Good Practice Guide Reporting Security Incident
: Follows the maxim that it is better to have operators "think while reporting" than blindly follow a procedure.
For that reason, some organizers avoid strict requirements and encourage spontaneous reporting instead. This approach may be particularly suitable for schemes focused on emergency response or for schemes that process a low number of reports. Where possible, it is also advantageous to impose lighter requirements on new entrants who are still learning to participate in the scheme.
In any case, even if the reporting structure is not standardized, the reporting parties may still need the organizers' assistance in compiling their reports. Our respondents particularly mentioned informal discussions of the scheme's purpose and functioning with the constituency, reporting guidelines published on the web site, and follow-ups and clarifications on the reports received.
[Regulator]: "The experience is, the more informal the format, the more reports one gets."
The authority therefore prefers not to overstretch the formal requirements placed on reporting parties. Based on their first report, it can educate them on the desired format and suggest improvements for subsequent reports.
: A list of "guidance questions" covering what should be reported is provided to
The pros and cons of reporting formats should be balanced when making a decision, especially the benefits of flexibility versus standardization.
Over-formalization should be avoided: emergency response and a low number of reports may not require formalization, while flexible formats make it easier for the reporting party to share whatever information it deems relevant.
If a large number of reports is expected, or if statistical analyses are planned, the reporting format should be standardized. Use of categorized variables is recommended when it comes to
Automated tools must be used for large volumes of post-processed reports (emergency alerts or periodic information distribution).
Assistance should be offered to the reporting parties: guidelines must be issued and requirements clarified through informal communication.
Reports and Reporting Deadlines
The next decision for the scheme's organizers is the timing in which they would like to receive the reports, i.e. the reporting deadlines. Our research indicates that there are different kinds of reports, to which different deadline policies apply: