Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
For emergency response, consider impact on CI providers as a threshold
For failure prevention and rectification, consider impact on customers as a
threshold criterion; you may combine number of customers affected, area, and
duration of the outage.
For rectification, consider social and political impact of an incident as a threshold
Adjust reporting thresholds to the scheme's purpose: e.g. higher thresholds for
emergency response and lower thresholds for statistics, failure prevention.
Avoid low thresholds unless you are able to process a large volume of reports;
also consider burden to the reporting parties to participate.
Focus on flexible situation assessment in emergency response schemes.
Aim at formalized thresholds in failure-prevention schemes.
Cultivate shared understanding of what should be reported and why with the
Stage: Engaging Cooperation
Task: Start with what already exist
Map the already existing arrangements for incident reporting, emergency response,
industry cooperation, and CIIP, and build on them, if possible.
Leverage the local culture of cooperation.
Task: Formulate the value proposition
Clearly formulate the expectations, possibilities, and value proposition of the scheme.
Formulate advantages to the participants; consider in particular:
efficient and fast information distribution;
access to information unavailable elsewhere;
assistance in emergencies;
improved reaction to crisis situations.
Task: Raise awareness
Be pro-active in raising awareness about the needs for the scheme.
Demonstrate your scheme's advantages to the participants.
Secure C-level management support.
Educate the potential reporting staff.
Task: Build trust with the reporting parties
Show serious commitment to the project.
Build on previously existing trusted relationships.
Use an individual, differentiated approach to the partner organizations.
Invite the reporting parties and other stakeholders to get involved in the scheme's
Task: Address the private stakeholders' concerns
Establish clear rules on how will the submitted information be treated.
If necessary, separate emergency reporting from the regulatory loop.
Maintain confidentiality on network topology and other information that might be used
in business competition.
Anonymize public communication on incidents.