S 2.215 Error handling

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User, Administrator

All errors which affect IT systems or communications links must be reported and logged. This naturally does not include error messages produced by plausibility checks, i.e. messages caused by incorrect user input. It must be ensured that reported errors are resolved as quickly as possible.

Investigation and resolution of errors should only be carried out by appropriately trained personnel. All users should be informed of whom they should notify when errors or problems with IT systems occur. Users should also be informed of known errors that can impede their work with IT systems, and of how to eliminate or work around them.

Logs of reported errors should contain the following information:

In some cases it can be sensible or necessary not to eliminate an error that has occurred, e.g. if no reliable patch is available or a replacement part cannot be obtained. In such cases the log entry should note whether the IT component concerned can continue to be operated without restrictions on its functionality.

These logs should be examined at regular intervals to see whether they are up-to-date and whether all the errors reported have been eliminated.

Errors should only be corrected by the persons who have been assigned responsibility for them. Error elimination must be carried out within the framework of the organisation's IT security policies. If patches or updates are necessary to eliminate the error, they should be obtained directly from the manufacturer or from a trusted source (see also S 4.107 Use of vendor resources). More extensive corrective actions should first be tested on systems that are not connected to the live network, since such actions can have undesired side effects. Once the error has been eliminated, the amended IT systems or components must pass new acceptance tests and be released again (see S 2.62 Software acceptance and approval procedure).

Review questions: