S 6.68 Testing the effectiveness of the management system for the handling of security incidents

Initiation responsibility: IT Security Officer

Implementation responsibility: Auditor, IT Security Officer

The management system for handling security incidents must be checked regularly to ensure it is up to date and effective. In addition, the safeguards formulated therein should be tested regularly for the following:

• Are the affected employees aware of the safeguards?
• Can the safeguards be taken when under stress, i.e. in the event of a security incident that causes disruptions to operations?
• Can they be integrated into operations?

In order to test their effectiveness, damage events should be simulated to check if the procedures specified for handling security incidents are followed or if it is even possible to follow these procedures at all. If not, the corresponding changes need to be made.

Announced as well as unannounced drills can be conducted for this purpose.

In no case should an unannounced drill trigger any actions that could lead to damage to IT systems, data, or other items that is impossible or difficult to repair. Likewise, business processes and IT operations should only be affected as little as possible.

It is necessary before starting every drill to carefully consider who needs to be informed of the drill in advance. It is absolutely essential to ensure that the drill has been authorised by the top management of the organisation. It can be useful sometimes not to inform certain groups of people, for example the gatekeepers or the administrators. However, it should be ensured that it will be possible to keep the situation under control at all times. The organisation should avoid alarming the police or fire department and cutting all network connections to the government agency or company, for example.

Examples:

• Call the reception desk of your company or government agency and pretend to be a computer expert who has discovered a vulnerability in your internal network that could be used by an attacker to gain access. You could also pose as a journalist claiming to have obtained information that a hacker has broken into the internal network and copied sensitive data. It is also possible to call the employees to which such cases are usually referred, for example the press officer or the head of IT. Making such a call can show whether or not panic breaks out in the organisation or if specific action appropriate to the situation is initiated.
• All of the tasks performed and reporting paths used in case of a virus infection can be tested in a single day. It is not absolutely necessary to inform all participants in advance in this case, but they must be informed of the test at the moment in which they are integrated into the action chain.

Another aspect of the efficiency test is the assessment of possible measurement parameters that could be checked when registering, reporting, and escalating security incidents. For example, the time between the initial report and the escalation and official confirmation of a security incident could be recorded and optimised after performing an evaluation. If a security incident is reported to the central service desk, the mechanisms for measuring efficiency already in place there may be used and evaluated after the test is complete.

Review questions:

• Is the management system for handling security incidents checked regularly to ensure it is up to date and effective?
• Are drills conducted to this end?
• Are the drills approved in advance by top management?
• Were measurement parameters for handling security incidents defined?