Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
- Questionnaires and forms,
- Pre-defined categories for variables,
- Web forms with pre-defined answers.
Standardized data input enables, on the one hand, sophisticated statistical analyses (see section 6.2),
and on the other hand, a number of specific follow-up procedures. Several respondents in our
research expressed the opinion that the larger the volume of reports submitted the greater the benefit
of formalization and automation.
Categorization enables prioritization. If the number of reports submitted is likely to be high, it might
exceed the capacity of human reviewers to assess each report individually. For these cases, the report
should contain a categorized variable (most likely one of the incident impact variables) whose value
would attract attention and trigger a follow-up. (On prioritization, see section 5.2.)
Standardization enables automated processing. Similarly, if reaction to incidents requires immediate
processing of a considerable volume of reports, especially triggering alerts or distributing information
on an incident, a standardized format will probably become necessary. In the cybersecurity area, many
CERTs use machine-readable formats to automatically collect and distribute data on incidents on a
daily or weekly basis. A corresponding software tool may be capable of working with several formats
simultaneously. In any scheme with an emergency response aspect, automated alerts may be sent out to
stakeholders in reaction to reports in which a certain variable reaches a critical level.
CERT-FI (Finland) is running an automated reporting tool which works as "a collection of
simple, but efficient, scripts. ... The underlying engine ... is responsible for fetching,
categorizing, sorting, and formatting the reported incidents according to predefined templates.
The engine also takes care of compiling the daily reports and emailing them out at predefined
times to addresses found in our contact list. Each data source is attached to the framework
through a tailor-made plug-in. ... Autoreporter is able to handle sources where data is either
pushed (e.g., receiving data by email) or pulled (e.g., fetching the data from an external web
server)."[9]
MIMER/GLU (Sweden): MIMER enables automated alerts in response to the messages
submitted. Messages are handled in a uniform manner and the format used is XML.
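The two mechanisms described above, a categorized impact variable that drives prioritization and a standardized machine-readable format that lets alerts be triggered automatically, can be combined in a small triage step. The following is an added example, not code from CERT-FI's Autoreporter or the MIMER/GLU system; the XML layout, the category names and the alert threshold are assumptions made for the illustration.

```python
# Added illustration (not MIMER/GLU or Autoreporter code): the XML layout,
# category names and thresholds below are assumptions for the example.
import xml.etree.ElementTree as ET

# Pre-defined categories for the impact variable, ordered by severity.
IMPACT_LEVELS = ("none", "minor", "major", "critical")
ALERT_AT = "major"  # reports at this level or above trigger an alert

# Constructed sample of three standardized reports in the assumed format.
SAMPLE_XML = """<reports>
  <report id="r1"><service>voice</service><impact>minor</impact><users>120</users></report>
  <report id="r2"><service>internet</service><impact>critical</impact><users>45000</users></report>
  <report id="r3"><service>sms</service><impact>severe</impact><users>10</users></report>
</reports>"""


def parse_reports(xml_text):
    """Return (queue, rejected): valid reports sorted for review, and
    (id, reason) pairs for reports a human must look at manually."""
    queue, rejected = [], []
    # Python 3's ElementTree does not resolve external entities; for input
    # from untrusted senders a hardened parser such as defusedxml is advisable.
    for node in ET.fromstring(xml_text).findall("report"):
        rid = node.get("id", "?")
        impact = (node.findtext("impact") or "").strip().lower()
        if impact not in IMPACT_LEVELS:
            # A value outside the pre-defined set defeats automation: reject it
            # rather than guess, so the submitter can be asked to correct it.
            rejected.append((rid, f"unknown impact category '{impact}'"))
            continue
        try:
            users = int(node.findtext("users") or 0)
        except ValueError:
            rejected.append((rid, "users is not an integer"))
            continue
        queue.append({"id": rid, "service": node.findtext("service"),
                      "impact": impact, "users": users,
                      "priority": IMPACT_LEVELS.index(impact)})
    # Highest impact first, then most users affected: the reviewer's order.
    queue.sort(key=lambda r: (-r["priority"], -r["users"]))
    return queue, rejected


def alerts_for(queue):
    """Ids of queued reports whose impact reaches the alert threshold."""
    threshold = IMPACT_LEVELS.index(ALERT_AT)
    return [r["id"] for r in queue if r["priority"] >= threshold]
```

Rejected reports are kept separately rather than silently dropped, because a report that does not fit the pre-defined categories is exactly the kind the guide says needs human follow-up.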
Standardization saves resources. Many operators use automated network management tools on
their networks. Standardization makes it possible to install interfaces that align the internal reporting
procedures of service providers with those of the public reporting scheme, thus allowing the operators
to save resources.
On the other hand, it should be said that standardization does not bring only advantages. A number of
respondents mentioned that standardization and formalization discourage the scheme's constituency
from reporting. That is not only because the reporting parties may feel overburdened by the
reporting requirements, but also because standardization invites formalist attitudes:
[9] Thomas Grenmann of CERT.FI at