I have an incident – organisational checklist

The checklist is split into organisational and technical aspects, some of which can be processed in parallel. It is structured in the form of guidelines and guiding questions. Individual steps should be repeated in cycles, if necessary.

Framework conditions

  1. This 'organisational' checklist for dealing with IT emergencies cannot replace safeguards or appropriate emergency management.
  2. As the checklist is designed for widespread use in different IT emergencies covering very heterogeneous environments, a large number of the points can only be covered in generic terms.
  3. The checklist is aimed primarily at small and medium-sized enterprises that have not yet had the opportunity to prepare for an IT emergency thoroughly and serves as a tool for dealing with an emergency in a structured manner. However, individual aspects can be applied across the board.

The document 'Ransomware: Erste Hilfe bei einem schweren IT-Sicherheitsvorfall Version 1.2' [First aid in the event of a serious IT security incident] describes these aspects in more detail and provides additional background information.

Organisational checklist

Keep calm and do not act hastily.

Has everyone who needs to know about the suspected IT emergency internally been informed?

  1. Have the IT security officer, the Data Protection Officer, and the IT Operation Department been informed? An example of what should be reported here is shown in the BSI's emergency IT map.
  2. Have management been informed?
  3. Do other internal bodies need to be informed?

Get organised. Set up a crisis team (or a project group). Assign roles and responsibilities.

  1. Who makes the relevant decisions?
  2. Who does what and by when?

Gather as much information as possible, as quickly as possible, to allow informed decisions.

  1. What actually happened?
  2. How did it come to light?
    • Was it reported by external parties? If so, stay in contact with them if they request it, so that they do not publicise the incident prematurely because they feel ignored.
  3. What impact can it have directly on the company, its core services or on essential production processes?

    • Does continued operation have to be guaranteed at all costs? Does it have a potential negative impact on forensic evidence gathering and analysis results?
    • Is there sufficient time to analyse and manage the problem in more depth?
    • Is prosecution anticipated? Does this mean that evidence must be preserved? This usually requires a more prudent and elaborate approach.
  4. What impact can it have on customers, partners or the public?

    • Does this result in a need for additional action?
  5. Why did it happen to us? Are there indications of a targeted course of action? Are we just one of many potential victims?

What communication aspects need to be considered?

  1. If not already in place, create the role of a responsible communication expert, press spokesperson or similar to distribute information in a coordinated, targeted and focused manner, but also to receive it.
  2. Comprehensive explanations can be found in the 'Leitfaden Krisenkommunikation' [Guidelines on Crisis Communication] published by the Federal Ministry of the Interior (BMI). This was primarily developed for the federal administration and public administrations, but contains helpful principles, especially in Chapters 5 and 6 as well as in Appendix 3.
  3. Do not forget to notify your employees internally, using appropriate messaging as necessary.
  4. Check who should or must be informed.
  5. Do notification obligations exist?

  6. Do you have contractual information obligations in the event of IT incidents or comparable compliance rules, for example towards clients, business partners, contractors or insurance companies?
  7. Include your customers and the public in your considerations.
  8. Do you want to report the IT incident voluntarily (anonymised/pseudonymised if necessary) to enable other parties who may be affected to be warned? The reporting form on the BSI's Melde- und Informationsportal [Reporting and Information Portal] is available for this purpose.
  9. Do you want to file a criminal complaint?

Is external support needed? If so, where can I find it?

  1. Your Chamber of Industry and Commerce can provide a local contact person.
  2. Your Chamber of Trades also provides an overview of 'IT security ambassadors'.
  3. The BSI provides various overviews of suitable service providers.

  4. In individual cases, the BSI will support you in an advisory or supportive capacity within the scope of available resources.

Evaluation

  1. Learning from the IT incident
  2. Preparing for the next IT incident
