IT Baseline Protection Manual S 6.66 Evaluation of security incidents

S 6.66 Evaluation of security incidents

Initiation responsibility: Agency/company Management, IT Security Management

Implementation responsibility: IT Security Management, IT Security Auditor

Something can be learned from every security incident. To obtain the maximum training benefit from a security incident, evaluation should not be neglected. Often this will result in improvements in dealing with security incidents or permit conclusions to be drawn as to the effectiveness of IT Security Management or the existing IT security measures. The aspects to be considered here include the following:

Time taken to react

Information should be sought on how quickly the security incident was detected. It is necessary here to check whether the technical measures in place for the detection of such incidents require improvement.

The question of how long it took for the report of the incident to travel through the relevant reporting channel should also be examined. Additional aspects which should be considered include how soon decisions were made as to what measures were required, how long they took to implement and when the internal and external parties affected by the incident were informed.

When tracing back the reporting channels used, consideration should be given to whether the reporting channel was known to everyone or whether additional measures are necessary to create the necessary awareness and provide additional information.

Effectiveness of the escalation strategy

The particular security incident should be used to examine whether the defined escalation strategy was adhered to, what additional information is necessary and whether the escalation strategy requires modification.

Effectiveness of the assessment

When looking back on the incident, consideration should be given to whether the extent of the damage caused was correctly assessed, whether the priorities considered were appropriate and whether a Security Incident Team suitable for the investigation was used.

Notification of parties affected

It is necessary here to consider whether all the parties affected were actually notified and whether such notification occurred soon enough. It may be necessary for faster notification channels to be found.
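The timing and notification checks described under "Time taken to react" and "Notification of parties affected" can be made repeatable by evaluating each incident against a recorded milestone timeline. The following is an added example, not code from the BSI manual; the timeline, the target durations and the party lists are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed incident timeline (ISO timestamps) for the milestones S 6.66 asks
# to be evaluated. None records that a milestone never happened, which the
# evaluation must flag rather than silently skip.
TIMELINE = {
    "occurred":    "2000-01-10T08:00:00",
    "detected":    "2000-01-10T09:30:00",
    "reported":    "2000-01-10T12:45:00",
    "decided":     "2000-01-10T13:15:00",
    "implemented": "2000-01-10T17:15:00",
}

# Hypothetical target durations per stage, chosen for this example only.
TARGETS = {
    "detection":      timedelta(hours=1),   # occurrence -> detection
    "reporting":      timedelta(hours=2),   # detection -> report reaches IT Security Management
    "decision":       timedelta(hours=1),   # report -> decision on measures
    "implementation": timedelta(hours=4),   # decision -> measures in place
}

STAGES = [
    ("detection", "occurred", "detected"),
    ("reporting", "detected", "reported"),
    ("decision", "reported", "decided"),
    ("implementation", "decided", "implemented"),
]

def stage_durations(timeline):
    """Return {stage: timedelta or None} for each consecutive milestone pair."""
    out = {}
    for stage, start, end in STAGES:
        s, e = timeline.get(start), timeline.get(end)
        if s is None or e is None:
            out[stage] = None
        else:
            out[stage] = datetime.fromisoformat(e) - datetime.fromisoformat(s)
    return out

def evaluate_reaction(timeline, targets=TARGETS):
    """List stages that exceeded their target or never completed."""
    findings = []
    for stage, d in stage_durations(timeline).items():
        if d is None:
            findings.append(f"{stage}: milestone missing")
        elif d > targets[stage]:
            findings.append(f"{stage}: {d} exceeds target {targets[stage]}")
    return findings

def unnotified_parties(affected, notified):
    """Affected parties that never received a notification, for the review."""
    return sorted(set(affected) - set(notified))
```

Each finding names the stage whose reporting channel, escalation step or notification path should be examined in the evaluation.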

Feedback to the person who reported the incident

Once the problem has been resolved, the parties who discovered the security incident and reported it to the responsible experts should also be informed of the damage which occurred and the measures which were taken. This will demonstrate that such reports are taken seriously and encourage reporting of similar cases in the future. It might also be appropriate to praise or reward correct reporting in order to bring home to staff just how important it is to report security incidents.

Motivation of perpetrator

If it turns out that the security incident was due to deliberate action, the perpetrator's motivation should be investigated. The motivation is especially important when an insider is involved. If it transpires that the cause lies in the organisational environment, Management should be notified of this, as it can then be expected that mistakes and/or deliberate action will occur again.

Depending on the relevance of the evaluation results, Management should be informed so that it can arrange for improvements. It can therefore be sensible to have this evaluation performed by an organisational unit which is not part of the reporting plan.

Development of instructions on actions to be taken

As part of the evaluation of a security incident, it is useful to use the results to prepare instructions on actions to be taken, or to review the procedures to be followed, in the event that a similar security incident occurs again. Once practical experience of the problems is available, instructions on actions to be taken can be developed more efficiently than when the authors are working on a purely theoretical basis. The security incident which occurred also shows that there is a specific need for instructions on the actions to be taken for this type of security incident. Instructions so prepared should be communicated to the relevant groups of persons in an appropriate manner.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
January 2000