S 6.60 Specification of reporting paths for security incidents
Initiation responsibility: IT Security Officer, Top Management
Implementation responsibility: IT Security Officer
In addition to specifying the roles, responsibilities, and procedures in case of security incidents, it is also necessary to define the corresponding reporting paths. The following serves as an example:
- In the case of force majeure-type threats such as fire, flooding, power failures, burglary, and theft, the task forces available locally and the technical task force leaders must be informed (fire department, building services, gatekeepers, security service, etc.).
- In the case of technical hardware problems or irregularities detected during operation of the IT systems, the corresponding administrator or user support must be informed.
- In the case of large-scale failures or of other scenarios listed in the emergency handbook, the Emergency Officer and the head of the crisis team must be informed.
- In the case of suspected deliberate acts and other uncategorisable events (e.g. data manipulations, unauthorised use of rights, suspicion of espionage or sabotage), the IT Security Officer and security management must be informed.
- If there is a central point of contact for reporting general incidents or security incidents (see S 6.125 Establishment of a central contact point for reporting security incidents), then this party should be added to the reporting path so that the security incidents can be documented and, if necessary, additional reports correlated.
It is especially important in this context for all employees to know the contact persons and the reporting paths for all types of security incidents. This could be achieved, for example, by placing a list containing the names, telephone numbers, and e-mail addresses of the particular contact persons in the internal telephone directory or on the Intranet. It must not be difficult or time-consuming for employees to report suspected incidents. Fast and secure communication connections must be available for this purpose. The authenticity of the communication partner and the confidentiality of the information reported on the suspected incident must be ensured.
All employees should be informed that only security management is allowed to pass on information about a security incident to third parties (see also S 6.65 Notification of parties affected by security incidents).
The employees of the press office and public relations department must agree in advance to use specific terminology and phrases to ensure that no information will be released to the public without authorisation and that no false information will be released (see also S 6.59 Specification of responsibilities for dealing with security incidents).
Exercises should be conducted sporadically to check if the procedures for security incidents are adequate and feasible and if all employees are aware of these procedures (see also S 6.68 Testing the effectiveness of the management system for the handling of security incidents).
The importance of a good working climate and a healthy communication culture has been demonstrated time and time again, especially in the case of security incidents; both also ensure that security incidents are reported immediately and dealt with openly (see also S 3.8 Avoidance of factors impairing the organisation climate).
Review questions:
- Are the current configuration parameters of Novell Netware servers documented in the corresponding documentation?
- Has the procedure for recovery of a Novell Netware server been agreed with the responsible persons?
- Does the business continuity handbook comprise all steps required for recovery of the Novell Netware servers?
- Is the recovery plan for Novell Netware servers tested at regular intervals and are the results documented?