IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 6.68 Testing the effectiveness of the management
system for the handling of security incidents
Initiation responsibility: IT Security Management
Implementation responsibility: IT Security Management, IT Security Auditor
The management system for handling security incidents must be checked at
regular intervals to ensure that it is up-to-date and effective. In addition, the
measures incorporated within it should be regularly tested to see whether
- they are known to the staff concerned,
- it is feasible to implement them under stress, i.e. in the event of a security
incident which prevents operations from running in the proper manner, and
- they can be integrated into operating procedures.
To test the effectiveness of the management system, damaging events should
be simulated in order to review whether defined procedures are being adhered
to or whether it is actually feasible to implement them. If they are not actually
implementable, appropriate changes must be made.
To test this, both announced and unannounced exercises/practice runs can be
held.
When exercises/practice runs are carried out unannounced, under no
circumstances must any actions be triggered which could result in any damage
to IT systems, data or otherwise, either of a permanent nature or which can
only be rectified with difficulty.
Before beginning any exercise/practice run, careful consideration should be
given as to who should receive advance notice of it. It is essential to ensure
that the exercise/practice run is authorised by Management. It can sometimes
be useful not to inform certain person groups, e.g. entrance control staff or
administrators. However, steps should be taken to ensure that this does not
prevent the situation from remaining under control. Alarming the police or fire
department or cutting back the network connections of the authority/company
should thus be avoided.
Examples:
- Phone the switchboard of your company/authority and pretend to be a
hacker who has broken into the internal network. Alternatively, you could
pretend to be a journalist who claims to have heard that a hacker has
broken into the internal network and copied sensitive data. The staff who
would typically be called in in such cases, such as the Press Officer or the
Head of the IT Section, could also be phoned. The aim of such a phonecall
should be to find out whether internal panic breaks out or whether actions
which would be adequate for such a case are implemented in a purposeful
fashion.
- All the actions and reporting channels which are supposed to be employed
in a case of infection with a computer virus could be tested in one day.
Those involved should not necessarily all be informed in advance, but at
the latest at the point where they are integrated into the action chain.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Review of the
management system
Practice runs must not
result in any damage
Simulated damaging
events