S 6.64 Remedial action in connection with security incidents
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Administrator
When handling an incident within the framework of incident management, it is first checked whether a similar incident has already occurred and whether a suitable solution was found, for example by eliminating the cause of the error or by eliminating or bypassing its symptoms using a workaround.
Since this process step has an iterative nature and the incident may be assigned to different support levels for analysis and diagnosis based on their level of expertise and knowledge, the roles and responsibilities as well as the flow of information must have been defined in advance together with security management.
The incident is therefore reviewed and compared to the following:
- problems detected
- known errors
- planned changes and/or changes already made to IT components
If a workaround was found, the necessary implementation measures must be initiated immediately. The goal of providing a workaround is to enable the users to continue to use the disrupted service, at least in a limited form (restart with limited operation). In addition, this also minimises the effects of the incident on the business processes and provides extra time to prepare a permanent solution.
As soon as the cause of a security incident has been identified, the necessary safeguards for handling the incident must be selected and implemented. To do this, it is necessary to localise and eliminate the problem first, and then return everything to its "normal" state (see S 6.133 Recovering the operating environment after security incidents).
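The comparison of a new incident against detected problems, known errors and changes described above, as an added example that is not part of the original safeguard: a small Python triage routine over constructed records (all identifiers, components and dates are invented) that returns whether to apply an existing workaround, link the incident to a known error without one, check a change on the same component inside a time window, or escalate to the next support level.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class KnownError:
    error_id: str
    component: str
    symptom: str                  # phrase expected in the incident description
    workaround: Optional[str]     # None: cause known, but no workaround yet

@dataclass
class Change:
    change_id: str
    component: str
    start: datetime
    end: datetime

@dataclass
class Incident:
    incident_id: str
    component: str
    description: str
    detected_at: datetime
    support_level: int = 1

def triage(incident: Incident, known_errors: List[KnownError],
           changes: List[Change], window_hours: int = 24) -> Tuple[str, str]:
    """Return (decision, reference): 'apply_workaround' restores service first,
    'link_known_error' attaches the incident to an open known error for root-cause
    work, 'check_change' points at a change in the time window, and 'escalate'
    hands it to the next support level because nothing matched."""
    text = incident.description.lower()
    for ke in known_errors:
        if ke.component == incident.component and ke.symptom.lower() in text:
            return ("apply_workaround" if ke.workaround else "link_known_error", ke.error_id)
    window = timedelta(hours=window_hours)
    for ch in changes:
        if (ch.component == incident.component
                and ch.start - window <= incident.detected_at <= ch.end + window):
            return ("check_change", ch.change_id)
    return ("escalate", f"support-level-{incident.support_level + 1}")

# Constructed sample records; ids, components and dates are invented.
KNOWN_ERRORS = [
    KnownError("KE-0007", "mailgw", "queue full", "purge quarantine and restart MTA"),
    KnownError("KE-0012", "vpn", "certificate expired", None),
]
CHANGES = [Change("CHG-0101", "webproxy", datetime(2024, 5, 2, 22), datetime(2024, 5, 3, 1))]
```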
Providing the expert knowledge needed
An essential prerequisite for the examination and elimination of a security gap is the availability of the corresponding expert knowledge. For this reason, the personnel must be trained accordingly or corresponding experts must be consulted. A list containing the contact data of the relevant internal and external experts for the various subject areas should be prepared so that this information can be consulted quickly when needed.
Such external experts include the following, among others:
- Computer Emergency Response Teams (CERTs) (see also S 2.35 Obtaining information on security weaknesses of the system),
- manufacturers and/or vendors of the IT systems affected (see also S 4.107 Use of vendor resources),
- manufacturers and/or vendors of the security systems used, for example of anti-virus programs, firewalls, access control systems, etc.,
- external consultants with expert knowledge in the field of security.
A procedure for communicating with external experts must be defined and established in advance.
Response to deliberate acts
During a security incident triggered by an attacker, it is necessary first to decide whether the detected attack should be monitored or whether countermeasures should be taken as quickly as possible. The organisation can naturally attempt to catch the attacker "in the act", but there is also a risk in this case that the attacker will be able to destroy, manipulate, or read data during this time.
In many cases, unfortunately, investigations of security problems determine that the incidents were caused by the organisation's own employees. They may be caused accidentally, due to incorrect workflows, or as the result of technical problems, but can also be caused by non-compliance with IT security safeguards or by deliberate acts.
For all security problems caused internally, it is necessary to find out what triggered the problem. In many cases, it will become clear that the problems arise from incorrect or hard-to-understand rules and regulations. In such cases, it is then necessary to change the rules accordingly or take additional safeguards, for example by introducing new technical safeguards.
Security problems caused deliberately or due to negligence should be followed by the appropriate consequences.
Review questions:
- Is a current list of internal and external security experts available who can be consulted to help answer questions in various subject areas?
- Have secure procedures for communicating with outside parties been established?
- Are the causes of all security problems triggered internally examined?