Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
13
It should also be mentioned that for the purposes of this report, data security breaches are excluded
from cybersecurity-focused reporting.
2.1.3
Authorities Managing the Scheme
Finally, the research found that the reporting schemes tend to differ according to the host
organization, i.e. the organization that develops and manages the scheme. Among the types of host
organisations identified were:
Telecoms regulatory authorities,
National or GovCERTs,
CIP-related authorities,
Other CERTs.
This distinction comes into play especially when the scheme's organizers consider expansion into new
areas. This is due to the fact that different starting positions offer different evolution paths. Details
and consequences of this distinction will be discussed in section 6.3.2 below.
2.2
Incident Reporting Lifecycle
Planning and implementing an incident reporting scheme are challenging goals. To achieve success, it
is necessary to: a) carefully and diligently proceed through many individual steps, b) working out a
huge amount of detail in the process, while balancing the sensitivities of various organizations and
individuals with whom you will have to work; and c) coordinate, and cooperate in both establishing
and then managing the scheme. These numerous steps together form the lifecycle of the incident
reporting scheme.
2
The lifecycle could be depicted as a four-stage process. It begins with identifying the incident reporting
need and setting the basic goals of your scheme. The lifecycle then proceeds to engaging cooperation
of the potential reporting parties which in fact is an ongoing effort that shouldn't stop as long as the
scheme is running. The reporting procedures are then defined, enabling the launch of the scheme.
Finally, every scheme needs an ongoing management that would, on one hand, provide feedback that
enables adjustment of the reporting procedures, and on the other hand enable longer-term
improvement and evolution of the scheme. Thus the lifecycle may naturally flow into a re-assessment
of the incident reporting needs and to establishing additional reporting arrangements. Relationships
between the four stages are summarized in the following figure.
2 For the purposes of this guide, incident reporting scheme lifecycle, or shortly incident reporting lifecycle, is a summary of the
activities necessary to establish, run and manage an incident reporting scheme in eCommunications. Thus it is clearly distinct
from the "incident lifecycle" an established term describing incident response processes within a CERT.