Good Practice Guide Reporting Security Incident
Good Practice Guide - Reporting Security Incident
40
hand helps to build trust and confidence regarding the project, but on the other hand it also
adds value for the participating organizations. Many service providers are interested in
building relationships with public authorities, influencing national policies and coordinating
their reporting mechanisms with those public. Security experts within those private companies
may be looking forward to consultations with public authorities because they validate their
work.
[Network Operator]: One major international operator seems to have overcome many
issues in building trust with public authorities. The company currently sees as an
advantage to be involved in formulation of national policies and to have the possibility
to tune the company reporting templates with those national. It is happy to maintain
close contacts with relevant officials at the public authorities and to foster the
understanding of how the company solves network problems. The company
encourages its local subsidiaries to actively participate in national CERT communities
and to cooperate with the authorities.
Much of the trust-building effort involves addressing the concerns that reporting parties might
have about the introduction of a reporting scheme. These concerns are discussed further in
the next section.
Trust-building is the top priority for incident reporting. It requires a great deal of effort over an
extended period of time, but it is essential for most schemes, especially those focused on prevention
and response.
Build on previously existing trusted relationships.
Personal contacts in the reporting parties must be developed and maintained.
An individual, differentiated approach to the partner organizations must be used.
The reporting parties must be involved in the scheme's design and development.
4.5
Addressing Private Stakeholders' Concerns
Our research gave us insight into some concerns that the private companies might have with entering
an incident reporting scheme. The overview below puts emphasis on large operators and vendors to
whose opinions we've had privileged access. The feedback generally falls into two categories:
1.
Issues with confidentiality of the information submitted;
2.
Issues with resources necessary to participate in the scheme.
4.5.1
Confidentiality
First and foremost, private companies are concerned about the confidentiality of information that they
report to the organizing authority. Disclosure of what has been considered confidential information