Recovery from security incidents

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

• the reported incident is confirmed (or found unnecessary to record)
• the type and cause of incident is documented
• the risks associated with the incident are documented
• the risks are re-evaluated and treated if that is necessary after the incident
• risk mitigation measures or a decision their acceptance is documented
• people who need to be informed of the results of the incident treatment are identified (including external ones)
• possible need for a post-incident analysis is determined

Sometimes an unexpected event, such as a fire, flood, or equipment failure, can cause downtime. In order to be able to continue operations as quickly and smoothly as possible, continuity planning is carried out, i.e. planning the operations in advance for these exceptional situations.

Each continuity plan shall contain at least the following information:

• Event for which the plan has been made
• Goal for recovery time
• Responsible persons and related stakeholders and contact information
• Planned immediate actions
• Planned recovery steps

The organisation should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.

Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners

In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.

The organisation regularly develops its continuity plans by analyzing the testing of the plans, training and their actual use in real situations.

The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.

Communication plans related to continuity plans shall include:

• Responsible persons, related stakeholders and other necessary contact information
• Clear criteria for the situation where continuity communication will be implemented
• A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
• References to the templates and tools to be used

If it is difficult to identify the source of a security incident based on the primary treatment, a separate follow-up analysis is performed for the incident, in which the root cause is sought to be identified.