IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
Once the procedural rules have been specified, the reporting channels must
also be defined. We recommend proceeding on the following lines:
- In cases of force majeure such as fire, water, power failure, break-in and
theft, the relevant local services should be informed (fire department, site
technical service, entrance control staff, security guards etc.).
- In cases of hardware problems or irregularities in the operation of IT
systems, the responsible IT Administrator should be informed.
- In cases of suspected wilful action and events which cannot be explained
by any other means (e.g. manipulation of data, unauthorised exercise of
permissions, suspected espionage or sabotage), the IT Security Officer
and/or IT Security Management must be informed.
It is especially important here that all employees know whom to contact and
the reporting channels which apply to all types of security incident. For
example, a list of names, telephone numbers and e-mail addresses of the
relevant points of contact could be included in the internal telephone directory
or on the Intranet. However, it must not be difficult to report one's suspicions,
nor must this entail any longwinded procedure. Fast and secure
communication connections must be available for this purpose. The
authenticity of the communication partner must be assured and the
information reported concerning the suspicious occurrences must be treated as
confidential.
All staff should also be informed that information regarding the security
incident may only be divulged to third parties via IT Security Management
(see S 6.65 Notification of the parties affected).
Exercises or practice runs should be held sporadically to check whether the
procedural rules for security incidents are appropriate and can be implemented
and whether all staff are aware of them (see also S 6.68 Testing the
effectiveness of the management system for the handling of security incidents).
Experience of security incidents shows how important a good operating
environment and a healthy communications culture are for the prompt and
frank reporting of security incidents (see also S 3.8 Avoidance of factors
impairing the organisation climate).
One possible way of informing all employees affected of the procedural rules
and reporting plan is to issue an information sheet signed by the Management,
on which the most important information is summarised. This can be held at
the workplace and additionally on the Intranet. An example of such an
information sheet can be found in the help available on the IT Baseline
Protection Manual CD-ROM (directory ...\HILFSMI\15VERHAL.DOC). To
ensure that the information is actually available when the real thing happens,
we do not advise distributing this information sheet only in electronic form as
the electronic version itself could then be affected by the security incident.
All information sheets on potential security incidents must be immediately
updated whenever a relevant change takes place in the organisation, in order
that the procedural rules described in them remain applicable and the reporting
channels are correct.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Make reporting channels
known
Perform practice runs
Leaflet containing
reporting plan and the
most important
procedural rules