IT Baseline Protection Manual S 2.215 Error handling

S 2.215 Error handling

Initiation responsibility: IT Security management, Head of IT Section

Implementation responsibility: Users, Administrator

All errors which affect IT systems or communications links must be reported and logged. Naturally, this does not include error messages displayed as a result of plausibility checks, i.e. those caused by incorrect user input. Steps must be taken to ensure that the reported errors are resolved as quickly as possible.

Investigation and resolution of errors should only be carried out by appropriately trained staff. All users should be informed of whom they should notify when any errors or problems with IT systems occur. Users should also be informed of errors which can impede work with IT systems and of how to fix them.

Logs of reported errors should contain the following information:

In some cases it can be sensible or necessary not to fix errors that have occurred, e.g. if no reliable patch is available or it is not possible to obtain a spare part. In such cases the log entry should note whether the IT component concerned can continue to be operated without restrictions on its functionality.

These logs should be examined at regular intervals to see whether they are up-to-date and whether all the errors reported have been cleared.

Errors should only be corrected by the persons who have been given responsibility for them. Error correction must be carried out within the framework of the IT security guidelines of the organisation concerned. If any patches or updates are necessary to fix the error, these should be obtained directly from the manufacturer or from a trusted source (see also S 4.107 Use of vendor resources). More extensive corrective actions should first of all be tested on systems that are not connected to the live network, as these actions could have undesired side-effects. Once the error has been resolved, the amended IT systems or components must undergo new acceptance tests and be released (see S 2.62 Software acceptance and approval procedure).

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik. Last update: July 2001