Good Practice Guide Reporting Security Incident
To secure commitment to the reporting scheme, it may be necessary to increase awareness of the
threats that the scheme is facing. Sadly enough, disasters are a great help here: they bring public
opinion and the service providers to realize the impact of incidents, the profundity of cross-sector
dependencies, etc. We have seen throughout the research that several reporting schemes started
after major attacks on national infrastructure, especially after 9/11 and the April/May 2007 DDoS
attacks in Estonia. If the scheme organizers can react to an incident and show the significance of their
services, it is a great asset.
: As a lesson learned during the 2009 Conficker crisis, GovCERT.at has begun to
assemble a "voluntary fire brigade" from its contacts within the public administration, i.e., a
team of technicians that could reset all computers of an organization as soon as possible in
case of an emergency. This backup capacity can be requested by any affected organization or
by the CERT staff in case of need.
As the interconnection of eCommunication networks advances, the industry recognizes the need to
share information. Awareness of the threats and of reporting as a way to help face them has been
IT Vendor [USA]: We observe over the years that talks in the IT sector have been shifting from
"why we can't share information" to "what information we need to share".
Relying on sudden events and general trends would, of course, not be enough. Awareness can be
cultivated only through proactive communication focusing on two key levels in the reporting
organizations: top-level management and the potential reporting staff.
On one hand, it is important that the C-level management understands and supports the goals of the
scheme. For that purpose, regular meetings and consultations may be used.
On the other hand, we also heard during the research that the staff responsible for reporting within
the participating organizations (network managers etc.) might not report either because they are not
aware of the existence of a threat, or because they do not prioritize incidents in their day-to-day
business. To avoid such problems, the respondents recommended workshops for experts and
middle-range managers, newsletters, web pages with reference information, and even instruction DVDs.
: In fulfilling the function of GovCERT, the Federal Office of Information Security
(BSI) holds meetings at the CIO level three times a year to discuss BSI's services and the
participants' concerns. It also organized a project group composed of middle-range managers
directly responsible for the reporting; the group meets four to five times a year to discuss
technical arrangements of the reporting scheme. In addition to that, BSI publishes a regular
IT security newsletter with statistics, expert assessments, recommendations, advice, user
comments, etc. Pitching the feedback and deliverables to convince the reporting parties of the
benefits of reporting for themselves is considered "difficult but crucial".
Learning from experiences of major incidents is useful, but not enough. Advantages of the
scheme should also be demonstrated to the participants.