S 6.62 Specifying priorities for handling security incidents
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
According to experience, security incidents occur due to a chain of events triggered by different causes. They typically affect different business processes, applications, and IT systems, and the types of damage resulting from security incidents can also vary greatly. For this reason, it is important to specify the priorities for eliminating the problems in advance if possible. The order in which the problems should be handled depends on the priority assignment, among other things.
Furthermore, the priority assignment is also highly dependent on the conditions prevalent in the particular organisation. The following questions must be answered for priority assignment:
- Which protection requirements categories and damage scenarios are relevant for the organisation?
- What are the protection requirements of the business processes and applications? What protection requirements can then be derived for the individual IT systems, rooms, and communication links?
- In which order should the damage in each of the protection requirements categories and damage scenarios be eliminated?
- Which general internal or external conditions must be taken into account during priority assignment?
A protection requirement determination performed according to IT-Grundschutz will help to find answers to these questions. In the protection requirement determination, the potential damage is assigned to each of the damage scenarios defined, and the information and business processes relevant to the organisation are categorised according to their protection requirement (see the corresponding chapter in the IT-Grundschutz methodology in BSI Standard 100-2).
Example: The following damage scenarios are relevant:
- Violations of laws, regulations, or contracts
- Impairment of the right to informational self-determination
- Impairment of the physical integrity of a person
- Impaired performance of duties
- Negative effects on external relationships
- Financial consequences
Likewise, the protection requirements categories are defined in the framework of the protection requirements determination based on the extent of the damage caused.
Example: "Financial consequences" damage scenario
| "Financial consequences" damage scenario | |
|---|---|
| Normal protection requirement | The financial loss is acceptable to the organisation. |
| High protection requirement | The financial loss is considerable, but does not threaten the existence of the organisation. |
| Very high protection requirement | The financial loss threatens the existence of the organisation. |
Table: Financial effects of damage
These definitions must be adapted individually to the specific conditions prevalent in the organisation and specified in more detail. A loss of ¿200,000 could be relatively trivial when compared to the sales volume and IT budget in a large company, but even a loss of ¿10,000 could threaten the survival of a small organisation. It is therefore often appropriate to express the limits as percentages of total sales, total profit, or on a similar base value.
In a sample company, the following concrete specifications may have been made:
| "Financial consequences" damage scenario | |
|---|---|
| Normal protection requirement | Damage is less than 25,000 |
| High protection requirement | Damage is between 25,000 and 5,000,000 |
| Very high protection requirement | Damage is higher than 5,000,000 |
Table: Detailed specification of the financial effects of damage
Based on these categories and scenarios, it is possible to assign the priorities for the most important business processes and IT systems as described in the following. First, the damage scenarios are entered in the first column of a table. The protection requirement categories "Normal", "High", and "Very High" are then entered in the headers of the next three columns. After that, every combination of a damage scenario and a protection requirements level is assigned a priority. The priorities can be divided into the following priority classes and then assigned:
1 = Especially important
2 = Important
3 = Less important
The priority can also be assigned using a ranking system.
Example:
In this example, the organisation examined is a city administration which also offers its services to its residents on the Internet. To request services, the residents send applications via e-mail to the city administration and can monitor the processing status of their applications on the Internet. The city administration also has an Internet server offering informational services.
| Damage scenarios | Normal protection requirement | High protection requirement | Very high protection requirement |
|---|---|---|---|
| Violations of laws, regulations, or contracts | 2 | 2 | 2 |
| Impairment of the right to informational self-determination | 2 | 2 | 1 |
| Impairment of the physical integrity of a person | 2 | 1 | 1 |
| Impaired performance of duties | 3 | 3 | 2 |
| Negative effects on external relationships | 3 | 2 | 1 |
| Financial consequences | 3 | 3 | 2 |
Table: Example of how the results of prioritisation might appear where classification is used
In the first table, the priorities are classified by specifying values between 1 (Especially important) and 3 (Less important). In the second table, the priorities were specified using a ranking system in which 1 represents the highest priority with the priorities decreasing successively to the lowest ranking of 18.
| Damage scenarios | Normal protection requirement | High protection requirement | Very high protection requirement |
|---|---|---|---|
| Violations of laws, regulations, or contracts | 13 | 12 | 11 |
| Impairment of the right to informational self-determination | 8 | 6 | 3 |
| Impairment of the physical integrity of a person | 5 | 2 | 1 |
| Impaired performance of duties | 15 | 14 | 7 |
| Negative effects on external relationships | 17 | 9 | 4 |
| Financial consequences | 18 | 16 | 10 |
Table: Example of how the results of prioritisation might appear where ranking is used
The priority assignment must be approved and put into effect by the top management of the organisation. All persons required to make decisions when handling security incidents must be informed of the priority assignment.
If a security incident occurs, then the priority assignment can be used as follows. After the investigation and assessment of the security incident, the damages that could be expected are estimated. These damages can then be assigned to the damage scenarios defined. After that, the expected damage to each of the affected business processes is classified as "Normal", "High", or "Very High". From the resulting overview in the table, you can then read the order in which the damage to each of the business processes affected should be eliminated. It should be noted in this case, though, that the priorities assigned in advance can only be used as a basic guide, and it may be necessary to modify the priorities in individual cases.
Example:
In the example of a city administration provided above, suppose that a hacker was able to manipulate the information on the Internet information server to make the city administration look bad. This is noticed quickly, security management is then called in, and the damage is estimated as described above. The result is that the city administration expects the following damage:
| Damage scenarios | Normal protection requirement | High protection requirement | Very high protection requirement |
|---|---|---|---|
| Violations of laws, regulations, or contracts | S1 | ||
| Impairment of the right to informational self-determination | |||
| Impairment of the physical integrity of a person | |||
| Impaired performance of duties | S2 | ||
| Negative effects on external relationships | S3 | ||
| Financial consequences | S4 |
Table: Categorisation of the damage
The damage categories S1, ..., S4 are assigned the following priorities based on the priority assignment:
Priority classification method: S1 = 2, S2 = 3, S3 = 1, S4 = 3
Priority ranking method: S1 = 13, S2 = 15, S3 = 4, S4 = 18
Both methods make it clear that efforts for limiting damage should concentrate on the class S3 damage (Negative external effects) first before handling any other damages. In the example, the organisation could then take the manipulated Internet server off the network in order to limit the damage caused by a negative image, and then take additional measures subsequently. If the organisation had assigned the damage cause by a negative image a lower priority and placed higher priority on impairment of the ability to perform their tasks, then the organisation may not have decided to switch off the Internet server as an immediate measure.
The priorities can be specified as shown in the example or using other methods. Regardless of the method used, it is important to consider the priorities of all of the most important business processes and IT systems before a security incident occurs so that the organisation can react quickly and effectively in the event of damage.
Review questions:
- Is a priority assignment for handling security incidents available? Is it up-to-date?
- Has the priority assignment been agreed with top management?
- Has the priority assignment been notified to all the decision makers in the management system for the handling of security incidents?
- Are the priority classes stored securely in the incident management?