NCSC - Validate/update our runbooks to cover how to handle security incident alerts

[SimonPPledger]

User Story

Following on from the review by NCSC, we need to know what to do in the case of a security incident, including:

• how to potentially revoke IAM and network access (we already have processes for this )
• how and what we communicate
• where we raise any subsequent ticket (eg should we use modernisation-platform or modernisation-platform-security.

Value / Purpose

This helps to minimise impact of any security threats by enabling us to respond quickly

Useful Contacts

No response

Additional Information

No response

Definition of Done

• [x] Review any existing document
• [x] Update any existing documents
• [ ] To be reviewed by team
• [x] Raise a new ticket to test the process

[ep-93]

Incident runbook is here - https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/manage-an-incident.html#incident-process

Will update

[ep-93]

how to potentially revoke IAM and network access -

IAM - https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/revoking-user-access.html

Network - https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/revoke-network-access.html

how and what we communicate - https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/manage-an-incident.html

where we raise any subsequent ticket - I have added links to mod platform security repo incident raising, and raised a test issue as asked.

[ep-93]

Test issue raised - https://github.com/ministryofjustice/modernisation-platform-security/issues/21

[mikereiddigital]

No team review has been undertaken but this can be organised separately. I will raise a follow-on ticket to cover this as @ep-93 is away on leave.