IT Baseline Protection Manual S 6.61 Escalation strategy for security incidents

-->

S 6.61 Escalation strategy for security incidents

Initiation responsibility: Agency/company Management, IT Security Management

Implementation responsibility: IT Security Management

Once the responsibilities for security incidents have been determined (see S 6.59 Specification of responsibilities for dealing with security incidents) and the procedural rules and reporting channels are familiar to all those concerned (see S 6.60 Procedural rules and reporting channels in case of security incidents), the next step is to determine how to proceed once reports have been received.

As a first step, the person receiving a report regarding a security incident must investigate and assess it (see also S 6.63 ). If it turns out to indeed be a case of a security incident, additional measures must be taken. The following questions arise:

Where escalation is required, i.e. the action chain is extended, who should be informed?

What cases require immediate escalation?

Under what other circumstances is escalation appropriate?

When should escalation occur (immediately, the next day, the next working day)?

What media should be used to pass on the report?

The answers to these questions must be specified in an escalation strategy and made known. The escalation strategy can be created in three stages, as follows:

Stage 1: Specification of escalation channels

Who is responsible for handling security incidents is specified in safeguard S 6.59 Specification of responsibilities for dealing with security incidents. Specification of the escalation channel should include defining who should send a report to whom. This is easy to see when the relevant hierarchy is presented in diagrammatic form. Both the regular escalation channels and also the channels to be used during staff absences should be considered.

Example

Stage 2: Decision aid for escalation

This stage entails firstly establishing in which cases escalation should be immediate before any further investigation or assessment is performed. An example of a tabular representation is shown below.

Event	To be informed immediately
Infection with a computer virus	Virus Protection Officer, Administrator
Fire	Entrance control staff, fire department
Wilful acts and suspected criminal acts	IT Security Officer
Suspected industrial espionage	IT Security Officer, executive board
Necessity to call in the police and criminal prosecution authority	Executive board
Existence-threatening damage	Executive board

Under what other circumstances escalation is required should then be specified. Possible grounds for escalation are as follows:

The expected level of damage exceeds the area of responsibility of the person who received the report.

The costs and resources required to control the damage exceed his area of competence.

The complexity of the security incident exceeds his competence or area of responsibility.

Stage 3: Manner of escalation It is now necessary to specify how the next level up in the escalation chain should be informed. The options are:

in person

written report

E mail

telephone, mobile phone

messenger with sealed envelope

The timescale within which notification should occur must also be specified. Examples are:

events which require immediate escalation: within one hour;

events which require immediate measures: within one hour;

events which may be under control but still require that the next escalation level is notified: the next working day.

This escalation strategy should be notified to all possible recipients of reports of security incidents so as to ensure a prompt response. To contain a security incident, it is usually necessary to take action promptly. It may be necessary to recall staff from other projects or to call them in out of working hours. Procedures must therefore be defined as to how the necessary additional work is to be handled and how to ensure that staff are on call (see also S6.59 Specification of responsibilities for dealing with security incidents).

Additional controls:

When was the escalation strategy last updated?

Have the escalation channels been tried out in exercises/practice runs?

last update:
Januar 2000

home