3.8 Handling of security incidents

To maintain IT security in ongoing operations, an organisation needs a developed and practised policy for the handling of security incidents. A security incident is an event whose impact could cause significant loss or damage. To prevent or contain such loss or damage, security incidents should be dealt with swiftly and efficiently; if a predefined procedure is available to be invoked, reaction times can be minimised. The loss or damage caused by a security incident can affect the confidentiality and integrity of data as well as its availability.

A special part of security incident handling is the contingency planning concept (see Section 3.3). In a contingency planning concept, the effects of failure of critical components in particular IT systems are analysed in advance and a procedure for ensuring that availability is maintained or can be restored is specified.

Security incidents can, for example, be triggered by

All types of security incident must be tackled in an appropriate manner. This applies both to security incidents against which it is possible to take specific protective measures, e.g. computer viruses, and also to security incidents which affect the organisation unexpectedly.

This chapter presents a systematic approach to drawing up a policy for the handling of security incidents and to ensuring that the policy is implemented and integrated within an organisation. The effort involved in preparing and implementing such a policy is not trivial. This chapter should therefore be considered mainly where relatively large IT systems are used and/or for systems on which the organisation is especially reliant.

Threat Scenario

Security incidents can be triggered by a number of threats. The catalogue of threats contains a large collection of threats which can cause major or minor security incidents.

A great deal of damage can result from these threats if no suitable procedures for handling them have been developed. This chapter therefore considers the following threat as representative of all the threats which can occur in the field of security incidents:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in Sections 2.3 and 2.4, is recommended.

To establish an effective system for handling security incidents, a number of steps must be taken. These steps are described in safeguard S 6.58 Establishment of a management system for handling security incidents and are explained in the safeguards which follow it. Hence it is best to start with implementation of safeguard S 6.58.

The safeguards relating to the area of "Handling of security incidents" are listed below.

Contingency Planning

© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 29 June 2000