S 6.122 Definition of a security incident

Initiation responsibility: Top Management, IT Security Officer

Implementation responsibility: IT Security Officer

Similar to the definition of an emergency (see S 6.110 Specification of the scope and the emergency management strategy), it is essential for a company or government agency to have a clear idea of what a security incident is in order to be able to handle security incidents. In particular, it must be clear how security incidents can be distinguished from normal incidents (i.e. malfunctions) occurring in daily operation. This is the only way to make it possible to find a suitable starting point for the special measures of the security incident handling process in the framework of the normal incident management process. A primarily formal definition without too much room for interpretation can also make it easier to start this process. The definition of a security incident should be based on the protection requirements of the affected business processes, IT services, IT systems, and IT applications. In this manner, it is possible to define a threshold determining when an event becomes a security incident based on the protection requirements or the results of a business impact analysis of the systems directly or potentially affected by the incident. In addition, security management should be able to declare that an exceptional event is a security incident even when it does not correspond to the definition.

A security incident could be defined as follows, for example: "A security incident in our company/government agency refers to an event that impairs the confidentiality, availability, and integrity of our information, business processes, IT services, IT systems, or IT applications with high or very high protection requirements to the extent that considerable damage could be incurred by our company/government agency, customers, or business partners."

All employees involved in the security incident handling process must be familiar with the definition of a security incident. For logical reasons, the definition of a security incident should be compatible with the definition of an emergency.

Review questions:

• Does the definition of a security incident clearly distinguish it from a normal incident?
• Is the definition of a security incident compatible with the definition of an emergency?
• Are all employees involved in the security incident handling process familiar with the definition of a security incident?
• Were the protection requirements of the business processes, IT services, IT systems, and IT applications affected considered when specifying the definition of a security incident?
• Is it possible to easily and clearly distinguish normal incidents from security incidents during daily operations based on their definitions?