S 6.65 Notification of parties affected by security incidents

Initiation responsibility: IT Security Officer

Implementation responsibility: Administrator, Head of IT, IT Security Officer, Press Office

When a security incident occurs, all internal and external parties affected must be informed of the incident promptly. This especially includes those parties who could suffer damage as a direct result of the security incident, those who need to take countermeasures, or those who prepare information on security incidents and can help to prevent or recover from such an incident. The general public should also be informed, if necessary, but especially if information on the incident has already leaked out.

A clear, individual concept must be developed to this end for the security incident, stating who needs to be informed by whom and how detailed the information provided should be. For this reason, it must be ensured that information on the security incident can only be provided by the persons appointed to be responsible for this, for example security management or the press office. It should also be documented who passed which information on to whom and when this information was handed over. This is important for the follow-up evaluation of the incident, but such documentation may also have legal relevance.

Who will receive which information and in which level of detail naturally depends on their technical background in particular. No falsified or whitewashed information should be released since this can lead to confusion, misjudgements, and a loss of image.

The following example is intended to illustrate which parties usually need to be informed, and what this information should contain:

Internal parties:

If it is still unclear whether or not the incident is a security incident and how serious it is, the internal personnel potentially affected by the incident should be asked to check their work areas for possible irregularities.

If the countermeasures required for a given security incident are known, the internal parties affected must be informed promptly of what they need to do to minimise the effects of the security incident or to restore secure operations.

In this case, the following groups must be taken into account, among others:

• heads of IT,
• heads of affected specialised departments
• IT users,
• IT administrators,
• IT user services / service desk,
• change management (to document the execution of the safeguards taken)
• building services,
• monitoring personnel,
• internal security personnel, and
• gatekeepers.

External parties

If the security incident is not confined to the organisation alone, all external parties who are or could be affected should be informed as to which security problem has arisen, which countermeasures are necessary, and how they can minimise its effects.

If this information is not passed on and the incident becomes public later on, the result could be permanent damage to all further, constructive co-operations and a loss of trust in the organisation.

The following groups must be taken into account in this case:

• customers,
• suppliers,
• freelance employees,
• subcontractors,
• IT service providers,
• parties to which the organisation has communication links,
• software development companies, and
• network operators.

Depending on the type of incident, it may also be necessary to contact the police or consult a legal advisor.

The general public

In the case of large-scale or complex security incidents, it may be necessary to inform the general public. In such cases, all contact with the press must go through the Press Officer. To this end, it is necessary to ensure that the Press Officer is adequately informed in advance of the security incident, the amount of damage caused, any countermeasures required, and which other parties were informed.

The information provided to the public should be made abstract enough so that it does not encourage imitators.

It is important to check the identities of any parties wishing to obtain information on security incidents so that attackers will not be able to monitor the success of their attacks.

Security community

If the security incident resulted due to a security gap that was unknown until that time, the organisation should not hide this knowledge and should forward it to other parties to warn others of the security gap and enable the development of countermeasures. The following parties are typically provided with such information:

• the manufacturer of the computer virus scanning program if the organisation suspects that a new type of computer virus or other malware has infected their IT systems the virus scanner has not detected,
• the manufacturer of the operating system or application software if the security gap was found to be in this software,
• an outside Computer Emergency Response Team (CERT, see also S 2.35 Obtaining information on security weaknesses of the system) if the security incident is the result of system- or application-specific security gaps,
• the IT and security trade press, or
• public agencies responsible for information security such as the BSI.

Example:

An organisation notices that data stored on the PCs is being manipulated or lost at irregular intervals. After reporting this and subsequently investigating the incidents, it was discovered that a previously unknown computer virus was the cause. This virus spread itself in files attached to emails. The following parties should be informed immediately in this case:

• heads of IT,
• IT users,
• IT administrators,
• IT user services,
• all parties data has been exchanged with since the first appearance of the computer virus,
• the manufacturer of the computer virus scanner because the virus scanner did not detect the virus, and
• a Computer Emergency Response Team.

Review questions:

• Is it guaranteed that all affected internal and external parties will be informed promptly when a security incident occurs? Is it guaranteed that they will be informed of which measures they need to take to minimise the effects of the security incident and restore secure operations?
• Has it been specified who will pass information on security incidents to third parties?
• Has it been ensured that no unauthorised persons will disclose information on the security incident?
• Are there descriptions for the most recent security incidents stating who was informed by whom in which order and in which level of detail?