S 6.66 Evaluation of security incidents

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: Auditor, IT Security Officer

Something can be learned from every security incident. In order to achieve the maximum learning effect from a security incident, it is essential to perform a follow-up evaluation. In many cases, it is possible to derive improvements to the handling of security incidents or deduce the effectiveness of the security management process or of the existing security safeguards from the evaluation. The following aspects must be taken into account in this case, among others:

Response time

It should be examined how quickly the security incident was detected and which information was available for assessment. Here, it should be checked whether it is necessary to introduce additional technical detection safeguards.

Furthermore, the question of how long it took for the report to travel through the required reporting path also needs to be answered. Finally, it is necessary to consider how fast the decisions regarding the measures to implement were made, how long it took to implement them, and when the internal and external parties affected were informed.

When tracing the reporting path, it should also be checked whether everyone knew the reporting path to be used or if additional information and awareness-raising measures are necessary.

Effectiveness of the escalation strategy

Based on the specific security incident, it should be examined if the escalation strategy specified was followed, which additional information is required, and if it is necessary to modify the escalation strategy.

Effectiveness of the examination

When reviewing the incident, it should be examined if the amount of damage estimated for the security incident was assessed correctly, if the priorities specified were adequate, and if a suitable security incident team was assembled for the investigation of the incident.

Notification of parties affected

It should also be checked whether all affected parties were actually informed and whether they were notified quickly enough. Under certain circumstances, it may be necessary to find faster ways of informing these parties.

Feedback to the reporting party

The parties who discovered the security incident and reported it to the corresponding experts should be informed as to when the handling of the security incident was successfully completed, what damage occurred, and which measures were taken. This demonstrates that such reports are taken seriously and boosts motivation. In addition, it might also be appropriate to praise or reward cases of properly reported incidents to send a signal to the personnel demonstrating the importance of the reporting system for security incidents.

Motivation of the perpetrator

If it is discovered that the security incident was due to deliberate action, the possible motivation of the perpetrator should be examined. If the perpetrator is an insider, the motivation behind the incident is particularly important. If it is determined that a poor work climate was the cause, the management should also be informed of this fact, because it can be expected that such mistakes or deliberate acts will occur again.

Report

The management of the organisation should be given a report that is prepared at least once per year containing the total number of security incidents, their causes, and their effects. Depending on the relevance of the results of the follow-up evaluation, management should be informed immediately so they can make improvements or take appropriate action. For this reason, it may make sense to have an organisational unit that is not part of the reporting plan perform the follow-up evaluation.
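The response-time questions above (how fast an incident was detected, how long the report travelled along the reporting path, how quickly measures were decided and implemented, and when affected parties were informed) and the yearly management report are both easier to answer when each incident record carries the relevant timestamps. The following script is an added example, not part of the safeguard text; it assumes a constructed incident record layout and constructed threshold values, which an organisation would replace with its own reporting plan and targets.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IncidentRecord:
    """Timestamps of the phases examined in the follow-up evaluation (assumed layout)."""
    incident_id: str
    cause: str              # e.g. the cause category used in the annual report
    effect: str             # e.g. the effect category used in the annual report
    occurred: datetime      # best estimate of when the incident started
    detected: datetime      # when it was first recognised as a security incident
    reported: datetime      # when the report reached the end of the reporting path
    decided: datetime       # when the measures to implement were decided
    implemented: datetime   # when those measures were in place
    affected_informed: datetime  # when internal/external affected parties were told


# Assumed target durations per phase; the organisation sets its own values.
DEFAULT_THRESHOLDS = {
    "detection": timedelta(hours=24),
    "reporting_path": timedelta(hours=2),
    "decision": timedelta(hours=4),
    "implementation": timedelta(hours=48),
    "notification": timedelta(hours=24),
}


def timeline_metrics(rec: IncidentRecord) -> dict:
    """Duration of each phase, in the order the safeguard discusses them."""
    return {
        "detection": rec.detected - rec.occurred,
        "reporting_path": rec.reported - rec.detected,
        "decision": rec.decided - rec.reported,
        "implementation": rec.implemented - rec.decided,
        "notification": rec.affected_informed - rec.detected,
    }


def flag_slow_phases(rec: IncidentRecord, thresholds: dict) -> list:
    """Phases that exceeded their target; these are the ones to examine for
    missing detection safeguards, unclear reporting paths or slow notification."""
    return [phase for phase, spent in timeline_metrics(rec).items()
            if spent > thresholds[phase]]


def annual_report(records: list, year: int) -> dict:
    """Figures for the yearly management report: number of incidents,
    their causes and effects, plus the mean detection time."""
    subset = [r for r in records if r.occurred.year == year]
    detection_hours = [timeline_metrics(r)["detection"].total_seconds() / 3600
                       for r in subset]
    return {
        "year": year,
        "total": len(subset),
        "by_cause": dict(Counter(r.cause for r in subset)),
        "by_effect": dict(Counter(r.effect for r in subset)),
        "mean_detection_hours": (sum(detection_hours) / len(detection_hours)
                                 if detection_hours else 0.0),
    }


# Constructed sample incidents; the ids, causes and times are invented.
SAMPLE_INCIDENTS = [
    IncidentRecord("INC-2023-001", "phishing", "service_outage",
                   datetime(2023, 3, 1, 8, 0), datetime(2023, 3, 1, 10, 0),
                   datetime(2023, 3, 1, 10, 30), datetime(2023, 3, 1, 12, 0),
                   datetime(2023, 3, 2, 9, 0), datetime(2023, 3, 1, 14, 0)),
    IncidentRecord("INC-2023-002", "misconfiguration", "data_disclosure",
                   datetime(2023, 5, 10, 2, 0), datetime(2023, 5, 12, 9, 0),
                   datetime(2023, 5, 12, 13, 0), datetime(2023, 5, 12, 15, 0),
                   datetime(2023, 5, 13, 10, 0), datetime(2023, 5, 15, 9, 0)),
    IncidentRecord("INC-2022-017", "phishing", "service_outage",
                   datetime(2022, 11, 20, 9, 0), datetime(2022, 11, 20, 9, 30),
                   datetime(2022, 11, 20, 10, 0), datetime(2022, 11, 20, 11, 0),
                   datetime(2022, 11, 20, 16, 0), datetime(2022, 11, 20, 12, 0)),
]


if __name__ == "__main__":
    for rec in SAMPLE_INCIDENTS:
        slow = flag_slow_phases(rec, DEFAULT_THRESHOLDS)
        print(rec.incident_id, "phases over target:", slow or "none")
    print(annual_report(SAMPLE_INCIDENTS, 2023))
```

The second constructed incident is the instructive one: detection, reporting path and notification all exceed their targets, which maps directly onto the safeguard's questions about additional detection measures, awareness of the reporting path, and faster ways of informing affected parties. The per-year aggregation gives the totals, causes and effects that the management report is expected to contain.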

Development of an instruction manual

Within the framework of the follow-up evaluation of a security incident, it is useful to create an instruction manual or revise an existing one based on the experience gained stating how to proceed in the event of a comparable security incident. Since real problems were solved, the resulting instructions can be even more effective than instructions created on a theoretical basis. Furthermore, the fact that the security incident occurred indicates that there is a need for instructions for this specific type of security incident. The relevant groups must then be informed in a suitable manner of the instructions created. Under some circumstances, it may make sense to update the emergency documentation as well.

Review questions: