Good Practice Guide Reporting Security Incident
Contributing Factors. The variables use the following range of possible cases: Cable damage, Design fault
(Firmware/Hardware/Software), Environment (External/Internal), Hardware failure, Power failure,
Procedural fault (Service Provider/System Vendor/Other Vendor), Simplex condition, Spare
capacity failure, Traffic or system overload, Other or insufficient data or unknown.
Furthermore, special variables are added to indicate whether, and to what extent, the
outage was caused by:
Lack of diversity in network design;
Malicious activity.[8]
Incident impact assessment is crucial for deciding upon follow-up, be it in emergency response or
rectification mode. The variables usually used to measure the impact of an incident are the list of
network components affected; services or applications unavailable; special services, such as emergency
calls, unavailable; and customers and geographic area(s) affected by the outage. It is also possible to
introduce a variable that summarizes the social and economic impacts for the reporting
party or for broader society.
Incident handling description. Finally, the report should contain a summary of the actions taken to
remove the failure and possibly also to prevent its recurrence. As an attachment, this field may contain
the lists of third parties contacted, documentation including forensic evidence, or, in cybersecurity, log
files of actions taken by the reporting party.
The reporting format that a scheme uses would then represent a specific combination of
most or all of the abovementioned fields.
FICORA, Finland: "In a notification to FICORA on a fault or disturbance in a communications
network or communications service the telecommunications operator shall, where possible,
give an account of the reasons for the fault or disturbance. The operator shall also submit
information about the number of subscribers whose communications service was affected,
other harmful consequences caused by the fault or disturbance and the repair time. The
operator shall also inform about the measures it has taken or is going to take to repair the
fault or disturbance in order to prevent such faults or disturbances or the harmful
consequences."
Depending on the scheme's objectives, a list of reportable information must be prepared, which
includes: contact information; time and location of the incident; status information; incident
description; incident impact; and incident handling description.
Standardization and Automation
The next question, directly following that of which information has to be submitted by the reporting
parties, is whether the report should stick to strict formatting. As a means of formalizing and
standardizing the report, the organizing authorities may use one or more of the following:
[8] Network Outage Reporting System User Manual, Version 6 (April 2009),