Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
31
MELANI
Switzerland
: MELANI is a reporting scheme covering national CII in Switzerland. Any
member of the scheme may report an incident that in his/her opinion impacts other users and
request a communication bridge to be opened. The reports may be submitted by CII providers
but also by the end-users from other CI sectors.
Impact on customers. Failure-prevention-focused and rectification-focused schemes tend to be
focused on the impact of an incident on users of the service, so the reporting thresholds would also be
based on the impact on those users. The criteria tend to be more or less complex, but in the most
recommendable cases, three aspects are taken into consideration:
a.
The number of customers afflicted;
b.
The area afflicted (region, a certain number of municipalities and towns);
c.
Duration of the outage.
NORS
USA
requires reports, i.e., on outages of 30+ minutes that affect at least 900,000 user
minutes (calculated as outage duration x No of customers); or at least 1,350 DS3 minutes
(calculated as outage duration x No of actual calls at the moment of outage).
5
FICORA
Finland
is currently proposing a new categorization of outages ranging from Class A
(highest priority) to Class D (lowest priority). In telephone and broadband, the thresholds range
as follows.
Class A: 100,000+ telephone service users or 200,000+ broadband service users or
60,000+ km2 area affected. Etc... down to:
Class D: less than 1,000 telephone or broadband users, less than 10 base stations of a
wireless network.
In addition to that, outages in wholesale services may be included for their effect on end-users.
ComReg
Ireland
requires reports on both access tier and wholesale services. The reporting is
mediated through the incumbent, which in turn reports to ComReg.
Social, political etc. impact of the incident. Predicted or perceived importance of an incident for
social, political and economic life of the country may be used as a threshold, too. That is most likely to
happen in a rectifying schemes, where the organizing authority might request reports on publicly
sensitive cases. Similarly, the service providers might spontaneously submit report on a sensitive case
in order to avoid later criticism for not having acted upon it.
The need of assistance might be considered as a criterion for emergency response and
cybersecurity.
The impact on CI providers might be considered as a criterion for emergency response.
5
See the Code of Federal Regulations, Title 47, Volume 1, Part 4, Sec. 4.5-4.9, 4.13 for details.