S 6.59 Specification of responsibilities for dealing with security incidents

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: IT Security Officer

Suitable organisational structures must be in place in order to be able to handle security incidents appropriately. Depending on the type of organisation, but also on the type of security incident, it will be necessary to activate other groups of people under certain circumstances. To correctly identify the corresponding people, it is recommended to consider the chronological sequence of events of a hypothetical security incident and think about who would be needed in the various phases of a security incident. The tasks and responsibilities granted to the groups of people taking action must be defined, as well as how these people are informed of or instructed in what they are required to do. Examples of some of the groups typically affected by security incidents are described in the following.

IT users

Task:

As soon as an IT user notices a security-related irregularity, the user must follow the corresponding procedures and codes of conduct as well as report the situation.

Responsibility:

IT users must decide which reporting path should be taken for the case at hand (see S 6.60 Specification of reporting paths for security incidents).

Duty/information:

The security policy of the organisation should specify that every IT user is required to report security-related irregularities. Furthermore, clear and understandable instructions in written form should be handed out to all users that specify how they should respond and to whom they should report which incidents. The instructions for handling security incidents should be defined in the policy for handling security incidents.

Administrators

Task:

The administrators' task here is to receive reports of security-related irregularities that have occurred in connection with the IT systems they are responsible for. Afterwards, they must decide whether they will eliminate the irregularities themselves or whether they need to inform the next higher escalation level of the irregularities.

Responsibility:

Administrators must be able to decide whether there is a security problem, whether they can deal with it on their own, whether they should consult other persons immediately (according to the escalation plan), and whom they should inform.

Duty/information:

This should be specified in the job description and in the policy for handling security incidents.

Service desk

Task:

The central point of contact for IT operations (the service desk) receives reports of incidents. When the incidents are classified, these reports are examined to determine whether a security incident has occurred. Security management is then informed when a security incident is discovered. In most cases, and especially in large organisations, the users contact the service desk directly instead of contacting an administrator first.

Responsibility:

The service desk must be able to decide whether the security management team needs to be contacted and informed that the occurrence of a security incident is suspected. To make this decision, the service desk should have access to documented causes and indicators of past security incidents.

Duty/information:

The employees of the service desk also need to be made aware of issues relating to information security and be able to detect signs of possible security incidents.

Change management team

Task:

The change management team receives IT change requests. In the case of security incidents, these requests contain the measures required to close the security gaps; these measures have to be implemented by the team of experts for handling security incidents.

Responsibility:

The change management team ensures that the necessary measures are implemented quickly, efficiently, and without affecting the quality of the IT services.

Duty/information:

The security incident handling policy should specify that change requests for eliminating problems in connection with security incidents must be treated as emergency changes and need to be handled with corresponding priority in the change management process.

IT Security Officer/security management

Task:

The IT Security Officer receives reports of security incidents. He/she investigates and assesses the incident. He/she selects the necessary measures, and initiates their implementation through the change management team if this does not exceed the responsibilities of the IT Security Officer. If necessary, the IT Security Officer assembles a security incident team and informs management for the purpose of escalation.

Responsibility:

The IT Security Officer is authorised to declare a current event a security incident, perform an assessment of the security incident, and escalate an incident to a higher level. Furthermore, the IT Security Officer is to be allocated the financial and personnel resources or special purchasing rights needed and be allowed to use them of his/her own accord to take remedial action in connection with security incidents. Depending on the size of the company or government agency, the IT Security Officer could be allocated 100,000 Euro and 2 person-months, for example.

Duty/information:

Security management develops the procedures and the security incident handling policy. For this reason, all IT Security Officers should be informed of their tasks and responsibilities when handling security incidents.

Audit department

Task:

The audit department can be assigned the task of checking the effectiveness of the security incident management system at regular intervals. Furthermore, they could also be required to become involved in the follow-up evaluation of a security incident.

Responsibility:

In agreement with the management, the audit department can initiate and perform audits.

Duty/information:

This should be specified in the job description and in the security incident handling policy.

Public relations department/press office

Task:

In the case of security incidents, the general public should only receive information from the press office. The incident should not be played down or glossed over and should instead be presented factually so that the organisation does not suffer a loss of image if information to the contrary becomes available.

Responsibility:

The press office must prepare information on the security incident together with the technical experts and obtain approval of the content from management before releasing it.

Duty/information:

This should be specified in the job description and in the security incident handling policy.

Top management

Task:

Top management is informed of all serious security incidents and must make the corresponding decisions when necessary.

Responsibility:

Since it bears the overall responsibility, top management can delegate responsibility to the groups mentioned above. Furthermore, it can call in the police and criminal prosecution authorities when it suspects that criminal activity has occurred.

Duty/information:

The top management of the government agency or company must approve the security incident handling policy as well as the escalation plans based on it. The management is also informed of their role in handling security incidents.

Team of experts for handling security incidents

Task:

In addition to the groups above, it may be necessary in the case of difficult or serious security incidents to assemble a team of experts to perform system- or site-specific identification, evidence-securing, analysis and response actions (see also S 6.132 Assembling a team of experts for handling security incidents).

Responsibility:

The members of the team of experts have access to the suspicious systems and access to the locations affected by the security incident. They should be authorised to perform the tasks assigned to them on their own responsibility.

Duty/information:

The members of the team of experts act strictly according to the security incident handling policy and the instructions of the IT Security Officer and of the security incident team. All communication with external and internal parties regarding the security incident must go through the IT Security Officer or a person designated by the IT Security Officer.

Security incident team

In large organisations, it may make sense to assemble a security incident team in addition to appointing an IT Security Officer. This team (in contrast to the team of experts for handling security incidents technically) functions as a co-ordinator and enables the organisation to make decisions quickly. This team is also a virtual team, but must be able to make strategic decisions quickly. For this reason, the members of this team must be appointed by name, and their contact data must be stored at suitable locations.

Even if the security incident team only meets when a concrete security incident has occurred, the members of this team must be appointed in advance and instructed how to perform their tasks so that the response to the security incident can be initiated as quickly as possible. The members of the security incident team should be authorised to perform the tasks assigned to them on their own responsibility. The rules and regulations required for this purpose must be specified in writing and authorised by the top management of the organisation. In particular, it is necessary to specify who will be the leader of this team.

The following people can belong to a security incident team (depending on the type of security incident), for example:

If necessary, additional areas will need to be included such as the following, for example:

It must be clarified for all of the different organisational forms for handling security incidents who will co-ordinate which safeguards when an incident occurs.

It should be clarified in advance how the additional work required in connection with security incidents will be handled, i.e. if the working hours of the government agency or company need to be extended by adding exceptions for overtime, weekend working hours, etc., in the event of a security incident. Furthermore, it must also be ensured that this team will be able to use offices outside of regular working hours when this is necessary.

Review questions: