S 6.54 Procedures in case of a loss of network integrity
Initiation responsibility: Information Security Management, Head of IT
Implementation responsibility: User, Administrator
If the network does not behave as intended (e.g. servers are unavailable, network resources cannot be accessed, network performance is persistently poor), a loss of network integrity may have occurred. Possible causes include misuse of the network, e.g. unauthorised changes to the configuration of the active network components, or damage to those components.
In this case, users should observe the following points:
- Save work results and close any programs still running.
- Inform the administrator via the defined escalation path (e.g. the user help desk). The notification process must be organised so that it does not significantly impair the administrators' ability to work on the problem.
The network administrator should take the following steps:
- Narrow down the faulty behaviour to a network segment and/or a network component.
- Check the configuration of the affected active network components (this includes checking whether passwords have been changed).
- Before changing anything, back up all files that could provide clues as to the type and cause of the problem (for example, whether the network has actually been attacked and, if so, how the attacker was able to penetrate it). This includes in particular all relevant log files.
- Restore the original configuration data if necessary (see S 6.52 Regular backup of configuration data of active network components).
- Check the hardware used (cabling, plug connectors, active network components, etc.) for defects if necessary.
- Inform the users and ask them to check their work areas for any irregularities.
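The following script illustrates two of the administrator's steps above, checking a component's configuration against its last backup and preserving evidence files with an integrity record. It is an added example, not part of the safeguard text or any BSI tool: the switch configurations and log lines are constructed for the example, the list of suspicious configuration keywords is an assumption that has to be adapted to the vendor in use, and the evidence is written to a local directory rather than to a separate evidence system.

```python
"""Added example: localise a configuration change on an active network
component and preserve the evidence with a SHA-256 manifest.
All sample configurations and log lines below are constructed."""
import difflib
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample: the last backed-up configuration of a switch (S 6.52)
# and the configuration read from the device after the incident report.
BASELINE_CONFIG = """\
hostname sw-core-01
enable secret 5 $1$abcd$constructedhash
snmp-server community ops-ro RO
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
line vty 0 4
 login local
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname sw-core-01
enable secret 5 $1$abcd$constructedhash
snmp-server community ops-ro RO
snmp-server community public RW
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
line vty 0 4
 no login
 transport input telnet ssh
"""

# Constructed sample log lines that are preserved together with the configs.
DEVICE_LOG = """\
Jan 12 03:14:02 sw-core-01 %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
Jan 12 03:14:40 sw-core-01 %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
"""

# Assumption: keywords whose appearance in a change most often indicate misuse
# (management access, credentials, SNMP). Adapt to the vendor syntax in use.
SUSPICIOUS_MARKERS = ("snmp-server community", "no login", "telnet",
                      "username", "enable secret")


def config_diff(baseline: str, current: str) -> List[str]:
    """Return only the added (+) and removed (-) lines between two configs."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


def flag_suspicious(changes: List[str]) -> List[str]:
    """Pick out changed lines that touch access control or management protocols."""
    return [c for c in changes if any(m in c for m in SUSPICIOUS_MARKERS)]


def preserve_evidence(files: Dict[str, str],
                      dest_dir: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Copy each evidence file into dest_dir and write a SHA-256 manifest beside it.
    Returns (dest_dir, manifest). Hashing at collection time lets the copies be
    shown unchanged later, which is what keeps them usable as clues."""
    if dest_dir is None:
        dest_dir = tempfile.mkdtemp(prefix="evidence-")
    manifest: Dict[str, str] = {}
    for name, content in files.items():
        data = content.encode()
        with open(os.path.join(dest_dir, name), "wb") as fh:
            fh.write(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(dest_dir, "MANIFEST.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return dest_dir, manifest


def verify_evidence(dest_dir: str, manifest: Dict[str, str]) -> bool:
    """Recompute the hashes; False if any preserved file no longer matches."""
    for name, digest in manifest.items():
        with open(os.path.join(dest_dir, name), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != digest:
                return False
    return True


if __name__ == "__main__":
    changes = config_diff(BASELINE_CONFIG, CURRENT_CONFIG)
    for line in changes:
        print(line)
    print("suspicious:", flag_suspicious(changes))
    where, manifest = preserve_evidence({"running-config.txt": CURRENT_CONFIG,
                                         "startup-config.txt": BASELINE_CONFIG,
                                         "device.log": DEVICE_LOG})
    print("evidence in", where, "intact:", verify_evidence(where, manifest))
```

The diff localises the problem to three changes on one component (an added read-write SNMP community, login disabled on the VTY lines, telnet enabled), which is exactly the information needed before the backed-up configuration is restored; the manifest is written before any restore so that the evidence survives it.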
If there is any indication of a deliberate attack on the network, immediate action must be taken to limit the damage already caused and to prevent further damage. For this purpose an alarm plan must be drawn up that lists the steps to be taken and specifies who must be informed of the incident (see also S 6.60 Specification of reporting paths for security incidents). If necessary, the alarm plan also specifies whether and how the Data Protection Officer and the legal department are to be involved.
Review questions:
- Is it ensured that the responsible persons (e.g. administrator, security officer) are informed according to a defined escalation process/alarm plan if network integrity is lost?
- Is there a defined procedure for determining the causes, minimising the resulting damage and preventing further damage once network integrity has been lost?