S 6.58 Establishment of a procedure for handling security incidents
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer
As information technology becomes more deeply integrated into the procedures of a government agency or a company, the organisation's dependence on properly functioning information technology increases accordingly. One important task of security management is therefore to prepare adequately for handling security incidents of all types. Security incidents can be triggered by many different events and can, for example, result in a loss of availability, integrity and/or confidentiality of data, of individual IT systems, or of the entire network.
Special handling within security management is required for security incidents with the potential to cause extensive damage. Security problems that cause, or could cause, only minor local damage should therefore be resolved locally so that security management is not overloaded.
As part of information security management, the security incident handling pursues the following goals:
- The ability to respond so that security incidents and security problems are detected promptly and reported to the party responsible
- The ability to decide if the problem is a local security problem or a security incident
- The ability to act, so that the necessary measures can be decided on and implemented in the event of a security incident
- Minimising damage by promptly informing any other areas potentially affected by the security incident
- Increasing effectiveness by training and monitoring the ability to handle security incidents
To reach these goals, a suitable procedure for handling security incidents must be established, i.e. sensible and proven processes for dealing with them. Rules and procedures should be clearly defined for each of the various types of security incidents. An essential prerequisite, both when defining the rules and procedures and when finally putting them into effect, is the involvement of top management. This ensures that the necessary awareness of information security is created, that the authority required to make decisions has been assigned, and that the security objectives are supported.
Since handling security incidents is part of security management, the security policy or security concept of the government agency or company should specify how to handle security incidents.
It should be specified in the security policy or security concept that security incidents and security problems must be reported by the users and those affected to the corresponding person responsible for security. Furthermore, it is necessary to describe the decision-making process and motivate the employees to accept the need for security safeguards.
The handling of security incidents also needs to be co-ordinated with business continuity management, since many of the procedures used there for handling security-related incidents can be applied equally well to security incidents. If a dedicated incident management role has already been established in the organisation, this person should also be involved.
In addition to specifying a procedure for handling security incidents, suitable organisational structures must be specified for this purpose. This means defining who bears which responsibilities in the event of a security incident. The following groups, among others, bear responsibility; examples of their tasks are:
- User: Reporting security problems and incidents
- Administrator: Receiving reports, making a preliminary decision as to whether a security problem or a security incident has occurred, and initiating escalation if necessary
- Person responsible for applications: Participation in making the corresponding decisions and selecting the measures to take since this person knows the protection requirements of the affected business processes and applications
- IT Security Officer or security management: Receive reports and decide if the event is a security problem or a security incident, trigger escalation, and implement the necessary measures
- A team for handling security incidents, composed of the affected administrators, IT users, IT Security Officers, the public relations department and, if necessary, members of management: Co-ordinated handling of the incident
- Emergency officer and business continuity management: Receiving reports, deciding whether the event is a security problem or a security incident, and escalating to business continuity management if necessary
- Public relations department or press office: If necessary, preparing the information policy regarding the security incident
- Internal audit: Examination of the management system and follow-up evaluation of security incidents
- Top Management: Making final decisions
The responsibilities must be defined and allocated. More detailed information can be found in safeguard S 6.59 Specification of responsibilities for dealing with security incidents.
The more critical a security incident is, the more decision-making authority is generally needed to handle it. The authority required can become so extensive that top management must be informed and involved so that they can trigger the necessary measures (such as prohibiting the disclosure of information, calling the police, or introducing costly replacement measures). A security incident may even need to be escalated to business continuity management as a result. An escalation strategy specifying who needs to become involved in which cases must therefore be worked out in advance (see S 6.61 Escalation strategy for security incidents).
To measure the effectiveness of the management system for handling security incidents and to practise these management tasks, exercises and tabletop exercises (planning games) must be conducted. Since they involve a large number of people and can disrupt normal business processes, such exercises should be restricted to the most important areas. Additional suggestions can be found in safeguard S 6.68 Testing the effectiveness of the management system for the handling of security incidents.
It makes sense to describe the individual processes, rules, and workflows in a document containing the procedures for handling security incidents. This document must be updated at regular intervals, and the persons affected must be informed of it in a suitable manner.
Review questions:
- Are there clearly defined rules and procedures for the various types of security incidents?
- Is the procedure for handling security incidents documented?