S 6.68 Testing the effectiveness of the management system for the handling of security incidents

Initiation responsibility: IT Security Management

Implementation responsibility: IT Security Management, IT Security Auditor

The management system for handling security incidents must be checked at regular intervals to ensure that it is up-to-date and effective. In addition, the measures incorporated within it should be regularly tested to see whether

• they are known to the staff concerned,

• it is feasible to implement them under stress, i.e. in the event of a security incident which prevents operations from running in the proper manner, and

• they can be integrated into operating procedures.

To test the effectiveness of the management system, damaging events should be simulated in order to review whether defined procedures are being adhered to or whether it is actually feasible to implement them. If they are not actually implementable, appropriate changes must be made.

To test this, both announced and unannounced exercises/practice runs can be held.

When exercises/practice runs are carried out unannounced, under no circumstances must any actions be triggered which could result in any damage to IT systems, data or otherwise, either of a permanent nature or which can only be rectified with difficulty.

Before beginning any exercise/practice run, careful consideration should be given as to who should receive advance notice of it. It is essential to ensure that the exercise/practice run is authorised by Management. It can sometimes be useful not to inform certain person groups, e.g. entrance control staff or administrators. However, steps should be taken to ensure that this does not prevent the situation from remaining under control. Alarming the police or fire department or cutting back the network connections of the authority/company should thus be avoided.

Examples:

• Phone the switchboard of your company/authority and pretend to be a hacker who has broken into the internal network. Alternatively, you could pretend to be a journalist who claims to have heard that a hacker has broken into the internal network and copied sensitive data. The staff who would typically be called in in such cases, such as the Press Officer or the Head of the IT Section, could also be phoned. The aim of such a phonecall should be to find out whether internal panic breaks out or whether actions which would be adequate for such a case are implemented in a purposeful fashion.

• All the actions and reporting channels which are supposed to be employed in a case of infection with a computer virus could be tested in one day. Those involved should not necessarily all be informed in advance, but at the latest at the point where they are integrated into the action chain.

Additional controls:

• What exercises/practice runs were last carried out?

• Are exercises/practice runs agreed with Management in advance?