IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
Example of how the results of prioritisation might appear where ranking is
used:
Damage category Damage /
loss =
medium
Violation of laws, regulations or
contracts
Impairment of the right to
informational self-determination
Impairment of the physical integrity
of a person
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Damage /
loss = high
Damage /
loss = very
high
13 12 11
8 6 3
5 2 1
Impaired performance of duties 15 14 7
Negative effects on external
relationships
17 9 4
Financial consequences 18 16 10
This priority assignment must be approved by Management and put into
effect. The approved priority assignment must be notified to all persons who
would need to make decisions in connection with handling security incidents.
In the event that a security incident occurs, the priority assignment is used as
follows. Once the security incident has been investigated and assessed, an
estimate can be made of the expected damage. The resulting damage figures
are then assigned to the known damage categories, following which they are
allocated to the classes "medium", "high" and "very high". The priority
assignment table indicates the order in which each type of damage should be
addressed. However, the prior assignment of priorities should be viewed only
as an initial guide. It may need to be adapted in individual cases.
Example
Suppose that in the above example, a hacker has succeeded in manipulating
the information on the Internet information server so that the municipal
authority appears in a bad light. This is spotted promptly, IT Security
Management is called in and the above damage assessment is carried out. The
results of the assessment might appear as follows:
Approval by
Management