S 6.59 Specification of responsibilities for dealing with security incidents

Initiation responsibility: Agency/company Management, IT Security Management

Implementation responsibility: IT Security Management

When specifying the responsibilities for handling security incidents, it is worthwhile considering the sequence of events in a hypothetical security incident. The tasks and responsibilities of the person groups involved must be determined and an appropriate method of obligating and instructing them must be devised. To give an idea how this might be done, examples are set out below for some of the groups typically affected.

IT-users

Task:

As soon as IT-users become aware of a security-relevant irregularity, they must observe the appropriate procedural rules and report the irregularity.

Responsibility:

IT users must decide what the appropriate reporting channel is in the present case (see S 6.60 Investigation and assessment of a security incident).

Duty / information:

Every IT user should have a duty under the in-house security guidelines to report any security-relevant irregularities. Furthermore, all users should be given written instructions informing them of the actions they should take and to whom which incidents should be reported.

IT Administrator

Task:

The IT Administrator's task here is to receive reports regarding security-relevant irregularities relating to IT systems for which he is responsible. He must then decide whether to take corrective action himself or whether he should report the incident to the next higher escalation level.

Responsibility:

An administrator must be able to decide whether there is a security problem, whether he can deal with it himself, whether he should consult other persons immediately (in accordance with the escalation plan) and whom he should inform.

Duty / information:

This should be specified in the job description and in the "Policy for handling security incidents".

IT Security Officer / IT Security Management

Task:

The IT Security Officer receives reports on security incidents. He investigates and assesses the incident. He selects appropriate measures and arranges for them to be implemented where this does not lie outside his area of responsibility. If necessary, he assembles a Security Incident Team or informs line management for the purpose of escalation.

Responsibility:

He is authorised to undertake an assessment of a security incident and to escalate an incident up the management chain. In addition he has been granted the financial and personnel resources (e.g. DM 100,000 and 2 man-months) which he may use to handle incidents independently.

Duty / information:

IT Security Management develops the "Policy for handling security incidents". Therefore all IT Security Officers should be informed of their tasks and responsibilities in the handling of security incidents.

IT Security Auditor

Task:

The IT Security Auditor can be assigned the task of checking the effectiveness of the management system for security incidents at regular intervals. He can also be required to participate in the evaluation of security incidents.

Responsibility:

In agreement with line management, predefined checks can be initiated and performed.

Duty / information:

This should be specified in the job description and in the "Policy for handling security incidents".

Public Relations / Press Office

Task:

Where a serious security incident has occurred, no information should be divulged to the public except through the Press Office. The aim here is not to gloss over or play down the incident, but to present it in an objective manner so as to avoid any loss of image as a consequence of conflicting information.

Responsibility:

The Press Office must prepare information regarding the security incident together with the technical experts and agree this with line management prior to distribution.

Duty / information:

This should be specified in the job description and in the "Policy for handling security incidents".

Agency/company management

Task:

In cases of serious security incidents, management should be informed and if necessary should be required to make decisions.

Responsibility:

In its capacity as having overall responsibility, it can delegate responsibility to the above-mentioned groups. In addition it can call in the police and criminal prosecution authorities where criminal activity is suspected.

Duty / information:

Management must approve the "Policy for handling security incidents" and the escalation plans which are based thereon. As part of this, line management is also informed of its role in the handling of security incidents.

Security Incident Team

In addition to the above groups, where a difficult or serious security incident has occurred it may be necessary to invoke a Security Incident Team for a limited period to handle the incident. This is normally initiated by the IT Security Officer, who may involve line management in advance.

Even if the Security Incident Team only meets for a specific security incident, to ensure as fast a response as possible to the security incident, its members must be appointed and fully briefed of their assigned tasks in advance. The members of the Security Incident Team should be authorised to perform their assigned tasks on their own authority. The procedures necessary for this must be specified in writing and authorised by management. In particular, the person who heads the team must be specified.

Depending on the type of security incident, the members of a Security Incident Team can include the following, for example:

• Agency/company management

• IT Security Management / IT Security Officer

• Head of IT section

• Press office

• Data privacy officer

• Legal adviser

• Staff council / works council

If necessary, additional parties/departments must be called in, e.g.

• the specialist departments concerned (head of department, IT Procedures Officer),

• IT Administrators,

• the purchasing, site technical service, general service section, organisation, human resources departments and

• the fire protection officer.

It should be clarified in advance how the additional work caused by the occurrence of a security incident is to be performed, i.e. whether the provisions relating to working hours at the authority/company need to be expanded to include exceptional procedures to cover overtime, weekend working etc. in the event of a security incident. Steps must also be taken to ensure that this team can use the office premises outside of regular working hours should this be required.

Additional controls:

• Has a Security Incident Team been appointed?

• Have the members of the team been briefed as to their assigned tasks?

• Who co-ordinates which measures?

• When was the composition of the Catastrophe Management Team last updated?