S 6.68 Testing the effectiveness of the management system for the handling of security incidents

Initiation responsibility: IT Security Officer

Implementation responsibility: Auditor, IT Security Officer

The management system for handling security incidents must be checked regularly to ensure it is up to date and effective. In addition, the safeguards formulated therein should be tested regularly for the following:

In order to test their effectiveness, damage events should be simulated to check whether the procedures specified for handling security incidents are followed, or whether it is even possible to follow them at all. If not, the corresponding changes need to be made.

Announced as well as unannounced drills can be conducted for this purpose.

In no case should an unannounced drill trigger any actions that could lead to damage to IT systems, data, or other items that is impossible or difficult to repair. Likewise, business processes and IT operations should only be affected as little as possible.

Before starting any drill, it is necessary to carefully consider who needs to be informed of it in advance. It is absolutely essential to ensure that the drill has been authorised by the top management of the organisation. It can sometimes be useful not to inform certain groups of people, for example the gatekeepers or the administrators; however, it must be ensured that the situation can be kept under control at all times. For example, the organisation should avoid alarming the police or fire department or cutting all network connections to the government agency or company.

Examples:

Another aspect of the efficiency test is the assessment of possible measurement parameters that could be checked when registering, reporting, and escalating security incidents. For example, the time between the initial report and the escalation and official confirmation of a security incident could be recorded, evaluated and then optimised. If a security incident is reported to the central service desk, the mechanisms for measuring efficiency already in place there may be used and evaluated after the test is complete.
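As an added illustration (not part of the BSI safeguard text), a small Python script that computes the report-to-escalation and report-to-confirmation intervals over constructed incident records, summarises them, and flags incidents that exceed assumed target values or were never escalated or confirmed at all. The incident records and the target values are assumptions; the safeguard gives no figures.

```python
from datetime import datetime
from statistics import median

# Constructed sample records of the three timestamps the text mentions:
# initial report, escalation and official confirmation (None = never happened).
INCIDENTS = [
    {"id": "INC-1", "reported": "2024-03-01T08:00", "escalated": "2024-03-01T08:20", "confirmed": "2024-03-01T09:00"},
    {"id": "INC-2", "reported": "2024-03-01T10:00", "escalated": "2024-03-01T10:45", "confirmed": "2024-03-01T13:00"},
    {"id": "INC-3", "reported": "2024-03-01T14:00", "escalated": None,               "confirmed": None},
    {"id": "INC-4", "reported": "2024-03-01T16:00", "escalated": "2024-03-01T16:10", "confirmed": "2024-03-01T16:50"},
]

# Assumed target values in minutes (the safeguard text gives no figures).
TARGETS_MIN = {"escalated": 30, "confirmed": 120}


def minutes_after_report(inc, stage):
    """Minutes from the initial report to the given stage, or None if the stage never occurred."""
    if inc[stage] is None:
        return None
    delta = datetime.fromisoformat(inc[stage]) - datetime.fromisoformat(inc["reported"])
    return delta.total_seconds() / 60


def evaluate(incidents, targets=TARGETS_MIN):
    """Return per-stage summary statistics and a list of findings for the evaluation."""
    durations = {stage: [] for stage in targets}
    findings = []
    for inc in incidents:
        for stage, target in targets.items():
            mins = minutes_after_report(inc, stage)
            if mins is None:
                # The procedure was not followed: the stage was never reached.
                findings.append((inc["id"], stage, "procedure not followed: no timestamp"))
                continue
            durations[stage].append(mins)
            if mins > target:
                findings.append((inc["id"], stage, f"target exceeded: {mins:.0f} > {target} min"))
    summary = {
        stage: {"count": len(vals), "median_min": median(vals), "max_min": max(vals)}
        for stage, vals in durations.items() if vals
    }
    return summary, findings


if __name__ == "__main__":
    summary, findings = evaluate(INCIDENTS)
    for stage, stats in summary.items():
        print(stage, stats)
    for finding in findings:
        print(*finding)
```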

Review questions: