Initiation responsibility: Agency/company Management, IT Security Management
Implementation responsibility: IT Security Management
Experience suggests that security incidents are the result of a conjunction of different causes. As a consequence it is generally the case that the resulting potential damage involves several categories of damage (for example, impairment of physical integrity of a person, negative effects on external relationships, financial consequences, see also Section 2.2, Determination of protection requirements). It is therefore important to establish as far in advance as possible exactly where priorities lie with regard to dealing with problems. This priority assignment determines among other things the sequence in which problems should be tackled.
The assignment of priorities depends heavily on an organisation's particular circumstances. To assign priorities, the following questions should be considered:
In answering these questions, it can be helpful to work through a procedure for determining protection requirements from the IT baseline protection point of view (see Section 2.2). This procedure for determining protection requirements defines the damage categories which are relevant to the organisation.
Examples of relevant damage categories are as follows:
As part of the exercise of specifying the protection requirements, the extent of the damage is defined for each damage category.
Example: damage category "financial consequences"
| Damage / loss | Damage category: financial consequences |
|---|---|
| medium | Damage or loss is less than DM 25,000 |
| high | Damage or loss is between DM 25,000 and DM 5 million |
| very high | Damage or loss is greater than DM 5 million |
Priority classes (classification method):
- 1 = especially important
- 2 = important
- 3 = relatively unimportant
Alternatively, each damage category can be assigned a ranking.
Example
In this example the organisation concerned is a municipal authority which also offers services to the public over the Internet. The public can send requests to the municipal authority by e-mail and follow the progress of their cases over the Internet. The municipal authority also operates an Internet server as an information service.
An example of how the results of prioritisation might appear in this case is provided in the next table.
| Damage category | Damage / loss = medium | Damage / loss = high | Damage / loss = very high |
|---|---|---|---|
| Violation of laws, regulations or contracts | 2 | 2 | 2 |
| Impairment of the right to informational self-determination | 2 | 2 | 1 |
| Impairment of the physical integrity of a person | 2 | 1 | 1 |
| Impaired performance of duties | 3 | 3 | 2 |
| Negative effects on external relationships | 3 | 2 | 1 |
| Financial consequences | 3 | 3 | 2 |
Example of how the results of prioritisation might appear where ranking is used:
| Damage category | Damage / loss = medium | Damage / loss = high | Damage / loss = very high |
|---|---|---|---|
| Violation of laws, regulations or contracts | 13 | 12 | 11 |
| Impairment of the right to informational self-determination | 8 | 6 | 3 |
| Impairment of the physical integrity of a person | 5 | 2 | 1 |
| Impaired performance of duties | 15 | 14 | 7 |
| Negative effects on external relationships | 17 | 9 | 4 |
| Financial consequences | 18 | 16 | 10 |
This priority assignment must be approved by Management and put into effect. The approved priority assignment must be notified to all persons who would need to make decisions in connection with handling security incidents.
In the event that a security incident occurs, the priority assignment is used as follows. Once the security incident has been investigated and assessed, an estimate can be made of the expected damage. The resulting damage figures are then assigned to the known damage categories, following which they are allocated to the classes "medium", "high" and "very high". The priority assignment table indicates the order in which each type of damage should be addressed. However, the prior assignment of priorities should be viewed only as an initial guide. It may need to be adapted in individual cases.
Example

Suppose that in the above example, a hacker has succeeded in manipulating the information on the Internet information server so that the municipal authority appears in a bad light. This is spotted promptly, IT Security Management is called in and the above damage assessment is carried out. The results of the assessment might appear as follows:

| Damage category | Damage / loss = medium | Damage / loss = high | Damage / loss = very high |
|---|---|---|---|
| Violation of laws, regulations or contracts | D1 | | |
| Impairment of the right to informational self-determination | | | |
| Impairment of the physical integrity of a person | | | |
| Impaired performance of duties | D2 | | |
| Negative effects on external relationships | | | D3 |
| Financial consequences | D4 | | |
Damage cases D1 to D4 are assigned the following priorities on the basis of the previous priority assignment:
Priority classification method: D1 = 2, D2 = 3, D3 = 1, D4 = 3
Priority rating method: D1 = 13, D2 = 15, D3 = 4, D4 = 18
In both cases it would be clear that damage limitation effort should initially be concentrated on damage case D3 (negative effects on external relationships) before any attempt is made to tackle the other types of damage. In the example, to limit the negative effects on external relationships, the Internet server which has been tampered with would be taken off the network as the prelude to other measures. If the damage resulting from negative effects on external relationships had been assigned a lower priority and greater importance had been attached to impairment of the municipal authority's ability to accomplish its work, disconnecting the Internet server might not be viewed as a measure which should be implemented immediately.
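The procedure described above (assign each estimated damage to a category, map it to the classes "medium", "high" and "very high", look up the approved priority table and handle the cases in priority order) can be written down as a small tool, so that the lookup is repeatable during an incident and the table itself can be sanity-checked before Management approves it. The following is an added example, not part of the BSI manual: the two priority tables are the example tables on this page (the classification rows taken in the same category order as the ranking table), the DM thresholds are the financial-consequences example above, the incident cases D1 to D4 follow the municipal-authority example, and the DM 12,000 figure for D4 and the tie handling are assumptions.

```python
"""Worked example of the page's prioritisation procedure (constructed, not BSI code)."""
from typing import Dict, List, Tuple

# Damage categories in the order used by the page's priority tables
CATEGORIES = [
    "Violation of laws, regulations or contracts",
    "Impairment of the right to informational self-determination",
    "Impairment of the physical integrity of a person",
    "Impaired performance of duties",
    "Negative effects on external relationships",
    "Financial consequences",
]
LEVELS = ("medium", "high", "very high")  # extent of damage, increasing

# Method 1: priority classes, 1 = especially important ... 3 = relatively unimportant.
# One row per category: (medium, high, very high), values from the page's table.
CLASSIFICATION: Dict[str, Tuple[int, int, int]] = dict(zip(CATEGORIES, [
    (2, 2, 2), (2, 2, 1), (2, 1, 1), (3, 3, 2), (3, 2, 1), (3, 3, 2),
]))

# Method 2: a ranking over all 18 cells, 1 = handle first, values from the page's table.
RANKING: Dict[str, Tuple[int, int, int]] = dict(zip(CATEGORIES, [
    (13, 12, 11), (8, 6, 3), (5, 2, 1), (15, 14, 7), (17, 9, 4), (18, 16, 10),
]))


def classify_financial(amount_dm: float) -> str:
    """Map an estimated financial loss in DM to the page's damage classes:
    under DM 25,000 = medium, DM 25,000 to DM 5 million = high, above = very high."""
    if amount_dm < 25_000:
        return "medium"
    if amount_dm <= 5_000_000:
        return "high"
    return "very high"


def priority(table: Dict[str, Tuple[int, int, int]], category: str, level: str) -> int:
    """Look up the priority value for one (damage category, extent) combination."""
    return table[category][LEVELS.index(level)]


def check_monotone(table: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Sanity check (added here, not from the page): a greater extent of damage
    should never receive a lower priority (larger number) than a smaller extent.
    Returns the names of the rows that violate this."""
    problems = []
    for category, row in table.items():
        for smaller, larger in zip(row, row[1:]):
            if larger > smaller:
                problems.append(category)
                break
    return problems


def prioritise(table: Dict[str, Tuple[int, int, int]],
               cases: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Order damage cases (case id, category, extent) by priority value.

    Lower value = handle first.  Ties keep their input order (assumption): the
    page treats the table as an initial guide only, so the incident handler
    decides between equally ranked cases.
    """
    scored = [(case_id, priority(table, category, level)) for case_id, category, level in cases]
    return sorted(scored, key=lambda case: case[1])


# Constructed incident following the page's example: a manipulated Internet
# information server.  The DM 12,000 loss for D4 is an assumed figure.
INCIDENT = [
    ("D1", CATEGORIES[0], "medium"),
    ("D2", CATEGORIES[3], "medium"),
    ("D3", CATEGORIES[4], "very high"),
    ("D4", CATEGORIES[5], classify_financial(12_000)),
]

if __name__ == "__main__":
    for name, table in (("classification", CLASSIFICATION), ("ranking", RANKING)):
        print(name, "order:", prioritise(table, INCIDENT),
              "inconsistent rows:", check_monotone(table))
```

Both methods put D3 first, as the text states; the ranking method additionally gives a total order (D3, D1, D2, D4), while the classification method leaves D2 and D4 tied in class 3. Running `check_monotone` over a draft table before it goes to Management catches a row in which, say, "high" damage would be treated as less urgent than "medium" damage in the same category.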
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000