Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
This subsection will discuss means used for improving the scheme's performance within the already
selected area or purpose. Ideas for improvements will appear while analyzing the incidents, whether
via individual ex-post or a statistical examination. The other essential source of impulses is feedback
from the reporting parties. The points of interest for the organizers are problems encountered with
reporting, requests for support, and suggestions for the scheme's further development. The most
recommendable practice is to ask for feedback regularly, whether in one-to-one consultations with
service providers, or in regular meeting of stakeholders and/or expert groups.
is an emergency response scheme run with a pool of select CI providers
across various sectors. Depending on the sector, the organizers hold semi-annual sector-wide
meetings of stakeholders in order to discuss lessons learned, but also to listen to the wishes of
stakeholders and collect suggestions.
The Finnish national CERT organizes working group meetings four to five
times a year that discuss new threats and other issues. The group involves representatives of
major service providers, customers and some public institutions.
holds yearly one-to-one evaluation meetings with the largest operators, which,
on the one hand, evaluate the operators' networks and discuss incidents, and on the other
hand collect their feedback.
Communication with stakeholders is a presupposition of successful long-term steering also for other
reasons. The organizing authority needs to educate the constituency on new requirements and new
threats, and it also needs to maintain and increase commitment to the scheme's goals. Some
authorities recommend informal follow-ups on reports, discussing improvements in both reporting
standards and resiliency measures of the given reporting party; others hold seminars, workshops,
conferences, or forums for discussion; yet others issue regular reports on activity and analyses for this
[Regulator]: "Build on trust, show the need
, provide feedback when reported,
create and communicate added value
for the reporter."
During our research the respondents most frequently mentioned coverage of their respective schemes
as subject to improvements. Thus the improvements might have concerned:
Extending operation time,
Enlarging the constituency,
Increasing data volume.
The scheme's operation time may be extended from business hours or great emergencies to a 24/7
model. Including new sectors or smaller service providers may expand the constituency. Finally, the
volume of data may increase upon lowering the reporting thresholds and/or refining the reporting
template. With more and better data, more sophisticated analyses of threats and recommendation for
avoiding them become available, which in turn may increase the value given back to the community.