S 6.132 Limiting the effects of security incidents
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Administrator
In addition to effectively analysing the causes of a security incident, it is also important to contain the damage resulting from it. The direct effects of the security incident must be detected, estimated, and contained immediately so that the resulting damage does not reach a high or very high level, or a level that threatens the existence of the organisation. For this, security management needs adequate information and an overview of the relationships between the IT processes and the business processes, as well as of the IT systems, IT applications, and other resources those processes depend on. This information may come from a structure analysis, a protection requirements determination, or a business impact analysis, for example. Only on this basis can reliable statements be made regarding the extent and amount of the potential damage.
It is often easier to analyse a security incident when the IT systems or locations affected are isolated, and this also reduces the risk of the damage spreading to any areas not yet affected.
It will also occasionally be necessary to decide that containing the damage takes precedence over clarifying the security incident, for instance when isolating or shutting down a system destroys volatile evidence needed to establish the cause. So that such decisions do not have to be improvised under pressure, worst-case outcomes should be examined in advance for selected security incident scenarios.
Review questions:
- Is there enough information available to allow the effects of a security incident to be estimated?
- Have worst-case scenarios been examined for selected security incident scenarios?