3.8 Handling of security incidents

Description

To maintain IT security in ongoing operations, it is necessary to have developed and practised a policy for the handling of security incidents. A security incident refers to an event whose impact could cause significant loss or damage. To prevent or contain any loss or damage, security incidents should be dealt with swiftly and efficiently. If there is a predefined procedure available to be invoked, then reaction times can be minimised. The possible loss or damage which could occur in a security incident can affect both the confidentiality and integrity of data and also its availability.

A special part of security incident handling is the contingency planning concept (see Section 3.3). In a contingency planning concept, the effects of failure of critical components in particular IT systems are analysed in advance and a procedure for ensuring that availability is maintained or can be restored is specified.

Security incidents can, for example, be triggered by

• user errors which result in loss of data or alteration of sensitive system parameters,
• the appearance of security loopholes in hardware or software components,
• large-scale infection by computer viruses,
• hacking of Internet servers,
• disclosure of confidential data,
• loss of personnel resources or
• criminal action (break-in, theft or blackmail relating to IT equipment).

All types of security incident must be tackled in an appropriate manner. This applies both to security incidents against which it is possible to take specific protective measures, e.g. computer viruses, and also to security incidents which affect the organisation unexpectedly.

This chapter presents a systematic approach as to how to draw up a policy for the handling of security incidents and how to ensure that this is implemented and integrated within an organisation. The effort involved in preparing and implementing such a policy is not trivial. Therefore this chapter should be considered mainly where relatively large IT systems are used and/or for systems on which the organisation is especially reliant.

Threat Scenario

Security incidents can be triggered by a number of threats. The catalogue of threats contains a large collection of threats which can cause major or minor security incidents.

A great deal of damage can be triggered by these threats if no suitable procedures have been developed as to how to handle them. This chapter therefore considers the following threat as representative of all the threats which can occur in the field of security incidents:

• T 2.62 Inappropriate handling of security incidents

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in Sections 2.3 and 2.4, is recommended.

To establish an effective system for handling security incidents, a number of steps must be taken. These steps are described in safeguard S 6.58 Establishment of a management system for handling security incidents and are explained in the safeguards which follow it. Hence it is best to start with implementation of safeguard S 6.58.

The safeguards relating to the area of "Handling of security incidents" are listed below.

Contingency Planning

• S 6.58 (1) Establishment of a management system for handling security incidents
• S 6.59 (1) Specification of responsibilities for dealing with security incidents
• S 6.60 (1) Procedural rules and reporting channels for security incidents
• S 6.61 (1) Escalation strategy for security incidents
• S 6.62 (1) Specifying priorities for handling security incidents
• S 6.63 (1) Investigation and assessment of a security incident
• S 6.64 (1) Remedial action in connection with security incidents
• S 6.65 (1) Notification of parties affected
• S 6.66 (2) Evaluation of security incidents
• S 6.67 (2) Use of detection measures for security incidents (optional)
• S 6.68 (2) Testing the effectiveness of the management system for the handling of security incidents