Good Practice Guide - Reporting Security Incident
The German Federal CIIP authority BSI (Bundesamt für Sicherheit in der
Informationstechnik) also hosts CERT-Bund, the Federal GovCERT, as one of its departments.
As we have remarked in section 5.3.2 above, emergency response functions may be difficult to
reconcile with the regulatory ones. For that reason, we see CIP authorities as less likely to extend their
status towards telco regulation, and their function towards assuming failure prevention and/or
rectification responsibilities in the network faults area.
National/governmental CERTs can boost their emergency response and failure-prevention capacities
by moving into critical infrastructure protection, or by assuming some kind of a regulatory role. Some
CERTs have emerged as a grass-roots initiative of industry and are based on voluntary participation; in
those cases introducing regulatory powers needs to be discussed with the constituency first. There is
also the possibility of federating functions very loosely. For instance, the facilities already used by a CERT
(such as a 24/7 service, operations centre, etc.) may also be used for running another institution.
Theodore Puskas Foundation [Hungary] is running its own scheme in the cyber security area
(CERT Hungary), but it also hosts the national communication network failure reporting
scheme; the latter function has been commissioned by the national regulator (NHH). While
both schemes are using the same infrastructure, the follow-up differs and is managed
separately by CERT Hungary and the NHH. Although the two duty services are separated by
function and staff, they cooperate on the basis of sharing security events related to IT security.
Our research suggests that the regulatory authorities in telecommunications are best suited to
federate functions. Indeed it is quite feasible to combine a failure-prevention scheme with alerts in
cases of emergencies or high priority incidents, and with possible rectification-oriented follow-up.
Some European regulatory authorities host national CERTs (e.g., RRT in Lithuania, FICORA in Finland),
while others run emergency response schemes (e.g., PTS in Sweden, ComReg in Ireland).
This document is far from recommending boundless federation of functions within one scheme.
Indeed some benefits can only be obtained from specialized schemes. For instance, an efficient
emergency response scheme may be better kept separately from the regulatory loop; also mergers
between the cybersecurity and the network faults areas within one scheme are rarely seen. In these
cases, the telecommunications regulatory authority may consider simply hosting two different
The Finnish regulator runs a network faults prevention scheme with some
emergency response aspects, and separately also CERT.FI.
The Swedish regulator PTS is coordinating an outage reporting scheme
MIMER/GLU. The scheme is exclusively focused on helping to handle a possible crisis and is
separated from the regulatory reporting loop.
Evolution of incident reporting schemes is only part of the integration of CIIP policies at both national
and European levels. As these efforts progress, the organizers of the reporting schemes will be looking
towards necessary adjustments in the legal framework. Those would aim, on the one hand, at
improving the scheme's legal status, the right to demand cooperation etc., and on the other hand, at
harmonizing the incident reporting with other components of the national CIIP policies. Clashing
jurisdictions or other obstacles to cooperation will have to be identified and removed. Indeed, many of