S 6.134 Documentation of security incidents
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator, Head of IT
When eliminating a security problem, all actions taken should be documented in detail, ideally using a standardised procedure, for the following reasons:
- to obtain an overview of the causes, effects, and safeguards taken,
- to understand the problems that have occurred,
- to be able to identify and correct errors in the countermeasures, which are likely given the speed with which they are usually implemented,
- to be able to quickly eliminate any already known problems should they occur again,
- to close all security gaps and work out preventive measures, and
- to collect evidence in case criminal prosecution is desired later.
Such documentation should include not only a description of each action performed, with the time it was taken and who took it, but also the log files of the affected IT systems, secured as copies at the time of collection so that later log rotation or clean-up does not destroy them.
The confidentiality of all security incident documents must be adequately protected.
Incident management should ensure that the necessary information is entered in the corresponding documentation systems before the incident is closed. Quality assurance requirements should be defined in advance in co-operation with security management.
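The following is an added illustration of what such a record can look like in practice; it is not part of the BSI text or its documentation form. It keeps, for each action, who did what and when, attaches log files from affected systems together with a SHA-256 fingerprint so that their integrity can be checked later (for example before they are handed over as evidence), refuses to close the incident while required fields are empty (the quality-assurance check described above), and stores the record with owner-only permissions because its contents are confidential. The JSON file format, SHA-256, the list of required fields, the incident identifier and the sample log lines are all assumptions of this example.

```python
"""Incident documentation record (added example; not from the BSI text)."""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: str) -> str:
    """Fingerprint a (possibly large) log file without reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_mode(path: str) -> int:
    """Permission bits of a stored record (used to check confidentiality)."""
    return os.stat(path).st_mode & 0o777


@dataclass
class Action:
    time: str         # when the step was taken (UTC, ISO 8601)
    actor: str        # who took it
    description: str  # what was done
    result: str


@dataclass
class Evidence:
    system: str       # affected IT system the log came from
    path: str         # where the secured copy is stored
    sha256: str       # fingerprint taken at collection time
    collected_at: str
    collected_by: str


@dataclass
class IncidentRecord:
    incident_id: str
    opened: str
    cause: str = ""
    effects: str = ""
    preventive_measures: List[str] = field(default_factory=list)
    actions: List[Action] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)
    closed: str = ""

    def log_action(self, actor: str, description: str, result: str) -> None:
        self.actions.append(Action(utc_now(), actor, description, result))

    def attach_log(self, system: str, path: str, collected_by: str) -> None:
        self.evidence.append(Evidence(system, path, sha256_file(path), utc_now(), collected_by))

    def missing_fields(self) -> List[str]:
        """Quality-assurance check: fields that must be filled before closing (assumed list)."""
        required = {"cause": self.cause, "effects": self.effects,
                    "actions": self.actions, "preventive_measures": self.preventive_measures}
        return [name for name, value in required.items() if not value]

    def close(self) -> None:
        missing = self.missing_fields()
        if missing:
            raise ValueError("cannot close incident, missing: " + ", ".join(missing))
        self.closed = utc_now()

    def save(self, path: str) -> None:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(asdict(self), fh, indent=2)
        os.chmod(path, 0o600)  # confidentiality: owner read/write only


def verify_evidence(record: IncidentRecord) -> Dict[str, bool]:
    """Recompute each fingerprint; False means the secured copy has changed."""
    return {e.path: sha256_file(e.path) == e.sha256 for e in record.evidence}


# Constructed sample log lines (not real data) standing in for a copy of a
# web server access log collected from the affected system.
SAMPLE_LOG = (
    '10.0.0.5 - - [12/Mar/2024:03:14:07 +0000] "POST /admin/login HTTP/1.1" 401 98\n'
    '10.0.0.5 - - [12/Mar/2024:03:14:09 +0000] "POST /admin/login HTTP/1.1" 401 98\n'
)


def build_example_record():
    """Walk one hypothetical incident through the record; returns (record, log_path, record_path)."""
    workdir = tempfile.mkdtemp(prefix="incident-")
    log_path = os.path.join(workdir, "webserver-access.log")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    rec = IncidentRecord(incident_id="INC-0001", opened=utc_now())  # hypothetical ID
    rec.log_action("administrator", "blocked source address at the firewall", "done")
    rec.attach_log("webserver", log_path, collected_by="it-security-officer")
    rec.log_action("administrator", "reset the administrator password", "done")
    rec.cause = "repeated login attempts against the admin interface"
    rec.effects = "no successful login observed"
    rec.preventive_measures.append("rate-limit and alert on failed admin logins")
    rec.close()
    record_path = os.path.join(workdir, "INC-0001.json")
    rec.save(record_path)
    return rec, log_path, record_path
```

Running `build_example_record()` produces a closed record and a JSON file readable only by its owner; `verify_evidence()` on the record returns `True` for every attached log as long as the secured copy is unchanged, and `close()` raises while cause, effects, actions or preventive measures are still missing. Permission bits alone are a minimal confidentiality measure; in practice the record would live in the incident management system referred to above, with its own access control.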
The form found in the Resources for IT-Grundschutz at the BSI website can be used as a standard documentation form for security incidents.
Review questions:
- Are all security incidents documented according to a standardised procedure?
- Is confidentiality ensured while the information is being documented and when the reports are archived?