S 6.131 Classifying and assessing security incidents
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator, IT Security Officer
The more specifically a general incident or a security incident can be classified, the more precisely its processing and assessment can be controlled. For this reason, the effectiveness and appropriateness of the classification scheme should be reviewed regularly. A standard classification procedure should be available for all types of incidents, including security incidents. This classification procedure must be specified by incident management in cooperation with security management.
The final classification may differ from the one reported, because users usually report symptoms rather than causes, or because it only becomes apparent later on that the affected systems have protection requirements. If a security incident expands in scale and affects additional systems, it may be necessary to reclassify it.
In addition to its classification, further information should be linked to the incident, including:
- which applications, IT systems, and services are affected by the incident,
- which employees and/or work groups were assigned to handle the incident,
- whether there are other, already known errors and problems such as security gaps in IT products and IT configurations that could have a connection to the incident.
The tool used to record incidents should allow its users to enter incidents together with their classification and this additional information.
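The following is an added illustration, not part of the BSI safeguard text, of how an incident-recording tool can keep the reported and the final classification apart, carry the linked information listed above, and reclassify automatically when the scope expands to a system with a higher protection requirement. All names (the Asset, Classification and Incident types, the severity levels, the problem record identifier) are assumptions made for this example; the scenario data is constructed.

```python
"""Incident record with a classification history (illustrative example)."""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class IncidentType(Enum):
    GENERAL = "general"
    SECURITY = "security"


class Severity(IntEnum):
    # Ordered so that comparisons pick out the more severe level.
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass(frozen=True)
class Asset:
    """An application, IT system or service. protection_requirement is assumed
    to come from the organisation's protection requirements determination."""
    name: str
    protection_requirement: Severity


@dataclass(frozen=True)
class Classification:
    incident_type: IncidentType
    severity: Severity
    basis: str   # "reported" (by the user) or "assessed" (by the handlers)
    reason: str


@dataclass
class Incident:
    incident_id: str
    # Every (re)classification is appended: element 0 is what was reported,
    # the last element is the current one, so the two can always be compared.
    classifications: list = field(default_factory=list)
    affected_assets: list = field(default_factory=list)       # systems/services
    assigned_handlers: list = field(default_factory=list)     # staff / work groups
    related_known_problems: list = field(default_factory=list)  # known errors

    @property
    def reported(self) -> Classification:
        return self.classifications[0]

    @property
    def current(self) -> Classification:
        return self.classifications[-1]

    def reclassify(self, incident_type: IncidentType, severity: Severity, reason: str) -> bool:
        """Record a new assessed classification; returns True if it changed anything."""
        if (incident_type, severity) == (self.current.incident_type, self.current.severity):
            return False
        self.classifications.append(Classification(incident_type, severity, "assessed", reason))
        return True

    def add_affected_asset(self, asset: Asset) -> bool:
        """Extend the scope of the incident. If the newly affected asset has a
        higher protection requirement than the current severity reflects, the
        incident is reclassified upwards. Returns True if a reclassification happened."""
        if asset in self.affected_assets:
            return False
        self.affected_assets.append(asset)
        if asset.protection_requirement > self.current.severity:
            return self.reclassify(
                self.current.incident_type,
                asset.protection_requirement,
                f"scope expanded to {asset.name} "
                f"(protection requirement {asset.protection_requirement.name})",
            )
        return False


def open_incident(incident_id: str, incident_type: IncidentType,
                  severity: Severity, reported_symptom: str) -> Incident:
    """Create the record with the classification as reported by the user."""
    inc = Incident(incident_id)
    inc.classifications.append(Classification(incident_type, severity, "reported", reported_symptom))
    return inc


def walk_through() -> Incident:
    """Constructed scenario: reported as a general incident, reassessed as a
    security incident once the cause is known, then escalated when the scope grows."""
    inc = open_incident("INC-0001", IncidentType.GENERAL, Severity.LOW,
                        "several users report that their web mail login fails")
    inc.assigned_handlers.append("service desk")
    # The handlers look at the cause rather than the symptom: the accounts were
    # locked by many failed logins from unfamiliar sources -> security incident.
    inc.reclassify(IncidentType.SECURITY, Severity.MEDIUM,
                   "lockouts caused by repeated failed logins from external addresses")
    inc.assigned_handlers.append("IT security officer")
    inc.related_known_problems.append("PRB-EXAMPLE-42 (constructed id): no rate limit on web mail login")
    # Scope expands; the second system has a high protection requirement.
    inc.add_affected_asset(Asset("webmail-frontend", Severity.MEDIUM))
    inc.add_affected_asset(Asset("hr-portal", Severity.HIGH))
    return inc


if __name__ == "__main__":
    incident = walk_through()
    for c in incident.classifications:
        print(f"{c.basis:>8}: {c.incident_type.value}/{c.severity.name} - {c.reason}")
```

Keeping the full history rather than overwriting a single classification field is what makes the review questions answerable after the fact: it shows that the procedure was applied, why the final classification differs from the reported one, and at which point the scope expansion forced a reassessment.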
Review questions:
- Was a standard classification procedure specified for security incidents and general incidents?
- Was the classification procedure for security incidents coordinated between IT security management and incident management?