S 6.121 Drawing up a policy for handling security incidents
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer
Many security incidents only turn into bigger problems because they are handled incorrectly, for example when hasty decisions are made: an administrator may impulsively delete data that would later be needed to reconstruct the sequence of events of the security incident.
To instruct every employee how to respond correctly in the event of a security incident, it helps to create policies for handling security incidents that are tailored to specific target groups. This also enables all persons involved in an exceptional situation to remain calm and act prudently.
The management system for handling security incidents should contain technical instructions for the administrators and for the employees in security management. The users also need to be involved early on. Similarly, the policy should regulate how incident management handles security problems and security-related service requests. It is recommended to publish a policy within the company or government agency that describes the appropriate procedure in the event of a security incident and sets out the mandatory processes as well as the mandatory reporting and escalation paths for all employees of the organisation. When developing the policy, it should be ensured that it is complete and can be applied in practice. The tasks of all people involved must be clearly formulated in the policy. Conduct that deviates from the policy should only be permitted in exceptional cases, and these cases must be documented accordingly.
A distinction must be made in this case between generally valid codes of conduct that apply universally to all security incidents and the codes of conduct specifically related to IT. The following general codes of conduct can be defined for all types of security-related irregularities:
- All persons affected by the incident should remain calm and should not take any measures in haste.
- Irregularities should be reported immediately to the appropriate parties according to a reporting plan.
- Countermeasures should only be taken when requested by authorised persons.
- All surrounding circumstances must be explained openly, transparently, and without omitting any details to those affected so that they can contribute to minimising the damage.
- Based on their own experience, those affected should make an initial estimate of the possible extent of the damage, the consequential damage, the internal and external personnel potentially affected, and the possible consequences.
- Information on the security incident may not be disclosed to any unauthorised third parties.
All employees of a government agency or company who could be affected by a security incident must be informed in a suitable manner of these general codes of conduct.
Furthermore, specific codes of conduct could be given to those affected, and especially to those who receive the reports of security incidents and who need to make the initial decisions or trigger the initial response measures. Such persons include administrators, the people responsible for applications in IT, and security management. The codes of conduct and procedures to be followed include those described in the following safeguards:
- S 6.23 Procedures in the event of malware
- S 6.31 Procedural patterns following a loss of system integrity
- S 6.48 Procedures in case of a loss of database integrity
- S 6.54 Procedures in case of a loss of network integrity
- S 6.102 Procedures in the event of WLAN security incidents
One way to inform every employee affected of the codes of conduct and the reporting plan described in the policies (see S 6.61 Escalation strategy for security incidents) is to hand them an information sheet, signed by top management, that collects the most important information and can be kept at the workplace and, in addition, published on the intranet. An example of such an information sheet can be found in the Resources for IT Grundschutz. To ensure that the required information is also available in an emergency, this information sheet should not be provided in electronic form only, because the security incident may affect precisely the systems on which it is stored.
All information sheets for potential security incidents must be updated immediately after every relevant change to the organisation, the business processes, or the IT so that the codes of conduct described there are still applicable and the reporting paths are still correct.
Review questions:
- Are there policies for handling security incidents that are tailored to specific target groups?
- Is the policy for security incidents applicable in practice and can every person involved determine what they need to do from the policy?
- Does the policy cover all aspects of security incident handling?
- Has this policy been co-ordinated with the head of IT and IT operations? Has the top management of the organisation adopted the policy?
- Are there clearly defined codes of conduct for the various types of security incidents?
- Are all employees (especially those in IT operations and in first level support at the service desk) aware of this policy?
- Are the codes of conduct in the policy updated regularly?
- Were areas that overlap with other areas of management such as emergency management taken into account?