Good Practice Guide Reporting Security Incident
providers can be "educated" on certain threats so that, for instance, they accept that it was not
possible to restore the service earlier.
Clear rules on how the submitted information will be treated must be established.
Emergency reporting must be separated from the information collected for regulatory
Confidentiality on network topology and other information that might be used in business
competition must be maintained.
Information released to the public must be anonymous.
Incident reporting might be used as a channel to improve communication with customers.
Our research has shown that direct expenses of reporting are not the main concern of private
stakeholders, though covering some of the expenses may be used as an additional incentive. More
interesting, from the service provider's point of view, are resources for resiliency-related issues.
In the network fault area, service providers can be motivated to actively participate in reporting if they
see that public resources would be made available to aid response to emergencies or upgrade their
network resilience. Information sharing and peer-to-peer cooperation are also seen as a way to improve
resilience without increasing the costs.
: Sharing solutions with other operators helps in a situation where the
number of incidents grows, while resources stay the same. Especially companies with similar
networks and a lot of interdependencies may benefit from sharing with their competitors.
You also have to report when you request help from the public authorities or other operators.
: The operators are interested to see the regulator intervene so that they don't
have to bear all the costs.
But the main resource-related issue that emerged in the research concerned human resources
engaged in solving an incident on a service provider's premises. Respondents repeatedly pointed to
the importance of the staff not being overburdened with reporting duties while responding to an
incident. The usual practices to address this issue on the scheme organizers' side are to require a
brief report when the incident is opened and a detailed report afterwards, and to introduce a single point of
contact to avoid parallel reporting to multiple authorities or stakeholders. In case of an incident, the
scheme would distribute the information to all concerned parties based on a single report. These
measures will be discussed in the next section.