Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
may do substantial damage to their will to cooperate. To overcome that issue, the general good
practice is to give a clear idea of what will happen with the information that the participants submit,
and provide guarantees that this procedure will be respected. The research has indicated several
issues that the private-sector participants tend to be especially concerned about, including:
Communication with large customers.
Service providers are concerned about any regulatory interventions that their reports could trigger. This
concern might have serious consequences for emergency reporting; therefore, many respondents
recommend separating the reporting loop from official communication with authorities charged with
regulatory or punitive functions. This issue is discussed in more detail in the next section.
Service providers might feel comfortable sharing certain information with the organizing authority
but at the same time be anxious not to reveal it to their competitors. This applies
particularly to the topology of services and to the service provider's capacity (or not) to provide services
in a certain area. On the other hand, the service providers are interested in sharing best practices and
solutions even with competitors.
: A case was quoted to us in which a service provider felt uncomfortable
about the unexpected disclosure of the location of several of its core network components,
information which the operator felt could give its competitors an advantage in winning certain
With respect to public communication, the reporting parties regularly wish to be in control of any
information about their operations that goes to the media. To respect this concern, the respondents
recommend either consultation with the reporting parties, or at least anonymizing any information
that the organizing authority communicates to the public.
: In all media relations, one regulator stated that it refrains from revealing any
information on companies or private persons, unless the party concerned has made that
: One national CERT anonymizes the information submitted to the media,
never naming individual companies. The purpose is to keep the trust of the ISPs.
[Incident Reporting Scheme Manager
: "If publications or press inquiries concern a member,
this will be of course discussed with those responsible (for example the news service) of the
The operators may be interested in participating in order to improve relations with their big
customers. Some customers perceive participation in an emergency response scheme as an indication
of the provider's commitment and ability to quickly restore services. Further, customers who are
participating in a reporting scheme or an information sharing platform together with the service