S 2.201 Documentation of the security process
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer
The sequence of events in the security process, all major decisions made, and the results of the work done in each of the phases should be documented. Such documentation is an essential foundation for maintaining information security, and is therefore a decisive prerequisite for the efficient refinement of the process. It helps to find and eliminate the causes of malfunctions and failed procedures in information security. It is important not only to be able to access the current version, but also to archive the previous versions at a central location. It is only possible to follow and understand the developments and decisions made in the area of information security when continuous documentation is available.
There are other documents relevant to security management in addition to the documents on security management and the security process. The following types of documentation should be considered depending on the object and the intended purpose:
Reports to management
In order for the top management of a government agency or company to make the right decisions and ensure an adequate level of information security is available, it needs the information necessary to make these decisions. The IT Security Officer and the IS management team should produce regular management reports as well as event-based management reports on the status of information security (see also S 2.200 Management reports on information security).
Documents on the security process
The following types of documentation on the security process should be created:
- The top management of the government agency or company must specify and publish the policy on information security. This policy contains the security objectives and the security strategy, among other things.
- The security concept contains descriptions of the required security safeguards and specifies their implementation.
- There are also area-specific and system-specific security policies and rules for the proper and secure use of IT that are based on the security policy.
- The most important tasks of the IS management team should also be documented. This includes the minutes of meetings and the decisions made, for example.
- The results of audits and checks (e.g. checklists and interview documentation) should be documented as well.
Documentation of workflows and procedures
Work procedures, organisational stipulations and technical security safeguards must be documented such that security incidents caused by a lack of knowledge or mistakes can be avoided.
In the event of disruptions or security incidents, it must be possible to recover the desired target states of the business processes and of the IT. Technical details and work procedures must therefore be documented such that this can be achieved within a reasonable amount of time.
Documentation of security incidents
Security-related events must be documented so that all processes and decisions made in this regard can be understood. Likewise, the documentation should also enable improvements to be made to the contingency strategies and ensure known errors are avoided. In order to process security incidents, it is also necessary to store and archive technical documents such as logs and system reports that are particularly relevant to the incident. The data protection rules must be followed in this context.
Technical documentation
This type of security-related documentation includes the following documents:
- installation and configuration manuals
- instructions for recovery after a security incident
- documentation of testing and release procedures
- instructions on how to respond to malfunctions and security incidents
Instructions for employees
Security safeguards must be documented so that employees can understand them. The employees need to have the following available to them for this reason:
- the currently valid security policies
- clear instruction sheets for handling internal information responsibly, for the secure use of IT systems and applications, and for how to respond to security incidents
- manuals and instructions for the IT systems and applications used
In rare cases, it may make sense or even be necessary to violate a security policy. However, all such violations must be approved by an authorised body. Exceptions should only be allowed after thorough examination and should only be granted in extremely rare cases. Afterwards, the justification for the exception should be provided in writing and signed by the person responsible.
Information flow and reporting routes
Descriptions of the reporting paths and of the procedure for ensuring the flow of information, together with prompt updating of these descriptions whenever the paths change, are essential to maintaining the security process.
Documentation procedure
It is the task of the IT Security Officer and the IS management team to maintain current and informative documentation on information security at all times. For this reason, there should be a standard procedure for all documentation created in the framework of the security process. This includes ensuring the following points, for example:
- The documentation must be understandable. This also means that it must be designed specifically for the intended target group. Reports submitted to management have different requirements than technical documentation intended for administrators.
- The documentation must be up to date. It must be specified who will maintain the documentation. The documents must also be labelled and stored so that they can be found quickly when needed. The date of creation, version, sources, and authors should be specified in the documentation. Outdated documents must be immediately taken out of circulation and archived.
- A defined procedure should be available for integrating, evaluating, and implementing (when necessary) any suggestions for changes (including the creation of new documents).
- In addition to ensuring information can be passed quickly to authorised persons, it is also necessary to ensure the confidentiality of internal details of the organisation. Confidential content must be classified as such, and the corresponding documents must be stored and processed securely (see also S 2.217 Careful classification and handling of information, applications and systems).
A document management system can help to maintain and manage the large number of security-related documents (see also S 2.259 Introduction of a high-level document management system).
Documentation does not always need to be available in paper form. The documentation medium can be selected as needed. Overview diagrams (e.g. a network plan), brief meeting minutes (of the annual management meeting in which the security strategy is discussed, for example), handwritten notes, or software tools (for documenting the security concept, for example) can be used for the purpose of documentation.
Review questions:
- Is sufficient documentation available for all phases of the security process?
- Is there a procedure defined for the creation and archiving of documentation in the framework of the security process?
- Are there rules in place to protect the confidentiality of the documentation?
- Are all documents available up to date?