Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
of reported incidents; they may report incidents that have not been reported individually; they may
contain summary information but no details on individual incidents;
- The types of reports and reporting timeframes must be taken into account: a) initial report, b) update report, c) concluding report, and d) periodical summary report.
- The initial report should be filed as soon as possible; awareness of the need for timely reporting must be promoted.
- A unique incident ID must be used for managing larger volumes of updating reports.
- The most detailed information must be given in a concluding report; this information might be used for follow-up analyses.
The Reporting Channel
The final question to settle in the reporting requirements proper is the channel(s) that the scheme will
use for reporting. The standard array of means available for that includes:
- Web-based forms, and
- Machine-readable messages.
Whichever channels are used for reporting need to be publicized among the constituency: the contact
persons, phone numbers, email addresses, electronic interfaces, and finally reporting websites should
be known and available to anybody responsible for submitting reports. For sophisticated platforms,
such as web-based tools or machine readable messages (XML and others), it might be useful to
compile a user handbook for the reporting parties. In terms of choosing the channel, there is no single
good practice but a few suggestions have crystallized:
- For a quick alert or an initial report, the organizers mostly welcome information submitted through any channel. Keeping alternative reporting channels strengthens the resilience of the scheme and increases the chances of timely reporting.
- For emergency response, secure and resilient voice bridges offer the means of both reporting and coordinating the reaction.
- Machine-readable messages (XML and others) and web interfaces are suitable for highly standardized reporting procedures, especially if automated data processing is involved.
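One way a scheme's back end could process machine-readable reports, keying every message on the unique incident ID and checking the sequence initial, update, concluding (an added example, not part of the guide). The XML element and attribute names, the INC-nnnn ID format and the sample messages are assumptions constructed for illustration; the periodical summary report is left out because it carries no details on individual incidents.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Report types from the guide; element and attribute names are assumed for this example.
TYPES = {"initial", "update", "concluding"}

def _msg(iid, rtype, ts):  # builds one constructed sample message
    return f'<report incident-id="{iid}" type="{rtype}"><submitted>{ts}</submitted></report>'

SAMPLE = [  # constructed sample feed, in arrival order
    _msg("INC-0001", "initial", "2024-01-10T08:15:00Z"),
    _msg("INC-0002", "update", "2024-01-10T09:00:00Z"),      # no initial report on file
    _msg("INC-0001", "update", "2024-01-10T11:30:00Z"),
    _msg("INC-0003", "initial", "2024-01-11T07:45:00Z"),
    _msg("INC-0001", "concluding", "2024-01-12T16:00:00Z"),
    _msg("INC-0001", "update", "2024-01-13T10:00:00Z"),      # arrives after closure
]

def parse_report(xml_text):
    """Parse one message into (incident_id, report_type, timestamp) or raise ValueError."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not accepted in report messages")
    root = ET.fromstring(xml_text)
    iid, rtype = root.get("incident-id", "").strip(), root.get("type", "")
    ts = (root.findtext("submitted") or "").strip()
    if root.tag != "report" or not iid or rtype not in TYPES or not ts:
        raise ValueError("malformed report")
    return iid, rtype, ts

def correlate(messages):
    """Group reports by incident ID; flag any that break initial -> update* -> concluding."""
    incidents, problems = defaultdict(list), []
    for msg in messages:
        try:
            iid, rtype, ts = parse_report(msg)
        except (ValueError, ET.ParseError) as exc:
            problems.append(("<unparsed>", str(exc)))
            continue
        history = incidents[iid]
        if rtype == "initial" and history:
            problems.append((iid, "duplicate initial report"))
        elif rtype != "initial" and not history:
            problems.append((iid, f"{rtype} report without an initial report"))
        elif history and history[-1][0] == "concluding":
            problems.append((iid, f"{rtype} report after the concluding report"))
        else:
            history.append((rtype, ts))
    open_ids = sorted(i for i, h in incidents.items() if h and h[-1][0] != "concluding")
    return dict(incidents), problems, open_ids
```

Calling correlate(SAMPLE) returns the per-incident report history, the rejected messages with the reason for each, and the IDs of incidents still awaiting a concluding report.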
Respondents from among service providers, vendors and scheme organizers cited the value of a single
point of contact for reporting, the function known as triage in the cybersecurity area. Having a single
point of contact allows the reporting party to focus on solving the problem, because once an incident
is reported, the scheme's staff then ensures information distribution and cooperation both within and