S 6.151 Alarm concept for the logging function
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Head of Organisation, Head of IT
In order to react appropriately to security incidents within an information system, an alarm concept must be drawn up. An alarm concept includes a description of the alarm channels used to inform the persons in charge in the event of a security incident and a detailed description of the alarm process.
Different types of notification
It should be possible to trigger alarms in the event of IT security incidents using as many different notification mechanisms as possible. This is necessary to ensure that a security-relevant event is not overlooked. The selected forms of notification should be defined in the alarm concept. Ideally, the following types of notification are supported:
- Once a security incident has been detected, an IT early-warning system can trigger an alarm on the management console.
- The events can be sent by email to the respective person in charge. This is a very common form of communication, but it cannot be ensured that the reported incident is handled immediately.
- Security-relevant incidents can also be sent as an SMS to the mobile phone or pager of the responsible administrator. However, it must be noted that such messages may be delivered late or not at all, e.g. because of dead zones in network coverage.
- If SNMP messages are sent, an IT early-warning system can be linked to a ticket system so that security-relevant incidents are forwarded directly to it.
- Open and well-documented programming interfaces provide a high degree of flexibility when connecting external processing systems.
Responsible persons
The alarm concept must name the persons who must be informed in the event of an IT security incident. These are usually the administrators of the information system. To this end, contact lists with the addresses and phone numbers of the contact persons must be maintained. The persons specified should be informed, should know their respective tasks within the alarm concept and should regularly check the corresponding contact lists for correctness, e.g. the phone numbers stored.
Defining the alarm process
Defining the alarm process is an essential part of the alarm concept. It describes the entire process from the occurrence of a security incident until the incident has been completely remedied. All steps of the alarm process should be described in detail in order to rule out misinterpretations in advance. It must be defined when, how, to whom and by whom alarms are to be triggered, and which solutions are available for each of these points.
Furthermore, the alarm concept must specify when an alarm is generated. For this purpose, thresholds can be set on the centralised logging server; once a value exceeds its threshold, an alarm is triggered. If a value approaches the threshold without exceeding it, a warning can be triggered to indicate a possibly impending problem.
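The following is an added example (not part of the BSI safeguard text) that ties together the two technical points above: threshold evaluation with a warning band on a centralised logging server, and fan-out of each alarm over several notification channels so that one failing channel does not cause the event to be overlooked. The log format, the metric (failed logins per source address within a time window), the threshold values, the channel names and the contact list are all constructed for illustration; the channels are in-memory stand-ins rather than real console, email or SMS gateways.

```python
"""Threshold-based alarming with fan-out notification (added example).

The metric, log format, thresholds and channel names below are constructed
for illustration; they are not taken from the safeguard text.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines from a centralised logging server (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 sshd[102]: Failed password for root from 203.0.113.7
2024-03-01T10:00:07 sshd[103]: Failed password for root from 203.0.113.7
2024-03-01T10:00:09 sshd[104]: Failed password for root from 203.0.113.7
2024-03-01T10:00:11 sshd[105]: Accepted password for alice from 198.51.100.2
2024-03-01T10:00:13 sshd[106]: Failed password for bob from 198.51.100.9
2024-03-01T10:00:15 sshd[106]: Failed password for bob from 198.51.100.9
2024-03-01T10:00:17 sshd[106]: Failed password for bob from 198.51.100.9
"""

ALARM_THRESHOLD = 4   # an alarm fires once failures per source EXCEED this value
WARNING_BAND = 2      # values within this distance at or below the threshold yield a warning
WINDOW = timedelta(minutes=1)

# Constructed contact list: channel name -> recipient (placeholders, not real contacts).
CONTACTS = {
    "console": "soc-management-console",
    "email": "it-security@example.test",
    "sms": "+00-000-PLACEHOLDER",
}


def count_failures(log_text: str, now: datetime) -> Counter:
    """Count failed logins per source address within the window ending at `now`."""
    counts = Counter()
    for line in log_text.splitlines():
        ts_str, _, rest = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        if now - ts > WINDOW or "Failed password" not in rest:
            continue
        counts[rest.rsplit(" from ", 1)[1]] += 1
    return counts


def classify(value: int) -> str:
    """'alarm' above the threshold, 'warning' when close to it, otherwise 'ok'."""
    if value > ALARM_THRESHOLD:
        return "alarm"
    if value >= ALARM_THRESHOLD - WARNING_BAND:
        return "warning"
    return "ok"


class MemoryChannel:
    """In-memory stand-in for a notification channel (console, email, SMS, ...).
    `fail=True` simulates an undeliverable channel such as a mobile dead zone."""

    def __init__(self, name: str, fail: bool = False):
        self.name, self.fail, self.sent = name, fail, []

    def send(self, recipient: str, message: str) -> None:
        if self.fail:
            raise RuntimeError(f"{self.name}: delivery failed")
        self.sent.append((recipient, message))


class Dispatcher:
    """Fans every alarm out to all channels; a failing channel is recorded but
    never stops delivery on the others, so the event is not overlooked."""

    def __init__(self, channels, contacts):
        self.channels, self.contacts, self.failures = channels, contacts, []

    def notify(self, message: str) -> list:
        delivered = []
        for ch in self.channels:
            recipient = self.contacts.get(ch.name)
            if recipient is None:
                self.failures.append((ch.name, "no contact configured"))
                continue
            try:
                ch.send(recipient, message)
                delivered.append(ch.name)
            except Exception as exc:  # one broken channel must not abort the fan-out
                self.failures.append((ch.name, str(exc)))
        return delivered


def run_alarm_check(log_text: str, now: datetime, dispatcher: Dispatcher) -> dict:
    """Evaluate each source against the thresholds and dispatch alarms and warnings.
    Returns {source: state} so the decision is auditable afterwards."""
    states = {}
    for source, n in count_failures(log_text, now).items():
        state = classify(n)
        states[source] = state
        if state == "alarm":
            dispatcher.notify(f"ALARM: {n} failed logins from {source} in {WINDOW}")
        elif state == "warning":
            dispatcher.notify(f"WARNING: {n} failed logins from {source}, threshold {ALARM_THRESHOLD}")
    return states


def demo() -> dict:
    """Run the check over the constructed log with the SMS channel in a dead zone."""
    channels = [MemoryChannel("console"), MemoryChannel("email"), MemoryChannel("sms", fail=True)]
    d = Dispatcher(channels, CONTACTS)
    states = run_alarm_check(SAMPLE_LOG, datetime(2024, 3, 1, 10, 0, 20), d)
    return {"states": states, "failures": d.failures,
            "console_sent": len(channels[0].sent), "email_sent": len(channels[1].sent)}


if __name__ == "__main__":
    print(demo())
```

With the constructed data, the source with five failures is above the threshold and raises an alarm, the source with three failures lies inside the warning band and only raises a warning, and both messages reach the console and email channels while the simulated SMS dead zone is recorded in `failures` for later review of the contact list.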
The alarm concept should be reviewed and updated regularly. This is the only way to ensure that the safeguards listed there can be implemented properly and practicably in an emergency.
Review questions:
- Is an alarm concept drawn up?
- Are alarms transmitted using different forms of notification?
- Does the alarm concept detail the persons to be informed in the event of a security incident, including their phone numbers and/or addresses?
- Were the persons listed in the alarm concept informed of their tasks?
- Does the alarm concept contain a detailed description of all steps of the alarm process?
- Is the alarm concept reviewed and updated regularly?