 as to who should be doing what,

0:11:15.260000 --> 0:11:19.200000
 because different organizations have
 different types of teams that have

0:11:19.200000 --> 0:11:23.020000
 different numbers of individuals or
 specializations, and you know, they

0:11:23.020000 --> 0:11:27.040000
 have different models of incident response
 teams, as you already know.

0:11:27.040000 --> 0:11:32.640000
 So it's a very esoteric thing, or it's
 something that, again, will be

0:11:32.640000 --> 0:11:35.800000
 tailored to the organization's
 needs, right?

0:11:35.800000 --> 0:11:37.920000
 And, you know, the staff that they have.

0:11:37.920000 --> 0:11:43.020000
 So I've just set up one here in an image,
 and you can see what I've used

0:11:43.020000 --> 0:11:45.500000
 primarily for response.

0:11:45.500000 --> 0:11:49.000000
 I've sort of limited it to the incident
 response process, and I've outlined

0:11:49.000000 --> 0:11:51.240000
 the different phases.

0:11:51.240000 --> 0:11:55.920000
 So, you know, preparation, detection
 and analysis or identification.

0:11:55.920000 --> 0:12:01.600000
 In this case, I sort of used the SANS
 process or phase names, and then

0:12:01.600000 --> 0:12:03.420000
 containment, eradication, recovery.

0:12:03.420000 --> 0:12:07.040000
 So I wanted a bit of granularity so that,
 you know, and this is something

0:12:07.040000 --> 0:12:08.380000
 that's very important.

0:12:08.380000 --> 0:12:11.840000
 You never want to sort of combine containment,
 eradication and recovery

0:12:11.840000 --> 0:12:17.500000
 at least at this level, and then say, and
 then start applying responsibilities.

0:12:17.500000 --> 0:12:23.180000
 So on the left here, or the left-most
 column, you have some roles that

0:12:23.180000 --> 0:12:27.220000
 I've sort of defined here, like the incident
 response manager, SOC analyst,

0:12:27.220000 --> 0:12:31.200000
 incident responder, IT specialist,
 management, legal, etc.

0:12:31.200000 --> 0:12:35.220000
 And with this grid, you sort of get
 to determine or you get to set or

0:12:35.220000 --> 0:12:41.700000
 specify who is either responsible,
 accountable, consulted, or informed

0:12:41.700000 --> 0:12:46.300000
 about, you know, each of these phases
 or, you know, in relation to each

0:12:46.300000 --> 0:12:47.180000
 of these phases.

0:12:47.180000 --> 0:12:50.220000
 So in the case of the incident response
 manager, they are accountable

0:12:50.220000 --> 0:12:54.640000
 for all phases. So you can see preparation,
 identification, containment,

0:12:54.640000 --> 0:12:56.300000
 eradication, and recovery.

0:12:56.300000 --> 0:13:02.780000
 The incident responder is consulted in
 the case of, you know, the phases,

0:13:02.780000 --> 0:13:04.580000
 preparation, and identification.

0:13:04.580000 --> 0:13:09.320000
 However, they're responsible for containment,
 eradication, and recovery.

0:13:09.320000 --> 0:13:10.500000
 Of course, this is an example.

0:13:10.500000 --> 0:13:15.160000
 I'm not saying this is what, you know,
 an actual, you know, responsibility

0:13:15.160000 --> 0:13:19.220000
 matrix would look like, or a RACI matrix
 for that matter, where you can

0:13:19.220000 --> 0:13:24.880000
 see that management are kept informed,
 you know, on all phases, or in

0:13:24.880000 --> 0:13:28.760000
 reference to all phases, and then legal
 are kept informed for preparation,

0:13:28.760000 --> 0:13:34.580000
 identification, and then containment,
 eradication, recovery, consulted.

0:13:34.580000 --> 0:13:39.540000
 So hopefully this makes sense to you,
 and you can start to see how important

0:13:39.540000 --> 0:13:42.940000
 this is. And again, this
 is a very basic example.

0:13:42.940000 --> 0:13:46.340000
 There's many, you know, resources and
 templates that you can, you know,

0:13:46.340000 --> 0:13:48.100000
 you can find online.

0:13:48.100000 --> 0:13:53.160000
 Of course, the starting point I would
 recommend is the Wikipedia, the

0:13:53.160000 --> 0:13:58.880000
 RACI matrix Wikipedia page, which will
 sort of explain the RACI matrix in

0:13:58.880000 --> 0:14:02.820000
 its entirety, although I think
 I have done it quite well.

0:14:02.820000 --> 0:14:06.680000
 And, you know, it's not just for incident
 response or cybersecurity or

0:14:06.680000 --> 0:14:07.720000
 technology teams.

0:14:07.720000 --> 0:14:11.540000
 It can be applied to anything really,
 or to any organization.

0:14:11.540000 --> 0:14:16.600000
 So even if you're trying to sort of
 identify and define responsibilities

0:14:16.600000 --> 0:14:21.100000
 for, you know, employees in a small
 organization, this can work.

0:14:21.100000 --> 0:14:24.980000
 So you can say someone is responsible
 for sales, who is responsible for

0:14:24.980000 --> 0:14:30.240000
 marketing, who should be consulted,
 for marketing, you know, who should

0:14:30.240000 --> 0:14:31.100000
 be kept informed.

0:14:31.100000 --> 0:14:35.860000
 It's a really extremely powerful tool
 and it'll change the way you actually

0:14:35.860000 --> 0:14:42.520000
 see or the way you actually measure,
 define and measure your team and

0:14:42.520000 --> 0:14:47.320000
 you're able to identify areas of, you
 know, gray areas that you may not

0:14:47.320000 --> 0:14:48.580000
 have been sure of.

0:14:48.580000 --> 0:14:51.820000
 So with that being said, that's
 going to be it for this video.

0:14:51.820000 --> 0:14:54.200000
 And I will be seeing you
 in the next video.

