Incident Management for Regulated Industries

Being on-call is already a demanding and sometimes very unforgiving responsibility. If you are working in a regulated industry, however, the demands that incident management places on your organization are likely to be even greater and even less forgiving. In this article, we’ll discuss some of the basic principles of software-related incident management in regulated industries.

Incidents, Regulations, and Compliance

First, however, let’s take a quick look at what a software-related incident means in a regulated industry. If you were to ask most people in software development or IT to define “incidents”, they may talk about them in terms of downtime or poor application response time. Another important factor could be security — break-ins, data theft, failure to protect sensitive data, etc. 

But in regulated industries, the term “incident” has a scope that goes far beyond downtime and security issues; it can be anything which places the organization or its products or services out of compliance with regulations. For a water company, that might be the presence of E. coli bacteria in the water supply. For a bank, it could be the loss of customer financial data. For a hospital, it could be the failure of critical life-support systems. Incidents involving public safety, the loss of crucial data, or interruption of key services, when regulatory compliance is at stake, may be at least as important as those involving ordinary downtime.

Compliance — What’s at Stake

One of the most fundamental issues for any organization involved in a regulated industry is the need to stay in compliance with applicable regulations. Depending on the industry and the nature of the incident, being out of compliance can result in:

  • Fines, fees, or other civil or administrative penalties
  • Lawsuits or other legal action by organizations or individuals affected by the incident
  • Suspension or loss of licenses or other certification required to work in the industry
  • Loss of reputation within the industry or in the eyes of the general public
  • In extreme cases, criminal charges, conviction, and jail time for the responsible individuals

In other words, the stakes can be very high; you do not want to be in the position of explaining your incident management procedures to a judge.

Necessary and Best Practices

How do you manage incidents under such strict conditions? The best incident management is prevention — to take care of all potential incidents before they become compliance issues. That isn’t always possible under real-world conditions, so it is important to have incident-response plans which meet both legal requirements and practical necessities. To do this, it’s important to take into account the following factors:

  • Regulatory requirements and guidelines. Always follow regulatory agency requirements with regard to incident management, prevention, and response. These vary, depending on the industry and the agency involved, but they will often include a formal incident response plan, an IT incident response team, and formal documentation of incident response procedures and actions. 

Organizations operating under the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), for example, must have a documented security-response plan and a response team; the Federal Information Security Management Act (FISMA) likewise includes detailed incident management and response guidelines for federal agencies. Find out which agencies and which requirements your organization is subject to, if you do not already know, and make sure that you are in complete compliance with all requirements.

  • Industry guidelines and best practices. These also vary, depending on the industry. An industry-wide professional organization will often be able to provide a set of recommended practices.

If there are no specific guidelines for your industry, the Common Criteria and Common Evaluation Method documents provide a useful framework for understanding general IT security and public-safety issues.

General Considerations

There are some basic considerations which apply to all regulated industries and all regulatory frameworks:


Identify all sensitive systems (applications, networks, services, etc.) in which a failure or other malfunction could lead directly or indirectly to a compliance problem. A database containing client medical records, for example, or a program that manages the distribution of power for a public utility, is likely to fall under this heading. Your company’s bookkeeping software, as important as it may be, is probably not a sensitive system in this context.


Your first line of incident management defense is to prevent any of the systems which you have identified as sensitive from even approaching a state of failure. This means that your incident response team should be alerted not only for any failure in these systems, but for any condition which has the potential to lead to a failure. For security-sensitive systems, this might be any activity which suggests an attempted break-in, or any degradation in performance of the security software itself. For systems where public safety is at stake, this could include any anomalous behavior in any key metric. Needless to say, prevention includes full backups of data, and where necessary, full backup systems on standby.

Catching problems before they turn into regulatory compliance failures also requires an incident response team completely in sync, armed with full context from all information sources. In these situations, every second counts! For that reason, it’s vital to have responders defined ahead of time, clear escalation policies, and access to metrics from multiple systems pulled together into a unified view of the issue.


You will in effect need to add another level of priority to your existing incident management triage, giving all compliance-related incidents overriding priority. This means that if your bookkeeping and inventory systems both crash completely, and at the same time, your medical records database starts to act like it’s just a bit under the weather, your accounting staff and warehouse crew may need to stand around until your emergency response team takes care of the database if you don’t have enough IT people on hand to attend to everything. And if public safety is involved, your response team may need to be ready to keep crucial systems going in the immediate aftermath of a major disaster.
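The alerting and triage rules described above, written as policy code. This is an added example, not code from the original post or from PagerDuty; the system names, the three event states, and the rule that a system missing from the inventory is treated as sensitive are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed inventory: True means a failure could lead to a compliance problem.
SENSITIVE = {
    "medical-records-db": True,
    "bookkeeping": False,
    "inventory": False,
}

# Event states, from early warning to outright failure (names are hypothetical).
SEVERITY = {"anomaly": 1, "degraded": 2, "failed": 3}


@dataclass(frozen=True)
class Event:
    system: str
    state: str  # one of the SEVERITY keys


def is_sensitive(system: str) -> bool:
    # Assumption: an unclassified system is treated as sensitive until someone
    # adds it to the inventory, so a gap in the inventory fails safe.
    return SENSITIVE.get(system, True)


def should_page(event: Event) -> bool:
    """Sensitive systems page on any precursor; other systems only on failure."""
    if event.state not in SEVERITY:
        raise ValueError(f"unknown state: {event.state!r}")
    return is_sensitive(event.system) or event.state == "failed"


def triage(events: list[Event]) -> list[Event]:
    """Order pages so compliance-related incidents override plain severity."""
    pages = [e for e in events if should_page(e)]
    return sorted(pages, key=lambda e: (not is_sensitive(e.system), -SEVERITY[e.state]))


# Constructed sample: the article's scenario plus an unclassified system.
SAMPLE_EVENTS = [
    Event("bookkeeping", "failed"),
    Event("inventory", "failed"),
    Event("medical-records-db", "degraded"),
    Event("inventory", "anomaly"),        # non-sensitive precursor: no page
    Event("new-billing-api", "anomaly"),  # not in the inventory: treated as sensitive
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(e.system, e.state)
```

With the sample events, the degraded medical records database is handled before the two fully crashed non-sensitive systems, and the anomaly on the non-sensitive inventory system does not page at all.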

All of this may sound formidable, and expensive as well. But the cost of a major incident can be much higher, particularly if a regulatory agency or a judge determines that your company has failed to adequately comply with regulations. The bottom line for you and your company is that preventative incident management is by far the best protection you can have.

If you’re looking for a resource to improve your incident response processes and workflows, check out our open-sourced incident response documentation as well as our financial services solutions brief for an example of how PagerDuty helps regulated industries.

The post Incident Management for Regulated Industries appeared first on PagerDuty.
