DER.4 Emergency Management
Description
Introduction
In emergencies, institutions must continue to be able to access information in order to restore a business process, an IT system, or a specialist task. To be able to maintain information security even in an emergency, the corresponding processes should therefore be planned, established, and reviewed.
Only when a planned and organized approach is taken is optimal emergency preparedness and emergency management possible. A professional emergency management process reduces the impact of an emergency and thus secures the operation and continued existence of the institution. Appropriate measures must be identified and implemented that make time-critical business processes and specialist tasks more robust and resilient on the one hand, and that enable an emergency to be managed quickly and purposefully on the other.
Maintaining information security in an emergency must be embedded in overarching emergency management, ideally in a dedicated emergency management system. Emergency management, however, has its own process owner, the Emergency Officer, who coordinates with the ISO.
Objective
The objective of this building block is to describe requirements for ensuring information security in institutions even in critical situations. For this purpose, the corresponding measures must be embedded in a holistic emergency management system. In addition, all aspects must be considered that are necessary to maintain information security even in the event of damage or emergencies. This ranges from the planning to the review of all processes.
Scope and Modeling
The building block DER.4 Emergency Management is always to be applied once to the entire information network.
When a damaging event occurs, the right information must be available completely and correctly. The present building block does not elaborate on any criteria or processes by which those responsible can decide whether an emergency exists or not. The decision is made during security incident handling (see DER.2.1 Security Incident Handling).
Crises are addressed within the framework of separate crisis management and are only treated as an interface in this building block, for example in the context of further escalation of emergencies. Further information on the individual phases of emergency management and the demarcation of emergency management from crisis management is contained in BSI Standard 100-4 “Emergency Management”.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block DER.4 Emergency Management.
Personnel Failure
If personnel fail, this can quickly mean that an institution can no longer carry out its specialist tasks and business processes. The reasons for personnel failure can be varied. Contamination in a cafeteria or a strike can, for example, cause many employees to be absent simultaneously. The death of an employee can also lead to outages or impairment of important business processes or specialist tasks. In addition, relevant information for restarting the business process or IT systems may no longer be accessible. Individuals often possess specific expert knowledge (key person dependencies), so that damage can occur even when the number of absent employees is very small.
IT System Failure
If components of an IT system fail — for example due to defective hardware or a power outage — the entire IT operations can be disrupted. This jeopardizes the availability of the respective information and thus also the respective business process. In addition, important information needed for recovery measures may not be available.
Failure of a Wide Area Network (WAN)
The causes of a Wide Area Network (WAN) failure can be varied. It is therefore possible that a network failure affects only individual users, a single provider, or a specific region. Such outages often only cause brief disruptions and then only affect business processes and specialist tasks that require a correspondingly high level of WAN availability. However, there are also recurring longer outages that can cause massive problems in communication and reachability.
Failure of a Building
Buildings can become unexpectedly unusable — for example, because they have been partially or completely destroyed by fire, storm, flooding, earthquake, or an explosion. A building can also become unusable because the police or fire department cordons off the surrounding area and the building can no longer be entered or must be evacuated — for example, because power, water, wastewater, heating, or air conditioning have ceased to function for a period of time.
Failure of a Delivery or Service
If institutions are dependent on services, this can quickly lead to interruptions in their own operational continuity if the service-providing or delivery institution partially or completely fails. For example, if a specific raw material delivery is needed for production and that delivery fails, the entire production may be at risk. However, the failure of an externally provided service, such as cloud services or email, can also severely restrict or even completely interrupt the institution’s own operations. This particularly endangers critical business processes and specialist tasks.
Requirements
The following are the specific requirements of building block DER.4 Emergency Management. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is reasonable and appropriate.
| Responsibilities | Roles |
|---|---|
| Primary responsibility | Emergency Officer |
| Additional responsibilities | Information Security Officer (ISO), Supervisors, Top Management, HR Department |
Exactly one role should be primarily responsible. In addition, there may be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
Standard Requirements
Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.
DER.4.A1 Creation of an Emergency Manual (S)
An emergency manual SHOULD be created containing the most important information on:
- Roles,
- Immediate measures,
- Alerting and escalation, and
- Communication plans, general business continuity plans, restart plans, and recovery plans.
Responsibilities and authorities SHOULD be assigned, communicated, and recorded in the emergency manual. It SHOULD be ensured that appropriately trained personnel are available in an emergency. It SHOULD be regularly verified through tests and exercises whether the measures described in the emergency manual function as intended.
It SHOULD be regularly checked whether the emergency manual is still current. It SHOULD be updated as necessary. It SHOULD also be accessible in an emergency. The emergency manual SHOULD be supplemented with behavioral guidelines for specific situations, such as fire. The guidelines SHOULD be made known to all employees.
DER.4.A2 Integration of Emergency Management and Information Security Management (S) [Information Security Officer (ISO)]
The processes in security management SHOULD be coordinated with emergency management (see DER.2.1 Security Incident Handling).
Requirements for High Protection Needs
The following are exemplary proposals for requirements that go beyond the level of protection corresponding to the state of the art for this building block. The proposals SHOULD be considered when there are elevated protection needs. The specific determination is made within the framework of an individual risk analysis.
DER.4.A3 Definition of the Scope and the Emergency Management Strategy (H) [Top Management]
The scope of the emergency management system SHOULD be clearly defined. Top Management SHOULD establish an emergency management strategy that sets out the intended objectives and the risk acceptance level.
DER.4.A4 Emergency Management Policy and Assumption of Overall Responsibility by Top Management (H) [Top Management]
Top Management SHOULD adopt an emergency management policy. This SHOULD contain the key cornerstones of emergency management. The emergency management policy SHOULD be regularly reviewed and revised if necessary. It SHOULD be made known to all employees.
DER.4.A5 Establishment of a Suitable Organizational Structure for Emergency Management (H) [Top Management]
The roles for emergency management SHOULD be defined appropriately for the institution’s circumstances. This SHOULD be documented in writing together with the tasks, duties, and competencies of the roles. Qualified employees SHOULD be designated for all roles in emergency management. The organizational structure in emergency management SHOULD be regularly reviewed to determine whether it is practical, effective, and efficient.
DER.4.A6 Provision of Adequate Resources for Emergency Management (H) [Top Management]
The financial, technical, and personnel resources for the intended objectives of emergency management SHOULD be adequate. The Emergency Officer or the emergency management team SHOULD have sufficient time for emergency management tasks.
DER.4.A7 Creation of an Emergency Concept (H) [Top Management]
All critical business processes and resources SHOULD be identified, for example using a Business Impact Analysis (BIA). The most important relevant risks for critical business processes and specialist tasks and their resources SHOULD be identified. For each identified risk, it SHOULD be decided which risk strategies are to be used for risk treatment. Continuity strategies SHOULD be developed that enable the restart and recovery of critical business processes within the required time. An emergency concept SHOULD be created. Emergency plans and measures SHOULD be developed and implemented that enable effective emergency management and a quick resumption of critical business processes. The emergency concept SHOULD take information security into account and corresponding security concepts SHOULD be developed for emergency solutions.
DER.4.A8 Integration of Employees into the Emergency Management Process (H) [Supervisors, HR Department]
All employees SHOULD be regularly sensitized to the topic of emergency management. A training and awareness concept SHOULD be created for emergency management. Employees in the emergency management team SHOULD be regularly trained to build the required competencies.
DER.4.A9 Integration of Emergency Management into Organization-Wide Processes and Procedures (H) [Top Management]
It SHOULD be ensured that aspects of emergency management are taken into account in all business processes and specialist tasks of the institution. The processes, specifications, and responsibilities in emergency management SHOULD be coordinated with risk management and crisis management.
DER.4.A10 Tests and Emergency Exercises (H) [Top Management]
All essential immediate measures and emergency plans SHOULD be regularly tested and practiced in an appropriate manner, both on a scheduled and event-driven basis. The time frame and subject-matter coverage of all exercises SHOULD be documented comprehensively in an exercise plan. In emergency management, sufficient resources SHOULD be provided for the planning, design, conduct, and evaluation of tests and exercises.
DER.4.A11 DISCONTINUED (H)
This requirement has been discontinued.
DER.4.A12 Documentation in the Emergency Management Process (H)
The course of the emergency management process, the work results of the individual phases, and important decisions SHOULD be documented. An established procedure SHOULD ensure that these documents are regularly updated. Furthermore, access to the documentation SHOULD be restricted to authorized persons.
DER.4.A13 Review and Control of the Emergency Management System (H) [Top Management]
Top Management SHOULD regularly inform itself about the status of emergency management by means of management reports. In this way, Top Management SHOULD regularly review, evaluate, and where necessary correct the emergency management system.
DER.4.A14 Regular Review and Improvement of Emergency Measures (H) [Top Management]
All emergency measures SHOULD be regularly reviewed — or reviewed after major changes — to determine whether they are still being adhered to and correctly implemented. It SHOULD be checked whether they are still suitable for achieving the defined objectives.
In doing so, it SHOULD be investigated whether technical measures have been correctly implemented and configured, and whether organizational measures have been effectively and efficiently implemented. If deviations are found, the causes of the deficiencies SHOULD be determined and improvement measures SHOULD be initiated. A summary of the review results SHOULD be approved by Top Management. A process SHOULD also be established that controls and monitors whether and how the improvement measures are implemented. Delays SHOULD be reported to Top Management at an early stage.
Top Management SHOULD have established how the reviews are coordinated. Reviews SHOULD be planned in such a way that no relevant area is omitted. In particular, the reviews conducted in the areas of auditing, IT, security management, information security management, and emergency management SHOULD be coordinated with one another. For this purpose, it SHOULD be regulated which measures are reviewed when and by whom.
DER.4.A15 Assessment of the Performance Capability of the Emergency Management System (H) [Top Management]
The performance capability and effectiveness of the emergency management system SHOULD be regularly assessed. Measurement and assessment criteria, such as key performance indicators, SHOULD be defined as the basis for this. These metrics SHOULD be regularly determined and compared with appropriate previous values, at minimum with the values from the previous year. If values deviate negatively, the causes SHOULD be identified and improvement measures defined. The results of the assessment SHOULD be reported to Top Management.
Top Management SHOULD decide what measures are to be used to further develop emergency management. All decisions of Top Management SHOULD be documented and the existing records updated.
DER.4.A16 Emergency Preparedness and Emergency Response Planning for Outsourced Components (H) [Top Management]
For emergency preparedness and emergency response planning for outsourced components, the emergency management of the delivering or service-providing institution SHOULD be regularly reviewed in the signed contracts. The processes for emergency tests and exercises SHOULD also be coordinated with the delivering or providing institution and, where appropriate, conducted jointly.
The results and evaluations SHOULD be regularly exchanged between Top Management and the delivering institutions or service providers. The evaluations SHOULD also contain any improvement measures.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides requirements for ensuring information security in an emergency in standard ISO/IEC 27001:2013 “Information technology - Security techniques - Information security management systems - Requirements” in Annex A.17 “Information security aspects of business continuity management”.
The International Organization for Standardization (ISO) provides a framework for Business Continuity Management (BCM) in standard ISO/IEC 22301:2012 “Societal security - Business continuity management systems - Requirements”, into which the requirements from the above-mentioned standard ISO/IEC 27001:2013 can be integrated, for example.
BSI Standard 100-4 “Emergency Management” describes how BCM can be established, maintained, and continuously improved.
The implementation framework for emergency management according to BSI Standard 100-4 (UMRA) published by the BSI contains further tools to facilitate the establishment of a BCMS.
In addition, the web course “Emergency Management” based on BSI Standard 100-4 provides an introduction to the topic.
The Information Security Forum (ISF) provides requirements on business continuity in the category BC (Business Continuity) of its standard “The Standard of Good Practice for Information Security”. Among other things, it requires there that the continuity strategy be aligned with the information security strategy.
The National Institute of Standards and Technology (NIST) provides in its Special Publication 800-34, Rev. 1, “Contingency Planning Guide for Federal Information Systems” a guide for creating a continuity plan for (federal) information systems that also takes information security into account. In addition, this document also provides information on the relationships between such a continuity plan for information systems and other types of security- and emergency-management-related continuity plans, such as a Business Continuity Plan.