Good Practice Guide Reporting Security Incident
Good Practice Guide - Reporting Security Incident
We would like to remind again that data protection incidents, such as privacy breaches or
unauthorized data disclosures are considered outside of the scope of this document.
In the area of network faults, the incidents may affect users and other stakeholders who require
notification, but repairing the fault tends to be handled within the service provider and/or its
contractors. Therefore, the incident reporting procedures concerned with these network faults tend to
involve reporting from the network service providers. In contrast to cybersecurity, shared practices are
more difficult to find as reporting schemes in this area can follow various objectives. These schemes
are sometimes focused on emergency response, others on incident prevention, and yet others on
incident rectification, or on a specific mix of these.
Combining The Two
While many schemes focus on either cybersecurity or network faults, others cover both. Whichever
the choice in your case, the scheme should be designed with the specific choice of coverage in mind,
so that relevant stakeholders can be involved and effective procedures put in place to meet all
A decision on whether the scheme will address cybersecurity incidents, network faults, or both
must be taken.
In the cybersecurity area, CERTs and CERT-like structures might be utilised to receive reports in
order to coordinate incident response across the wide range of network operators, users and
In network faults area, attention should be paid to defining the scheme's purpose correctly to
suit scheme's objectives, as a focus on emergency response will lead to a different scheme than
one focused on prevention or rectification.
Purpose of Reporting
As noted above, reporting schemes tend to focus on one or more of three main objectives. These are:
Emergency or incident response,
It is important to understand the differences between the types, because much of the schemes' inner
organization depends on the choice of these purposes. On the other hand, most reporting schemes
would combine two or even all three purposes. Any new scheme would need to establish the major
and secondary purpose(s) and combine the reporting procedures accordingly.
Reporting Focused on Emergency Response
The first type of purpose to which incident reporting is commonly tuned is responding to emergencies.
These schemes aim at enabling real-time information sharing and coordination during emergency