T 2.62 Inappropriate handling of security incidents
In practice, it is impossible to completely eliminate the possibility of encountering security incidents. This is also true even when a number of security safeguards have been implemented. If appropriate action is not taken in response to an acute security incident, then the result could be large amounts of damage, and even a catastrophe under some circumstances.
Examples include:
- New computer viruses with damaging functions initially appear only sporadically, but eventually appear everywhere. If appropriate action is not taken promptly, then entire organisational units can cease to function under some circumstances.
- Altered content is found inexplicably on a web server. If such an incident is not investigated as a possible indication of an attack by hackers, then further attacks on the server can also lead to considerable damage to the organisation's reputation under some circumstances.
- Suspicious entries are found in the log files of a firewall. If the entries are not examined for signs of a possible attempt to hack into the system, then attackers could successfully attack and overcome the firewall without being noticed and penetrate the internal network of the organisation.
- The presence of new security gaps in the IT systems used is announced. If this information is not obtained promptly and the necessary countermeasures are not implemented quickly, then there is a danger that attackers could exploit the corresponding security gaps.
- There are signs of manipulation of corporate data. If such a discovery does not trigger an investigation into the cause of the manipulations, then undetected manipulations could result in severe consequential damage, for example incorrect inventory figures, incorrect accounts, or uncontrolled financial withdrawals.
- If the cause of a compromise of confidential corporate data is not investigated, then additional confidential data may be disclosed.
These examples illustrate how important it is to detect security incidents early and report them quickly to the persons responsible. It is extremely important in such cases to react quickly and inform anyone who may be affected in order to prevent or minimise the resulting damage.
Bad and hasty decisions may be made under stress when there is no prescribed procedure available for handling security incidents. Such decisions can lead to the following, among other things:
- Representatives from the press may receive incorrect information.
- The affected systems and components may not be handled appropriately according to the situation and may be switched off too early or too late.
- Third parties may incur damage to your systems.
- There may not be any alternative or recovery measures planned, for example for exchanging compromised components or restoring data.