Crisis Management
Crisis Definition
A crisis exists when a security incident:
- Threatens the operational capability of the organization
- Affects multiple systems or locations simultaneously
- Requires external communication with customers, authorities or media
- Exceeds the capacity of regular escalation channels
Crisis Team
| Role | Person | Task |
|---|---|---|
| Crisis team lead | Executive Management | Decision-making, resource allocation, external communication |
| Technical lead | CISO | Situational awareness, technical coordination of measures |
| IT Operations | IT Management | Recovery, system management |
| Communications | Executive Management / PR | Customer, authority and media communication (if applicable) |
| Legal / Data Protection | DPO / external counsel | GDPR breach notification (Art. 33 to the supervisory authority, Art. 34 to affected data subjects), criminal complaint, liability matters |
Crisis Process
Phase 1: Alerting (< 1 hour)
- CISO alerts the crisis team by mobile phone (not by corporate email or any other channel that may be compromised: an attacker with access to those systems could read or suppress the alert)
- Initial situation report: What is known, what is affected, what is the immediate threat?
- Crisis team meeting (on-site or conference call via backup channel)
Phase 2: Situational Awareness (< 4 hours)
- Complete impact analysis
- Decision on communication strategy
- Prepare the report to the BSI (Bundesamt für Sicherheit in der Informationstechnik), if the incident is reportable
- Decide on GDPR breach notification (the 72-hour deadline under Art. 33 runs from the moment the organization becomes aware of the breach) and prepare customer notification, if customers are affected
Phase 3: Response (days to weeks)
- Coordinated recovery per DR plan
- Regular crisis team updates (at least daily)
- Ongoing BSI communication
- Customer communication (status updates)
Phase 4: Return to Normal Operations
- Verification of all restored systems before they return to production, including confirmation that the attacker's initial access vector has been closed and that no persistence remains
- Formal end of crisis mode by executive management
- Handover to regular operations
Phase 5: Post-Incident Review (< 30 days)
- Comprehensive post-mortem analysis
- BSI final report
- Lessons learned and action plan
- Update of DR plan, playbooks and risk analysis
Exercise Types
| Exercise Type | Interval | Participants |
|---|---|---|
| Tabletop exercise | Annually | Crisis team + IT |
| Communication exercise | Annually | Crisis team |
| Technical DR simulation | Annually | IT team |
Exercise Planning
Crisis exercises should cover a variety of scenarios over time, including ransomware, data center outage, supply chain compromise and data breach. Each exercise is documented together with its findings and the resulting improvement actions, which feed back into the DR plan and playbooks.