S 6.65 Notification of the parties affected

Initiation responsibility: IT Security Management

Implementation responsibility: IT Security Management, Head of IT Section, Administrator, Press Office

When a security incident has occurred, all the internal and external parties affected by it must be informed. This is especially important for departments or agencies which could sustain damage as a direct result of the security incident and need to take countermeasures or for any parties which process information about security incidents and can assist in preventing or resolving them. If necessary, the public should also be informed, especially if information has already leaked out.

A clear concept of who should inform whom, in what sequence and in how much detail must be developed for the particular security incident concerned. In this connection steps must be taken to ensure that information regarding the security incident is only given out by appointed responsible persons, such as, for example IT Security Management or the Press Office.

Who receives information and in how much detail naturally will depend primarily on the technical background. No incorrect or embellished information should be passed on, as this could lead to confusion, false assessments and loss of image.

An example is presented below of which departments/agencies should typically be informed of what information.

Internal departments

If it is still unclear as to whether a security incident has occurred or how serious it is, the internal staff potentially affected should be asked to examine their areas of work for possible irregularities.

If the countermeasures required to deal with a security incident are known, the internal departments concerned should be informed promptly as to what they must do in order to minimise the effects of a security incident or to restore secure operations.

The parties who should be considered include the following:

• Head of IT Section

• heads of specialist departments concerned,

• IT users,

• IT Administrators,

• IT user service,

• site technical service

• surveillance staff,

• internal security staff and

• entrance control staff.

External parties

If the impact of the security incident is not confined simply to the organisation, all external parties which are also affected or could also be affected should be informed of the security problem which has occurred, what countermeasures are necessary and how the effects can be contained.

If this information is not passed on but the incident subsequently becomes known, an existing co-operative relationship based on trust between the organisation and the external party could be permanently impaired.

The following groups should be considered here:

• customers,

• suppliers,

• freelance staff,

• subcontractors,

• IT service providers,

• parties to which there are communication links,

• companies developing software and

• network operators.

Depending on the type of incident, it may also be necessary to call in the police and/or take legal advice.

The public

Where major or complex security incidents have occurred it may be necessary to inform the public. Press statements should only be issued through the Press Officer. Care must be taken here to ensure that the Press Officer is adequately briefed on the security incident, the extent of the damage, any necessary countermeasures and the parties which have been informed.

However, the information provided to the public should be kept non-specific so as to avoid encouraging copycat attacks.

It is important to check the identity of anyone seeking information about security incidents so that perpetrators are not kept up-to-date about the success of their attacks.

IT security community

If the security incident is due to a security weakness which is not already familiar, this fact should not be kept secret but should be forwarded to other parties so that they can be warned about the security weakness and countermeasures can be developed. Typically the following parties should be informed:

• vendors of anti-virus programs where infection by a new computer virus is suspected but this was not detected by the virus scanner;

• vendor of any operating system or application software within which the security weakness was resident;

• Computer Emergency Response Teams (CERTs) (see also S 2.35 Obtaining information on security weaknesses of the system), where the security incident is attributable to system- or application-specific security weaknesses;

• the IT specialist press or

• public agencies concerned with IT security, such as the BSI.

Example

It is noticed that data is sporadically tempered with on PCs or goes missing. After this was reported and subsequently investigated it transpired that the problems were caused by a previously unknown macro-virus. This virus is spread via E mail attachments. In this case, the following departments and parties should be notified immediately:

• Head of IT Section,

• IT users,

• IT Administrators,

• IT user service,

• all parties with whom data has been exchanged since the computer virus first appeared,

• vendor of the anti-virus program which failed to detect the virus,

• a Computer Emergency Response Team.

Additional controls:

• Who passes information about security incidents to third parties?

• What steps are taken to ensure that no unauthorised persons are passing on any information about the security incident?