T 2.62 Inappropriate handling of security incidents

In practice, the possibility of a potentially extremely damaging security incident can never be eliminated, even where extensive security measures have been implemented. If appropriate action is not taken in response to a security incident, considerable damage or loss could occur or the situation could even develop into a catastrophe.

Examples include:

• New computer viruses containing damaging functionality at first occur on a sporadic basis but afterwards they are found on a wide scale. Without an appropriate and rapid response, entire organisational units can be put out of action. This is what happened when the "Melissa" virus appeared.

• The material held on a Web server changes inexplicably. If this is not investigated as a possible sign of a hacker attack, further attacks on the server could result in considerable loss of image.

• Inconsistencies are found in the log files of a firewall. Unless this is investigated as a hacking attempt, external adversaries could actually penetrate the firewall.

• New security weaknesses in the used IT systems become known. If this information is not obtained in good time and the necessary countermeasures are not taken speedily, there is a danger that the security weaknesses will be misused by either internal or external perpetrators.

• There are signs that corporate data has been manipulated. If the opportunity to follow up the manipulations is overlooked, undetected manipulations could result in extensive consequential damage, such as, for example, incorrect stock levels, false book-keeping or unchecked outflows of funds.

• Failure to take action when there is evidence that confidential corporate data has been compromised could result in additional confidential information being leaked.

These examples illustrate how important it is that security incidents are reported promptly to the responsible persons, action is taken quickly and those potentially affected are informed of how to minimise the damage or prevent it.

Again, in the absence of defined appropriate procedures for handling security incidents, it is possible for incorrect decisions to be made with the result, for example, that

• representatives of the press obtain incorrect information;

• the systems or components affected are not switched off even though there are serious security weaknesses;

• systems or individual components are switched off completely even though the security weaknesses concerned are relatively minor;

• there is no provision for backup measures, e.g. for replacement of compromised components, cryptographic procedures or keys.