Information for IT staff: Catalog of measures for emergency management - Focus on IT emergencies

Note

The Alliance for Cybersecurity has published a 3-page catalog of measures for the introduction of emergency management with a focus on IT emergencies.

Download the document: www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/ACS/Notfallkarte/Massnahmenkatalog_Notfallmanagement.pdf

Please note: in the event of an IT emergency, please always inform the CIO of TU Braunschweig and the Gauss IT Center at the e-mail address informationssicherheit@tu-braunschweig.de and/or the IT Service Desk by telephone (0531-391-)555555.

From the foreword:

The catalog of measures for emergency management is primarily aimed at managing directors and IT managers in small and medium-sized companies - regardless of the level of existing IT expertise. You can use this help to get started with emergency management. Additional resources and contact options are pointed out at suitable points - also in the event that you need support for dealing with IT emergencies.

Comprehensive emergency management is not limited to the failure of information technology (IT) resources, but also considers the failure of personnel, infrastructure (e.g. buildings and facilities) and service providers. The catalog of measures focuses on IT emergencies and divides the selected measures into four phases: preparation, preparedness, management and follow-up. All points are formulated in an action-oriented manner.

In order to pursue a holistic cyber security strategy, you should establish an information security management system (ISMS) in accordance with recognized standards. An ISMS is usefully supplemented by emergency management/business continuity management (BCM). This management process is the responsibility of the emergency response officers and includes, among other things, the creation of the following products:

  • a guideline on emergency management,
  • an emergency preparedness concept and
  • an emergency manual.

A complete emergency management/BCM is not limited to the failure of information technology resources, but also considers the failure of personnel, infrastructure (e.g. buildings and facilities) and service providers. The catalog of measures is limited to IT emergencies and is primarily aimed at managing directors and IT managers in small and medium-sized companies who want to

  • organize their entry into this topic,
  • face the many threats posed by advancing digitalization and
  • increase their company's cyber resilience through IT emergency management.

  • Appoint representatives for information security and emergency management in your company, preferably not in the same position.
  • Both work closely together in the event of IT emergencies.
  • In this context, ensure that you have defined your individual, case-related initial measures for an IT emergency (including alerting and reporting channels).
  • Identify time-critical business processes and assets (crown jewels) as part of a structured process (recommendation: Business Impact Analysis (BIA)) and prioritize the implementation of protective measures for these.
  • Clarify with your IT service providers for which IT incidents support can be provided (distributed denial of service (DDoS), ransomware, online fraud, hacking of the website, etc.).
  • Identify service providers who can provide you with suitable support in the event of IT emergencies and contact them in advance. Prepare a list of all contact persons and make preliminary arrangements with them (e.g. reachability, availability, service level agreement if applicable).
  • Establish rules for internal and external communication. Successful press and public relations work during an IT emergency can significantly limit any damage to your image. Service providers offer support in this area. Check in advance whether you would like to take advantage of such offers and contact them at an early stage.
  • If possible, implement active monitoring measures for your IT landscape. This could also be done by IT service providers (Security Operations Center as a Service). Observe data protection regulations and make your measures transparent for the workforce (works council/staff council).
  • Practice IT emergency scenarios of all kinds (IT failures, cyber attacks, etc.) and have your IT infrastructure tested for vulnerabilities (penetration test). Practice will help you gain professionalism and competence.
  • Train and sensitize your entire staff in dealing with IT systems and cyber threats and on how to behave in the event of an IT emergency.
  • Provide in-depth training for those who are responsible for dealing with IT emergencies.
  • Think about the basic protective measures for your IT infrastructure:
    • Install patches and security updates regularly.
    • Use programs to protect against malware and update them regularly.
    • Use firewalls to protect your networks and computers from external attacks.
    • Always change default passwords in all components and use secure passwords and, if possible, two-factor authentication.
    • Create regular backups of your data to protect it from loss and regularly test their recovery.
  • Inventory and document your IT infrastructure (e.g. network plan).
  • Assign restrictive user rights to your IT systems. Protect particularly privileged user accounts and administrator accounts, e.g. with two-factor authentication.
  • Take an equally restrictive approach to networking your IT systems (network segmentation).
  • Prepare reporting channels so that you can meet your reporting obligations in a timely manner during an IT emergency.
  • Check the security status of your IT systems at regular intervals.
  • Make sure that your staff know the right contact person for IT emergencies and are confident in their actions.
  • At this point, we recommend using the IT emergency card.
    • Determine the appropriate first point of contact for IT emergencies in your company. This can be your trained staff or an IT service provider.
    • Ensure that you can be reached during your company's relevant working hours. Cyber attacks are often detected on Friday afternoons.
  • Remember that not every hardware or software malfunction is a cyber attack. Nevertheless, the failure of an IT system may be due to a cyber attack.


Determining the entry point (patient zero; the first compromised system) of a cyber attack is time-consuming but valuable. In addition, only a complete assessment of the extent of the compromise and its complete elimination will ensure that business processes can be restarted safely.

  • Keep calm.
  • Immediately get in touch with all contacts in the organization that you need to deal with the situation.
  • If necessary, ask affected users about their observations and activities.
  • Contact an IT service provider who can help you deal with the emergency.
  • It is best to collect and back up system logs, log files, notes, photos of screen contents, data carriers and other digital information before you start an analysis on the systems. This data is essential in the event of a forensic evaluation (including criminal charges).
  • Continuously document all facts related to the IT emergency.
  • Consider contacting the Central Contact Point for Cybercrime (ZAC) at the State Office of Criminal Investigation in your federal state (only for companies) and filing a report.
  • You should also consider voluntarily reporting the IT emergency to the Alliance for Cyber Security reporting office.
  • Observe reporting obligations: data protection, KRITIS, etc.
  • After a cyber attack, monitor your network and IT systems particularly closely for unusual activity to ensure that your systems are working properly again and to detect a possible repeat attempt in good time.
  • Lessons learned: check whether there are regulations, measures or processes that need to be optimized and secured.
  • Always keep your emergency management documentation up to date.
  • Close vulnerabilities and security gaps uncovered by the IT emergency.
  • Continuously develop your IT security architecture - your systems, networks and documents.