The Alliance for Cybersecurity has published a 3-page action catalogue for the introduction of emergency management with a focus on IT emergencies.

Download the document: https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/ACS/Notfallkarte/Massnahmenkatalog_Notfallmanagement.pdf?__blob=publicationFile&v=7

Please note: in case of an IT emergency, please inform in any case the CISO of the TU Braunschweig and the Gauss IT Centre under the e-mail address informationssicherheit@tu-braunschweig.de and/or the IT Service Desk under telephone (0531-391-)555555.

From the preface:

The catalogue of measures for emergency management is primarily aimed at managing directors and IT managers in small and medium-sized enterprises – regardless of the extent of their existing IT expertise. With this help, you can shape your entry into emergency management. At appropriate points, attention is drawn to additional resources and contact possibilities – also in the event that you need support in dealing with IT emergencies.

Holistic emergency management is not limited to the failure of the resource information technology (IT), but also considers the failure of the resources personnel, infrastructure (e.g. buildings and facilities) and service providers. The catalogue of measures focuses on IT emergencies and divides the selected measures into the four phases of preparation, readiness, management and follow-up. All points are formulated in an action-oriented manner

In order to pursue a holistic cyber security strategy, you should establish an information security management system (ISMS) according to recognised standards. An ISMS is usefully complemented by an emergency management/business continuity management (BCM). This management process is the responsibility of the emergency officers and includes, among other things, the creation of

• a guideline on emergency management,
• development of an emergency preparedness concept and
• an emergency manual.

A complete emergency management/BCM is not limited to the failure of the resource information technology, but also considers the failure of the resources personnel, infrastructure (e.g. buildings and facilities) and service providers. The catalogue of measures is limited to IT emergencies and is primarily aimed at managing directors and IT managers in small and medium-sized enterprises who want to

• want to get started with this topic,
• want to face up to the various threats arising from advancing digitalisation, and
• want to increase the cyber resilience of their company through IT emergency management.

• Appoint representatives for information security and emergency management in your company, if possible not in one person. Both work closely together in IT emergencies.
• In this context, make sure that you have your individual and case-related initial measures in the event of an IT emergency (including alerting and reporting channels).
• Identify time-critical business processes and assets (crown jewels) within the framework of a structured process (recommendation: Business Impact Analysis (BIA)) and implement protective measures for these in a prioritised manner.
• Clarify with your IT service providers for which IT incidents support can be provided (distributed denial of service (DDoS), ransomware, online fraud, website hacking, etc.).
• Identify service providers who can support you in IT emergencies and contact them in advance.
• Make a list of all contact persons and make preliminary arrangements with them (e.g. accessibility, availability, service level agreement if necessary).
• Establish rules for internal and external communication. Successful press and public relations work during an IT emergency can considerably limit any damage to your image. Service providers offer support in this area. Check in advance whether you would like to make use of such offers and contact them at an early stage.
• If possible, implement active monitoring measures for your IT landscape. This could also be done by IT service providers (Security Operations Centre as a Service). Observe data protection regulations and make your measures transparent for the staff (works/staff council).
• Practise IT emergency scenarios of all kinds (IT failures, cyber attacks, etc.) and have your IT infrastructure tested for vulnerability (penetration test). Through practice, you will gain professionalism and competence.
• Train and sensitise your entire staff on how to deal with IT systems and cyber threats and how to behave in an IT emergency.
• Conduct in-depth training for those tasked with managing IT emergencies.
• Remember the basic protective measures for your IT infrastructure:
  • Install patches and security updates regularly.
  • Use programmes to protect against malware and update them regularly.
  • Use firewalls to protect your networks and computers from outside attacks.
  • In any case, change default passwords in any components and use strong passwords and, if possible, two-factor authentication.
  • Regularly create backups of your data to protect against loss and regularly test their recovery.
• Inventory and document your IT infrastructure (including a network plan).
• Assign restrictive user rights to your IT systems. Protect particularly privileged user accounts and administrator accounts, e.g. through two-factor authentication.
• Take an equally restrictive approach to networking your IT systems (network segmentation).
  Prepare reporting channels so that you can meet your reporting obligations in a timely manner during an IT emergency.

• Check the security status of your IT systems at regular intervals.
• Make sure that your staff know the right contact person for IT emergencies and are confident in their actions.
• At this point we recommend the use of the IT emergency card.
  • Determine the appropriate first contact for IT emergencies for your organisation. This can be your trained staff or an IT service provider.
  • Ensure accessibility during relevant working hours of your company. Cyber attacks are not infrequently detected on Friday afternoons.
• Remember that not every hardware or software malfunction is a cyber-attack. Nevertheless, the failure of an IT system can be due to a cyber attack.

Determining the point of entry (patient zero; the first compromised system) of a cyber attack is time-consuming, but valuable at the same time. Moreover, only a complete survey of the extent of the compromise and its complete elimination will ensure a safe restart of business processes.

• Keep calm.
• Immediately contact all the people in the organisation you need to deal with the situation.
• If necessary, question affected users about observations and activities.
• Contact an IT service provider who can help you deal with the emergency.
• It is best to collect and back up system logs, log files, notes, photos of screen contents, data media and other digital information before starting an analysis on the systems. This data is essential in the event of a forensic evaluation (including criminal charges).
• Document all facts related to the IT emergency on an ongoing basis.
• Check contacting the Central Contact Point for Cybercrime (ZAC) at the State Criminal Police Office of your federal state (only for companies) and filing a report.
• In addition, check a voluntary report of the IT emergency to the reporting office of the Alliance for Cyber Security.
• Observe reporting obligations: Data protection, CRITIS, etc.

• After a cyber attack, monitor and supervise your network and IT systems particularly intensively for unusual activities to ensure that your systems are functioning properly again and to detect a possible repeat attempt in good time.
• Lessons Learned; check if there are regulations, measures or processes that need to be optimised and secured.
• Always keep your emergency management documentation up to date.
• Close vulnerabilities and security gaps revealed by the IT emergency.
• Continuously develop your IT security architecture – your systems, networks and documents.