S 6.123 Assembling a team of experts for handling security incidents

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer

In order to competently guide security incidents through the entire life cycle of the security incident handling process, it is recommended to assemble a team of experienced and trustworthy specialists for precisely this purpose. External specialists can be added to this team when necessary in order to respond adequately to all types of security incidents. The trustworthiness of all members of the team of experts should be examined (see also S 3.33 Security vetting of staff).

It must be ensured in this case that all members of the team are suitably integrated into the escalation paths. In addition to assembling a team of experts, it is also necessary to ensure that this team will be provided immediately with the financial and technical resources necessary to handle a security incident if such an incident occurs.

Most teams of experts exist as virtual teams that are only called together to handle a security incident and which are headed by an experienced leader. The IT Security Officer usually assumes the role of the leader. The actual composition of the team members generally depends on the type of security incident and the systems and sites affected. Depending on the information system, the team may include SAP, Lotus Notes, Windows, database, Unix, or network specialists. The members of the team of experts must not only have extensive knowledge of the systems used, but also need to be trained in the analysis of security incidents on these systems. The members of the team of experts must receive additional training regularly in order to be able to respond correctly to the newest types of attack.

Review questions:

© Federal Office for Information Security. All rights reserved.