Good Practice Guide Reporting Security Incident
cooperate with national and/or regional crisis management centres, and to bring in the
representatives of other sectors as well, either directly or through mediation of the public
crisis management. More on this kind of cooperation will be said in sections 5.3.2 and 5.3.3.
: The Disaster Information Reporting System (DIRS), run by the Federal
Communications Commission, is a voluntary reporting scheme that collects reports on
network outages during major emergencies. It supplies information to the national
emergency communication network (National Communications System, NCS) and other
federal agencies in charge of emergency response.
: The National Emergency Alert for Telecoms (NEAT) arrangements in the UK
can be connected, if necessary, to the national emergency response framework, the
Concept of Operations (CONOPS). The framework defines a hierarchy of regional,
sector-specific, and nation-wide public responding agencies and makes it possible for
an incident report to be quickly escalated to a corresponding authority.
The following must at least be ensured for reporting focused on emergency response: a)
cooperation of major CI providers, b) use of efficient communications tools, c) coordination
with public crisis management, and d) coordination across sectors.
Reporting Focused on Preventing Failures
The second type of reporting focuses on reducing outages in public eCommunications networks as a
means of guaranteeing a certain service to the customers. Schemes of this type aim at collecting
sector-wide information on threats and putting it to use so that failures are prevented. There are two
alternative approaches that can be used, each using a set of means.
CERTs and CERT-like institutions put emphasis on peer-to-peer cooperation, the priority being
to facilitate information sharing on threats. The organizers distribute statistics and updates on
current incidents, mediate consultations, organize expert forums and regular stakeholders'
meetings. Of the many CERT-like structures collecting information on incidents, national
CERTs and GovCERTs are most likely to have reporting schemes that qualify for the scope of
: The Federal Office for Information Security (BSI) is operating CERT-Bund
as an example of GovCERT. It collects reports on data security incidents and network
outages in government institutions and on selected networks that are regarded as part
of the national CI. Its main methods in the GovCERT function are raising
awareness among the constituency, offering assistance to the afflicted parties, and
facilitating informal exchange of experience in trusted groups.
Regulatory and supervisory bodies focus on a different priority in failure prevention. They
tend to impose a duty to systematically report incidents to a single authority. Based on
this, analyses and audits are carried out in order to discover potential threats and