S 6.65 Notification of parties affected by security incidents

Initiation responsibility: IT Security Officer

Implementation responsibility: Administrator, Head of IT, IT Security Officer, Press Office

When a security incident occurs, all internal and external parties affected must be informed of the incident promptly. This especially includes those parties who could suffer damage as a direct result of the security incident, those who need to take countermeasures, and those who prepare information on security incidents and can help to prevent or recover from such an incident. The general public should also be informed where necessary, and in particular if information on the incident has already leaked out.

To this end, a clear concept must be developed for each security incident, stating who needs to be informed, by whom, and in what level of detail. It must also be ensured that information on the security incident is provided only by the persons appointed to be responsible for this, for example security management or the press office. In addition, it should be documented who passed which information to whom and when. This record is important for the follow-up evaluation of the incident, and it may also have legal relevance.

Which information each party receives, and in what level of detail, naturally depends in particular on that party's technical background. No falsified or whitewashed information should be released, since this leads to confusion and misjudgements and damages the organisation's reputation.

The following example is intended to illustrate which parties usually need to be informed, and what this information should contain:

Internal parties

If it is still unclear whether or not the incident is a security incident and how serious it is, the internal personnel potentially affected by the incident should be asked to check their work areas for possible irregularities.

If the countermeasures required for a given security incident are known, the internal parties affected must be informed promptly of what they need to do to minimise the effects of the security incident or to restore secure operations.

In this case, the following groups must be taken into account, among others:

External parties

If the security incident is not confined to the organisation alone, all external parties who are or could be affected should be informed as to which security problem has arisen, which countermeasures are necessary, and how they can minimise its effects.

If this information is withheld and the incident becomes public later, the result may be lasting damage to further constructive co-operation and a loss of trust in the organisation.

The following groups must be taken into account in this case:

Depending on the type of incident, it may also be necessary to contact the police or consult a legal advisor.

The general public

In the case of large-scale or complex security incidents, it may be necessary to inform the general public. In such cases, all contact with the press must go through the Press Officer. To this end, it is necessary to ensure that the Press Officer is adequately informed in advance of the security incident, the amount of damage caused, any countermeasures required, and which other parties were informed.

The information provided to the public should be kept abstract enough that it does not encourage imitators, i.e. it should not contain technical details that would allow the attack to be reproduced.

The identity of any party requesting information on a security incident must be verified, so that attackers cannot use such requests to monitor the success of their attacks.

Security community

If the security incident resulted from a previously unknown security gap, the organisation should not hide this knowledge but should pass it on, so that others can be warned of the gap and countermeasures can be developed. The following parties are typically provided with such information:

Example:

An organisation notices that data stored on its PCs is being manipulated or lost at irregular intervals. After the incidents are reported and investigated, it turns out that a previously unknown computer virus is the cause. This virus spreads via files attached to e-mails. The following parties should be informed immediately in this case:

Review questions: