The Standard

Evidence and Customer Relation

This chapter provides details on the areas in the cluster “Evidence and Customer Relation” of the taxonomy by giving a more in-depth profile of each IT Security Standard. The profiles spell out the challenges concerning information security and summarize the major security objectives. In addition, dependencies on other areas are briefly explained.

Cluster: Evidence and Customer Relation. Vulnerability Management, Management of Security Information, Events and Incidents, as well as secure communication with customers.

IT Security Standard: Customer Communication and Security
Abbr.: CCS
IT components and major areas: All procedures that establish the communication with customers and all means used to secure this electronic communication. Included here are non-disclosure agreements and encryption technology for e-mails.

Scope and Content:

  • When the IT service provider is contracted to provide IT services for customers, sensitive or confidential information is exchanged between the two parties. Such information comprises business-related information and other internal facts about the customer, as well as details on the supplying party and its IT service delivery that are considered intellectual property and are to be kept confidential.
  • When the IT service provider takes over IT service delivery from customers, data and IT systems are often transferred to the IT service provider in the so-called transition phase.
  • When the IT service provider delivers IT services for customers, information needs to be exchanged for effective service delivery management: to make changes, to resolve problems and to foster the cooperation.

Goals and Objectives:

  • Essential interests of both the IT service consuming party and the IT service provider shall be respected, maintained, considered and balanced. This requires appropriate transparency as well as clear statements and regulations, usually expressed in written or even signed agreements.
  • The parties are reminded that definitions of security and IT-related terms may differ between organizations. Hence, aligning understanding and practices is an essential prerequisite for comprehensive security. Complex services usually require the elaboration of a security concept based on ESARIS measures, practices and processes.
  • The parties shall agree on the classification of information before the information exchange takes place. Non-disclosure and other agreements may be signed. The level of trust placed in communication channels such as telephone, fax and the exchange of media should be discussed and agreed on.
  • Appropriate means shall be provided and used to securely exchange customer data, documents and e-mails. All phases of the cooperation (starting from the bid phase) shall be considered, since each may involve specific circumstances that have to be taken into account. For example, security reporting may require a means for secure data delivery, encryption, masking or pseudonymization.
  • Measures have to be taken during the migration of systems or data in order to ensure the protection of the customer’s systems and data being migrated. A security concept or plan shall be developed that is valid for the duration of the migration and appropriately considers applicable security policies and regulations. Such a concept or plan should define scope, actions, milestones, responsibilities, expected results and validation methods, agreements on risk transfer and treatment, troubleshooting and recovery planning, planning of technical process steps (including freezing and testing), finalization and approval, as well as possible rework scenarios.
  • Hired or subcontracted personnel or companies must be appropriately informed, trained where necessary, and obliged to adhere to the applicable security policies. Breaches of security policy must be logged and pursued, and may in certain cases be subject to civil or criminal legal consequences. Note that contractor relations are subject to “Systems Acquisition and Contracting (SAC)”.
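The masking and pseudonymization mentioned for security reporting, as an added example in Python that is not part of the standard or of any ESARIS tooling. It assumes a report whose rows carry a user ID and a source address (the sample rows, user IDs and addresses are constructed), derives pseudonyms with a keyed HMAC so that a reader without the key cannot recompute tokens for guessed identifiers, masks addresses to their /24 network, and shows why an unkeyed hash is not a pseudonym when the identifier space is small enough to enumerate.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample rows of a security report as a provider might deliver
# them to a customer; the user IDs, hosts and addresses are invented.
SAMPLE_EVENTS = [
    {"user": "u0042", "src_ip": "10.20.30.41", "event": "failed_login", "count": 27},
    {"user": "u0042", "src_ip": "10.20.30.41", "event": "lockout", "count": 1},
    {"user": "u1337", "src_ip": "192.0.2.77", "event": "privilege_change", "count": 1},
]
TOKEN_LEN = 12  # hex characters kept from the digest (48 bits); a sample choice


def pseudonymize(value, key):
    """Keyed pseudonym (HMAC-SHA256). The same value yields the same token
    within one report, so events can still be linked, but without the key a
    reader cannot recompute tokens for guessed values."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def unkeyed_token(value):
    """What NOT to use: a plain hash, which anyone can recompute."""
    return hashlib.sha256(value.encode()).hexdigest()[:TOKEN_LEN]


def mask_ip(ip, keep_bits=24):
    """Masking: keep the network part of an address, drop the host part."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return f"{net.network_address}/{keep_bits}"


def prepare_report(events, key):
    """Pseudonymize user identifiers and mask source addresses for delivery."""
    return [
        {
            "user": pseudonymize(e["user"], key),
            "src_net": mask_ip(e["src_ip"]),
            "event": e["event"],
            "count": e["count"],
        }
        for e in events
    ]


def candidate_space():
    """The (small) identifier space of the sample: user IDs u0000..u9999."""
    return [f"u{i:04d}" for i in range(10000)]


def reidentify(token, candidates):
    """Dictionary attack a report reader can run against unkeyed tokens:
    recompute the plain hash of every plausible identifier and compare."""
    for c in candidates:
        if unkeyed_token(c) == token:
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # one fresh key per report or reporting period
    for row in prepare_report(SAMPLE_EVENTS, key):
        print(row)
    cands = candidate_space()
    print("unkeyed token recovered:", reidentify(unkeyed_token("u0042"), cands))
    print("keyed token recovered:", reidentify(pseudonymize("u0042", key), cands))
```

Use one fresh key per report or reporting period: the same key keeps the events of one user linkable within a report, a different key breaks linkage across reports, and the key itself is shared with nobody. The dictionary attack recovers u0042 from the unkeyed token immediately; against the HMAC token it returns nothing, because the reader would have to guess the key rather than the value.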

Primary External Support:

  • None
IT Security Standard: Vulnerability Assessment and Mitigation Planning
Abbr.: VAM
IT components and major areas: All activities relating to regular security testing and scanning of systems, software and their configuration, CERT services, evaluation of impacts and planning of corrective actions.

Scope and Content:

  • IT systems and components, as well as IT security solutions implemented for protection purposes, may have vulnerabilities that open doors for attacks. Vulnerabilities may result from flaws in design, missed patches/updates, unanticipated changes of usage and operating environment, or technical advances which may encourage new attack methods. IT systems and components may also be misconfigured, or the configuration itself may have been tampered with. Moreover, incorrect changes might be made by applying patches that are untested or not applied in the proper sequence.
  • Vulnerabilities arise from various sources and need to be identified and assessed before remedial measures can be taken.

Goals and Objectives:

  • Means and processes shall be applied for the identification of vulnerabilities. Vulnerability notification services and other sources, such as manufacturers’ announcements and release notes, shall be utilized for gathering information. Tools and testing shall be used to regularly search for vulnerabilities in IT systems and components. This may include integrity scanning, detection of unauthorized or incorrect changes to software or configurations, verification of version and patch status, automatic or manual testing of configurations and functions, and identification and tracking of intrusions and possible misuse.
  • Means and processes shall be applied for the assessment of vulnerabilities. Here, one determines whether and which part of the IT environment is affected, as well as the possible impact on operations and possibly on the business. A risk-based approach may be applied. This assessment is needed for prioritizing the shielding and remediation tasks that follow. It is important to identify the root cause of intrusions, misuse and attacks, regardless of whether the attempts are successful or not. Log and event data may be required to provide a comprehensive picture for analysis.
  • Means and processes shall be applied for the planning and implementation of corrective actions that either remediate or at least mitigate the vulnerabilities identified and assessed beforehand.
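The three steps of identification, assessment and planning of corrective actions, worked through in Python as an added example that is not part of the standard. The baseline, scan results, exposure ratings and advisory entries (ADV-1 to ADV-4) are constructed placeholders, and the routing of findings to SPM and IHF follows the dependencies named under Primary External Support but the labels are this example’s own. It verifies version and patch status against an advisory list, compares file digests against the provisioning baseline, ranks the applicable advisories by severity weighted with exposure, and emits a plan of corrective actions.

```python
import re

# Constructed data for one host. Package names, versions, paths, digests and
# advisory IDs are invented placeholders, not real measurements or advisories.
BASELINE = {
    "packages": {"openssh": "9.3", "nginx": "1.24.0", "libfoo": "2.1.0"},
    "files": {"/etc/ssh/sshd_config": "a" * 64, "/usr/sbin/nginx": "b" * 64},
}
SCAN = {
    "packages": {"openssh": "9.3", "nginx": "1.22.1", "libfoo": "2.1.0"},
    "files": {
        "/etc/ssh/sshd_config": "c" * 64,     # digest differs from baseline
        "/usr/sbin/nginx": "b" * 64,          # unchanged
        "/usr/local/bin/unknown": "d" * 64,   # not present at baseline
    },
    "exposure": {"nginx": "internet", "openssh": "internal", "libfoo": "internal"},
}
ADVISORIES = [
    {"id": "ADV-1", "package": "nginx", "fixed_in": "1.24.0", "severity": 7.5},
    {"id": "ADV-2", "package": "libfoo", "fixed_in": "2.0.5", "severity": 9.8},
    {"id": "ADV-3", "package": "openssh", "fixed_in": "9.4", "severity": 5.3},
    {"id": "ADV-4", "package": "notinstalled", "fixed_in": "1.0", "severity": 10.0},
]
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}


def version_tuple(v):
    """'1.24.0-r2' -> (1, 24, 0); release suffixes after '-' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def is_affected(installed, fixed_in):
    """Version and patch status verification: installed is older than the fix."""
    return version_tuple(installed) < version_tuple(fixed_in)


def match_advisories(scan, advisories):
    """Identification: advisories that apply to this host (installed and unpatched)."""
    found = []
    for adv in advisories:
        installed = scan["packages"].get(adv["package"])
        if installed is not None and is_affected(installed, adv["fixed_in"]):
            found.append({**adv, "installed": installed})
    return found


def integrity_findings(baseline, scan):
    """Integrity scanning: compare file digests against the baseline."""
    base, now = baseline["files"], scan["files"]
    return {
        "changed": sorted(p for p in now if p in base and base[p] != now[p]),
        "added": sorted(p for p in now if p not in base),
        "missing": sorted(p for p in base if p not in now),
    }


def prioritize(findings, exposure):
    """Assessment: severity weighted by how exposed the affected component is."""
    ranked = []
    for f in findings:
        weight = EXPOSURE_WEIGHT[exposure.get(f["package"], "internal")]
        ranked.append({**f, "score": f["severity"] * weight})
    return sorted(ranked, key=lambda f: f["score"], reverse=True)


def plan(baseline, scan, advisories):
    """Planning: corrective actions routed to the standard that carries them out.
    Missing patches go to Security Patch Management (SPM); files that changed or
    appeared without a known change go to Incident Handling and Forensics (IHF)
    for investigation. The routing labels are this example's assumption."""
    actions = [
        {"route": "SPM", "score": f["score"],
         "what": f"update {f['package']} {f['installed']} -> {f['fixed_in']}"}
        for f in prioritize(match_advisories(scan, advisories), scan["exposure"])
    ]
    integ = integrity_findings(baseline, scan)
    for path in integ["changed"] + integ["added"]:
        actions.append({"route": "IHF", "score": None,
                        "what": f"investigate unexpected file {path}"})
    return actions


if __name__ == "__main__":
    for action in plan(BASELINE, SCAN, ADVISORIES):
        print(action)
```

On the sample, ADV-2 does not apply because the installed libfoo is already newer than the fix, ADV-4 does not apply because the package is not installed, and the two remaining advisories are ordered with the internet-exposed nginx first despite the lower raw severity of the other one being the only thing separating them; the changed sshd_config and the unexpected binary are not patch problems and are handed over for investigation rather than silently overwritten.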

Primary External Support:

Vulnerability Assessment and Mitigation Planning (VAM) initiates the remediation activities either through Change and Problem Management (CPM) or through Incident Handling and Forensics (IHF). Risk Management (RMP) is notified about changes of the risk profile, especially when critical vulnerabilities are found or vulnerabilities cannot be treated as desired. Many vulnerabilities are eliminated by Security Patch Management (SPM) and Hardening, Provisioning and Maintenance (HPM):

  • Vulnerability Assessment and Mitigation Planning uses services and results from “Security Patch Management (SPM)” because many vulnerabilities are remedied by software component updates.

  • Vulnerability Assessment and Mitigation Planning uses services and results from “Hardening, Provisioning and Maintenance (HPM)” because numerous vulnerabilities are remediated by the adjustment of configuration parameters, the disablement of services and the de-installation of software components.
IT Security Standard: Logging, Monitoring and Security Reporting
Abbr.: LMR
IT components and major areas: All activities and tools used for central log management and analysis, monitoring of systems, measurement and information provisioning to customers. It includes Security Information Management (SIM) with Log Management, data collection, analysis and reporting of log data, Privileged User and Resource Access Monitoring, as well as Security Event Management (SEM) with Real Time Log and Event Data Processing, correlation and analysis of events.

Scope and Content:

  • IT systems, components and IT security solutions implemented for protection purposes may have vulnerabilities and may be attacked or misused. Systems are to be monitored in order to gain information on possible attacks and abuse and to provide information on the security status of IT systems and components, so as to demonstrate adherence to policies and compliance with regulations.

Goals and Objectives:

  • Log data are generated by virtually all IT systems and components. They are analyzed for system troubleshooting, for checking compliance with security policies and regulations, for responding to security incidents and for performing security investigations (forensics). Pattern recognition, normalization, classification and tagging, as well as correlation analysis, are typical examples of automated log data assessment. Such tasks should be performed at the different system levels and centrally consolidated in order to generate the best possible overall picture.
  • User monitoring covers the investigation of user access (rights and policies) and user activity. It is important for threat management, fraud detection, breach discovery and compliance reporting. Applications need to be monitored as well; monitoring of access to other resources may also be required.
  • Improved threat management may require real-time data collection that enables immediate analysis. The most important data to be collected and analyzed are security-critical events. They should be correlated and aggregated, and monitoring, alerting and notification should be supported for security events (such as threats or incidents) in near real time.
  • Incident management and workflow shall be appropriately supported so that operations personnel are able to handle and respond to security incidents. This is seen as part of the daily business and can be done by individual IT operations departments, possibly requiring a specific escalation or a business-critical notification to customers or regulators. The details are determined by the incident management process.
  • Customers shall appropriately be informed about the security status of the IT service they consume (and about the IT systems and components applied for production as appropriate). In particular, customers shall be informed whether, and to what extent, contractual security promises are kept. This usually includes adherence to policies and regulations.
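Normalization, tagging and near-real-time correlation, shown in Python as an added example that is not part of the standard. It parses constructed sample lines from two sources (sshd via syslog and an nginx-style access log; hosts, users and addresses are invented, and the syslog year is assumed to be 2024) into one event schema, then applies a correlation rule over the time-ordered stream: a successful authentication preceded by at least five failures from the same source within 60 seconds raises an alert. The threshold and window are sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines from two sources: sshd via syslog and an
# nginx-style access log. Hosts, users and addresses are invented.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar 10 08:00:03 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 10 08:00:05 host1 sshd[1234]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Mar 10 08:00:07 host1 sshd[1234]: Failed password for admin from 203.0.113.5 port 4003 ssh2
Mar 10 08:00:09 host1 sshd[1234]: Failed password for admin from 203.0.113.5 port 4004 ssh2
Mar 10 08:00:12 host1 sshd[1234]: Accepted password for admin from 203.0.113.5 port 4010 ssh2
Mar 10 08:00:30 host1 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
203.0.113.9 - - [10/Mar/2024:08:01:00 +0000] "GET /admin HTTP/1.1" 401 123
"""
SYSLOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)


def normalize(line):
    """Map one raw line onto a common schema (ts, source, src, user, action,
    tags); returns None for lines neither parser understands."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(
            f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        action = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return {"ts": ts, "source": "sshd", "host": m["host"], "src": m["src"],
                "user": m["user"], "action": action,
                "tags": {"authentication", m["method"]}}
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        # 401/403 are classified as failed authentication so that one rule
        # covers web and SSH sources alike
        action = "auth_fail" if status in (401, 403) else "http"
        return {"ts": ts, "source": "web", "host": None, "src": m["src"],
                "user": None if m["user"] == "-" else m["user"], "action": action,
                "tags": {"http", f"status_{status}"}}
    return None


def normalize_all(text):
    """Normalize every line and order the events by time across sources."""
    events = [e for e in map(normalize, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: a successful authentication from a source that produced at least
    `threshold` failures within `window` before it. Events must be time-ordered,
    which lets the same loop run over a live stream as well as a batch."""
    failures = defaultdict(list)  # src -> timestamps of auth_fail events
    alerts = []
    for e in events:
        if e["action"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "ts": e["ts"],
                               "src": e["src"], "user": e["user"],
                               "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize_all(SAMPLE_LOG)):
        print(alert)
```

Running the rule over the sample yields one alert for 203.0.113.5 (five password failures followed by an accepted login as admin). The 401 from the web log normalizes to the same auth_fail action but stays below the threshold, which is the point of a common schema: one rule covers every source that feeds it, and the tags carry the source-specific detail (authentication method, HTTP status) for later classification without the rule having to know about it.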

Primary External Support:

  • None
IT Security Standard: Incident Handling and Forensics
Abbr.: IHF
IT components and major areas: All procedures and means used to handle and respond to security-related circumstances that may have a significant impact and require timely resolution by the implementation of workarounds or by the removal of the root cause.

Scope and Content:

  • The IT service provider supplies IT services to customers. The IT systems and components may have vulnerabilities. These may be taken advantage of and may have an adverse effect on customers’ businesses. Such attacks may lead to a loss of availability, e.g., as a result of a denial-of-service attack. Other attacks may violate confidentiality, privacy and other requirements if safety, physical, environmental, or personnel security measures are circumvented. Theft and espionage are examples of these attacks.
  • The mere appearance or knowledge of vulnerabilities can already significantly change the anticipated risk and therefore require notification and timely action. Furthermore, power and other technical failures, fires, floods and the like can cause incidents of significant impact. In such cases, provider and customer alike may be required to handle the incident in a coordinated manner.
  • If a serious attack, misuse or violation of a policy (such as privacy regulations) is detected, a thorough analysis may be required to determine the root cause and identify the people responsible for the incident.

Goals and Objectives:

  • Means and processes shall exist that allow recognition and consideration of changes of the risk profile (e.g., as a result of compiled knowledge) that may lead to a significantly higher impact on the customer’s business. Indicators are vulnerabilities that are not remedied, malicious activity and the like. The sources of such indicators (e.g., vulnerability management, user help desk) shall be known and used.
  • Means and processes shall exist that allow recognition and consideration of security breaches that have occurred and are expected to have, or already have, a significant impact on the customer’s business. The sources of such indicators (e.g., logging and monitoring, restricted service delivery) shall be known and used.
  • Means and processes shall be applied for making a sound decision on whether reported incidents are to be handled or rejected. Accepted incidents are categorized, understood and assigned for remediation.
  • Means and processes shall be applied for dealing with incidents and for returning to a status with an accepted level of risk. Actions have the purpose of mitigating the impact or minimizing secondary damage.
  • If only the risk profile has changed, actions are aimed at improving response plans and security measures in order to prevent future security breaches or mitigate their impact. Note that the possible actions can vary tremendously and are not elaborated in this standard; this is usually a matter for Problem Management or Risk Management.
  • Means and processes shall exist for receiving information from the customer and for starting the coordinated action of both the IT service provider and its customer, if required.
  • Means and processes shall be applied to facilitate forensic analysis, which determines the root cause and the offender’s identity, together with any accounting data and evidence required.
  • Note that this standard focuses on security incidents resulting from a failure or breach of security measures subject to and monitored under this set of IT Security Standards.

Primary External Support:

There is a special relationship with the following IT Security Standards:

  • Incident Handling and Forensics uses the services and results of “Vulnerability Assessment and Mitigation Planning (VAM)”, by which it is notified about changes of the risk profile, particularly about vulnerabilities that cannot be treated as desired.

  • Incident Handling and Forensics uses the services and results of “Logging, Monitoring and Security Reporting (LMR)”, by which it is notified about major incidents and kept informed thereafter.

  • Incident Handling and Forensics uses the services and results of “Risk Management (RMP)”, by which it is notified of emerging risks that may be the source of future incidents. Conversely, Incident Handling and Forensics provides trend information in order to allow for risk-profile changes.

Incident Handling and Forensics (IHF) delivers input to the change process described in Change and Problem Management (CPM) in order to create a Request for Change (RfC) for resolving the security issues. In addition, Change and Problem Management (CPM) fills the database of known errors, which is used by the Incident Management process:

  • Incident Handling and Forensics utilizes the services and the results of “Change and Problem Management (CPM)” for obtaining information on known errors.