Good Practice Guide Reporting Security Incident
Obligation is not enough. Even where reporting is mandatory, the experts we interviewed emphasized
the need to engage stakeholders' support and to build trust with the reporting parties. Unless
convinced of the purpose of the scheme, and confidential handling of the information submitted, the
reporting parties might not cooperate as much as necessary for the scheme to run smoothly.
: Participation is voluntary. The coordinator and co-financer of the
scheme is the Swedish regulatory authority PTS, which has the power to impose obligations on
service providers. The scheme was put into operation through several years of consultations
and jointly coordinated development, implementation, testing and evaluation. The partners have
been aware that MIMER was an opportunity for the eCommunications sector to
develop a joint solution tuned to the sector's own prerequisites; unless they acted together, a
demand might later arise from society and result in a regulatory decree.
In emergency response-focused and failure-focused reporting, much of the success depends on a
trustworthy relationship with the reporting parties. The organizers may begin building cooperation
and trust even without a legal obligation to report. Later in the lifecycle of the reporting scheme, they
may consider improving the legal anchorage of the scheme.
: Estonia has a track record of efficient informal cooperation among the key
players in IT security incidents. Recently the country introduced legal codification of CIIP,
including the obligation to report incidents. At the system level, the benefit is to bring critical
infrastructure protection onto a common platform with longer-term goals. With respect to the
reporting scheme itself, the organizers hope to improve crisis communication, raise awareness
of threats, and expand the coverage of the scheme.
: The Federal Chancellery (Bundeskanzleramt, BKA) is still waiting for legal
updates that would improve its position to cooperate and share information with other
organizations as a GovCERT. Nevertheless, the organizers have already begun building
expert communities, spreading awareness of the threats and establishing their status as a
Article 13 of the recently adopted reform of the Telecommunication Package mandates competent
national authorities to establish and manage national incident reporting schemes. "The Commission,
taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing
measures with the view to harmonizing policies at pan European level." This means that such schemes
should be mandatory.
Legal backing for rectification-focused reporting must be ensured.
The legal obligation must be formulated in general terms; follow up with specific
Obligation is not enough to ensure an effective scheme on its own; co-operation with reporting
parties must be maintained.