Initiation responsibility: Agency/company Management, IT Security Management
Implementation responsibility: IT Security Management
Once the responsibilities for security incidents have been determined (see S 6.59 Specification of responsibilities for dealing with security incidents) and the procedural rules and reporting channels are familiar to all those concerned (see S 6.60 Procedural rules and reporting channels in case of security incidents), the next step is to determine how to proceed once reports have been received.
As a first step, the person receiving a report regarding a security incident must investigate and assess it (see also S 6.63). If it does turn out to be a security incident, additional measures must be taken. The following questions arise:
The answers to these questions must be specified in an escalation strategy and made known. The escalation strategy can be created in three stages, as follows:
Stage 1: Specification of escalation channels
Safeguard S 6.59 Specification of responsibilities for dealing with security incidents specifies who is responsible for handling security incidents. Specification of the escalation channel should include defining who should send a report to whom. This is easy to see when the relevant hierarchy is presented in diagrammatic form. Both the regular escalation channels and the channels to be used during staff absences should be considered.
Example
Stage 2: Decision aid for escalation
This stage first entails establishing the cases in which escalation should be immediate, before any further investigation or assessment is performed. An example of a tabular representation is shown below.
| Event | To be informed immediately |
| --- | --- |
| Infection with a computer virus | Virus Protection Officer, Administrator |
| Fire | Entrance control staff, fire department |
| Wilful acts and suspected criminal acts | IT Security Officer |
| Suspected industrial espionage | IT Security Officer, executive board |
| Necessity to call in the police and criminal prosecution authority | Executive board |
| Existence-threatening damage | Executive board |
The other circumstances under which escalation is required should then be specified. Possible grounds for escalation are as follows:
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: January 2000