IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 6.63 Investigation and assessment of a security
incident
Initiation responsibility: IT Security Management
Implementation responsibility: IT Security Management, IT Administrator,
IT Application Manager, Security Incident
Team
Not every security incident is recognised as such immediately. Especially
where targeted and wilful attacks are aimed at IT systems, many security
incidents only come to light days or weeks after the event. False alarms are
also a common occurrence, e.g. because hardware or software problems have
been wrongly interpreted as cases of infection with computer viruses.
However, in order to be able to investigate and assess a security-relevant
irregularity, it is necessary that certain preliminary assessments have already
been carried out. These include:
- ascertaining the existing IT structure and IT network,
- ascertaining the point of contacts and users of the IT systems,
- ascertaining the IT applications on the IT systems concerned, and
- defining the protection requirements of the IT systems.
These investigations are carried out as the first stage of using the IT Baseline
Protection Manual (see Section 2.2) and the results should therefore be
available to IT Security Management.
Following receipt of an incoming report, the above information can be used to
decide quickly which IT system is affected, and what IT applications and
protection requirements are involved. At the same time, since the point of
contact is known, this person can be called in quickly to assist with making
the appropriate decisions.
Should it transpire that an IT system or an IT application with a high-level
protection requirement is affected, then the matter should be regarded as a
security incident and the predefined steps required to handle it must be
implemented. On the other hand, if only IT applications and IT systems
having a low protection requirement are affected, an attempt can be made to
resolve the security problem locally.
If it appears that the security incident could have serious consequences and is
sufficiently complex, it may be appropriate to call in the Security Incident
Team without delay (see S 6.59 Specification of responsibilities for dealing
with security incidents).
The following factors should be ascertained as a first step to investigating and
assessing the security incident:
- What additional IT systems and IT applications could be affected by the
security incident?
- Could any consequential damage also occur through networking of the IT
systems?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
How much is affected?
Mobilising the Security
Incident Team