Good Practice Guide Reporting Security Incident
unless the organizers have at their disposal either a large volume of human resources, or an
automated reporting tool (see section 5.1.1 on automation).
Finally, organizers need to be aware of the burden they are imposing on reporting parties,
and consider whether that is reasonable given the likely level of commitment they will obtain
from reporting parties. If the threshold is too low, reporting parties will likely resist and fail to
submit all reports or submit only incomplete data.
The targeted reporting thresholds should be adjusted to the scheme's purpose, such as higher
thresholds for emergency response and lower thresholds for statistics and failure prevention.
A large volume of reports should be avoided when there is a lack of extensive human resources
High thresholds are recommended in the beginning, and once the scheme and staff are in
place and working effectively, organizers can consider whether lower thresholds would be
Depending on the purpose and area of reporting, the following indicators may be used as thresholds
for requiring a report. As most schemes combine several purposes, you might also wish to combine
the threshold criteria.
Need of assistance. In the cybersecurity area and in emergency response, the minimum functionality
of a reporting scheme is to react where the reporting parties declare they cannot manage the situation
themselves. Upon receiving the report, the scheme's organizers may start arranging assistance in removing the
problem. According to a similar logic, the reporting parties may also be asked to submit reports or
alerts on threats that are manageable on their own network but might be beyond other operators'
: Threshold set for the mandatory reporting is when the ISPs cannot handle
the incident or might see a potential risk for others.
: Sharing information between operators on an emergency communications bridge
enables the operators to share information on the extent of the emergency and ask for
assistance (mobile exchanges etc.) for handling incidents if they don't have sufficient resources
at hand. Operators participating on this call are signatories to a Memorandum of
Impact on critical infrastructure or on other CI providers. In emergency reporting schemes, the
decisive factor may be whether certain critical services are affected (e.g., the emergency call number)
by the incident, and whether other CI providers (hospitals, airports, water suppliers etc.) are affected
by it. This may result in a list of critical services and customers to be taken into consideration by the
reporting parties. Unavailability of a service may also be reported by the end-users.