Documentation fundamentals
1. Documentation fundamentals
Documentation is critical to the quality of cloud security for any organization. In a security context, key documentation includes precise and accurate incident reports, evidence logs, and action plans. These documents are foundational to the cybersecurity integrity of organizations across all industries. In this video, you’ll learn the fundamentals of documentation so you can be prepared for your role as a security professional. Documentation provides insight into what has happened in the past, direction on what to do now, and what should be done in the future. Well-documented incidents serve as teaching tools for future events that enable you and your team to improve processes, playbooks, and security posture to adapt to increasing threats. There are a few types of security documentation you’ll learn more about shortly. These include incident reports, evidence logs, action plans, playbooks, and logbooks. Security operations teams commonly record evidence in these documents. As a security professional, you’ll find common types of information in the documents you'll encounter. Similar types of information might include system events, timestamps, conversations, and changes observed during the incident investigation. And in high-quality documentation, the information is accurate, clear, consistent, and timely. Documentation is also essential for preserving evidence for the purposes of legal investigation. Information like file access and integrity, chain of custody, and actions taken are all critical to maintaining the integrity of the evidence. In the example of digital forensics, files are very easy to change. To maintain the integrity of files so they can be used in legal proceedings, evidence handlers must carefully document the details of the file including how it was created, how it was secured, when it was transferred to law enforcement, and more. Preservation of evidence is also critical when the incident documentation includes sensitive information like system vulnerabilities, recent security breaches, and users with elevated privileges. All of your documented evidence needs to be preserved. The quality and integrity of your documentation will determine whether or not it can be used in the incident investigation. As a security professional, Google Cloud is a useful tool for preserving evidence. Google Cloud provides secure evidence storage solutions that depend on proper authorization and access privileges. BigQuery and Chronicle SIEM use secure identity and access management to ensure evidence preservation. Whether they're large datasets that need to be analyzed or logs that need to be aggregated and correlated, that evidence is preserved within those platforms. In addition to preserving documentation, teams use documentation to help guide their operations. A playbook is a manual that provides details about any operational action. By using secured services and tools that work alongside the well-defined procedures and processes in playbooks, security teams improve the likelihood for success when responding to incidents. Now, let's explore those tools in an example. Imagine you’re investigating unauthorized access to a Google Cloud Storage bucket. First, you create an incident report with the initial events, their timestamps, and all impacted systems. Next, you document the evidence, including logs from Cloud Logging, and store them securely. Finally, you put a plan into action to mitigate the incident's impact, ensuring that the team has access to your findings. Throughout the investigation, you communicate with your team along the way. By applying this best practice, you ensure that everyone is aware of what’s happening and can act quickly. By understanding and applying the fundamentals of documentation in an incident investigation, and using tools to help secure and preserve your documentation, you will set up your team for success.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.