Covid-19 (Coronavirus) and IT: When the Chief Information Security Officer, central security engineers and the data protection team fail

published on 10 March 2020 | reading approx. time 3 minutes

The role of a security officer, or the role of key central security technicians and the team responsible for data protection is generally already understaffed and not sufficiently staffed. What does a failure of one of these central functions mean for a company?

One might think that, due to the distribution of tasks within an IT team, one could do without these central security and data protection roles for a certain time. After all, the substitution plan usually ensures the loss of a functionary. But as Murphy's law says, it does not stop at one disaster. And it is precisely these central roles in the company that often have a little distributed knowledge of the security and protection mechanisms within and in relation to third parties in the company. If partial or complete failures are to be expected, emergency operation must be ensured here as well. Here, concrete preparations must be made for three phases:

• Preparation Phase »

• Phase in Case of Crisis »

• Post-Processing Phase »
  

 

In the following, we would like to provide valuable information on how the company should behave.

 

Preparatory Phase

Depending on the size of a company, the above roles vary in content and capacity. In quite a few companies, the roles are implemented on a part-time basis. In corporate groups, there may also be several distributed responsibilities, which in turn does not facilitate a uniform and centralized guarantee of tasks.

 

In concrete terms, this means that within the preparatory phase, the partial or complete loss of these roles must also be included in the risk assessment. If this has not been the case so far, the risk analysis should be extended or corrected by these dimensions.

 

It follows from this that, if the risk assessment is adjusted, the emergency plans existing in the company will also take adequate account of a partial or complete failure of these roles, or an adjustment will also be necessary here.

 

In concrete terms, this means in any case:

• Classification of the function holders, if necessary distributed within the company/group, into risk classes according to their significance for the individual IT services in the own company;
• Evaluation of partial and complete failures with regard to the defined or yet to be defined substitution and emergency plans;
• Determination and integration of a responsibility with regard to these roles in the corporate crisis management team;
• Determination of the occurrence of an emergency (i.e. in the event of failure also of the predominant number of representatives).

 

Depending on the tasks of the above roles in an emergency (including loss of representation) and in combination with a security or data protection incident, this means further:

• Establishment of a coherent substitution plan, especially in the case of the necessary sensible spatial separation of the function holder from the substitute.
• Clarification of how to deal with security and data protection incidents in the responsibility in case of loss of persons, so that the protection as such is ensured and no fines are to be expected, especially with regard to data protection.
• Dealing with the selection, control and monitoring of third parties in the field of security and data protection during the crisis/emergency.
• Dealing with the clarification of technical security incidents occurring during the period of the crisis/emergency.
• Clarification to ensure the rights of those affected within the framework of data protection in the period of the crisis/emergency.

 

If the company lacks the capacity and know-how for the preparation phase or for representation, it is recommended to involve the Rödl & Partner crisis team.

  
Crisis Phase

If, according to definition, an emergency or crisis arises from preparations and one or more functionaries and representatives are affected, measures are initiated in line with the defined emergency plans.

 

Depending on the extent of the loss of the functionaries and their representatives, the crisis management team must make decisions on a case-by-case basis. These could be:

• Involvement of a third party as an external service provider to monitor the security measures (so-called managed security);
• Engagement of a lawyer in the context of a data protection incident;
• Security assessment of an emergency solution from the failure of an IT service by specialists;
• Etc.

 

Here too, multiple emergencies could threaten the ability of the crisis team to perform its tasks.

 
Postprocessing Phase

It can be assumed that, in the context of the loss of functionaries and representation, some monitoring and control tasks were no longer implemented. It is therefore necessary to

• Here, too, the individual crisis situation is re-embedded in the concepts as a lesson-learned solution,
• to make up for the essential controls relating to the emergency period (checking of rights assignments, admin rights usage, unusual network activities, etc.),
• analogous to the monitoring of the business partners, also to restore the correctness with regard to the internal control system, the assignment of rights by the emergency operation, etc. and to check the successful establishment and
• to check whether the emergency measures have restored the level of data and information security to an optimal level.

 

Since the resources within the functionaries are usually not abundant, the question of the involvement of third parties arises. In this case it is also advisable to involve the Rödl & Partner crisis team.