Lesson 17 of 33
In Progress

Communication Process

1                  Introduction

1.1              Purpose

This document describes the overall process and spectrum of responsibility that the KPMG Global GSOC (GSOC) will adhere to while communicating with the external entities in case of incidents of evident concern and also as part of standard operations.

1.2              Scope

This document covers the Communication process for the KPMG Global GSOC to communicate with external entities.

1.3              Ownership

The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the Global GSOC Manager.

1.4              Audience

The intended audience for this document is the KPMG GSOC personnel.

1.5              Change Management Cycle

The document must be reviewed periodically in line with the Document Management Process.

1.6              Exceptions

All requests for exceptions to processes contained within this document should be directed to the Global GSOC Manager who, depending on the nature and the scope of the request, may liaise with the wider Security Management Team / Security Board to authorize or reject the request. Any such exceptions should be deemed valid only if granted in writing (e.g. communicated via email) and are valid for a period of maximum of 1 year only when they will automatically expire unless extended or renewed in the interim.  Only one extension is permitted which is allowed for a maximum of half the time of the original authorisation.

1.7              Reporting Violations

Any violations to this policy should be reported directly to the following email address:

<< GSOC -Manager@kpmg.com >>

1.8              Key Definitions

There are no specific definitions introduced within this document.

2                  Communications Process

2.1              Process Overview

This document is a process guide and aims to serve as a reference for KPMG GSOC personnel to adhere to while communicating with external parties.

The scope of communications include any direct or indirect contact that is required to be made with entities outside the KPMG GSOC and the corresponding roles within the GSOC that are responsible for these communication interfaces. The document does not include internal communications as they are covered under the Triage and the Escalation processes.

The document includes a Responsibility Assignment Matrix to elaborate the flow and content of information between the GSOC and the external entities including the associated procedures.

2.2              Communication Risks

Inadequate or inappropriate communication runs the risk of wrong message being delivered or the correct message being misunderstood. Due diligence must be performed before releasing any information – the standard communication process covers all normal scenarios and the GSOC Manager, GSOC Assistant Manager and Level 3 Analyst(s) in their stated order are responsible for authorizing action for any adhoc scenarios. A few such non-exhaustive examples are provided below for reference purposes only:

2.3              Communication Audit Trail

It must be ensured that an auditing process is maintained for all communications. RSA Archer SecOps maintains an audit trail for all communications by default. An audit trail must be maintained for all communication performed outside the bounds of RSA Archer SecOps by following up all in-person dialogues and telephone conversations through an email and attaching a copy of that email to the corresponding Security Incident within SecOps, where possible. RSA Archer SecOps notes capability is utilised, where appropriate, to directly record follow up conversations and actions.

2.4              Communication Channels

The details of the communications channels pertaining to GSOC reporting is covered in detail within the Reporting Process. The following matrix is provided for guidance only to provide an understanding of the likely channel to be utilised for communication under certain scenarios:

RSA Archer SecOpsSecurity Incident Logging, Notification, Investigation Support, Remediation Support, Operational Metrics, Incident Detection Service Report, Content Changes, etc.
Microsoft SharePointGSOC Security Report, Threat Advisory, Attack Spot Report, Threat Landscape Report, etc.
EmailInvestigation Support, Threat Advisory, Attack Spot Report, Threat Landscape Report, Communication with CISOs and NITSOs, Corporate Communications, Advisory Consultancy to Change Authorisation Board, etc.
TelephoneIncident Logging, Investigation Support, Remediation Support, Communication with CISOs and NITSOs, Corporate Communications, Advisory Consultancy to Change Authorisation Board, etc.

2.5              Classification

The requirements for the handling of communications produced by the GSOC follows the standard KPMG information classification methodology, reflected within the following matrix:

KPMG PublicNot applicable to GSOC
KPMG ConfidentialAll communications produced by the GSOC are by default classified as KPMG Confidential. This is in line with the KPMG Information Classification Policy. The examples of information includes:
KPMG Highly ConfidentialAll reports and communications produced by the GSOC for the following are explicitly classified as Highly Confidential:

2.6              Release Authorisation

The release authorisation for any GSOC communication is driven by the corresponding Information Classification attached to the artefact. The information classification for each communication artefact is proposed by the corresponding Analyst and agreed by the Assistant GSOC Manager. For regular communications and automated reports, the classification will be agreed in advance at the time of their design and implementation. Ad-hoc communications including specific Threat Intelligence will require classification prior to circulation.

The following matrix provide another perspective into various types of information elements that are to be shared by the GSOC based on the Member Firms need. Some of the elements, for example, are compulsory to be shared with the Member Firms while in other cases the information need to be filtered before it can make its way outside the GSOC. Following are a few examples of such information elements along with their default implications. Please note these default implications may be overridden through appropriate consultation on need basis as defined within the matrix below:

ActionInformation Elements
Always CommunicateThe default position for standard updates – such as standard Threat Intelligence, Regular pre-approved reports, updates on P2 or higher incidents, GSOC Service Performance, Planned service outages, etc.
Never CommunicateThe default position for items of highly sensitive nature – such as Advanced Persistent Threat related information, Suspected data breach information, etc. The default position can be overridden under special circumstances through authorization, e.g. when APT has a potential to compromise a Member Firm.
Seek GuidanceIncludes item that refer to borderline cases, e.g. filtered APT related TI which may be the root-cause of a problem at a Member firm.

2.7              Roles

The following roles have responsibility for elements of this process.  Please note that these are not comprehensive listing of responsibilities of each of the following roles, but only represent high level role specific responsibilities to support the Communication process.

A broader description about each of the role within the Communications process is provided below.

2.7.1          Level 1 Analysts

2.7.2          Level 2 Analysts

2.7.3          Level 3 Analysts

2.7.4          Threat Analysts

2.7.5          Tooling Engineers

2.7.6          GSOC Manager

2.7.7          GSOC Assistant Manager

3                  Appendix – Constraints and Assumptions

The GSOC Communication Process will continuously evolve overtime to ensure it stays current with the ground reality to help build out GSOC capability to respond to the service Member Firms requirements as appropriate.

GSOC personnel are expected to use their best judgment when minor adaptations are needed for execution. Any significant exceptions to this process should follow the instructions in Section 2.6 (Exceptions) of this document.

The limitations recorded below persist at the time of writing this document and should be reviewed as the KPMG GSOC matures and certain constraints change or assumptions are disproven:

3.1.1          Malware/Forensic Analysts (Advanced L2 Analysts)

3.1.2          GSOC Service Desk Personnel