Good Practice Guide Reporting Security Incident
Status
Task/Recommendation
Offer incident reporting as a channel to improve communication with customers.
Promote information sharing as a way to increase efficiency and reduce cost of the
participants' business continuity processes.
In the network fault area, contribute to the costs of upgrades, if required.
Balance your reporting requirements with the load they place on reporting parties'
resources.
Do not require too much reporting while the stakeholders are responding to the incident.
Stage: Setting The Reporting Procedure
Task: Set the reporting requirements
Prepare a list of reportable information, including:
o contact information;
o time and location of the incident;
o status information;
o incident description;
o incident impact; and
o incident handling description.
Use categorized variables in order to assist incident prioritization.
Use a unique incident ID to manage larger volumes of update reports.
Standardize the reporting format if a large number of reports is expected or if statistical
analyses are planned.
Automate for very large volumes of reports.
Widely publicize the selected reporting channels among your constituency.
Introduce your scheme as the single point of contact for reporting incidents within the
eCommunications sector.
Retain informal procedures for low reporting volumes and for emergencies.
Invite quick alerts through any channel; keep alternative channels for emergency
reporting.
Have the initial report filed as soon as possible; updates can be sent later.
Ask for the most detailed information in a concluding report.
Consider a secure and resilient voice bridge as a tool for emergency response.
Offer assistance to the reporting parties: issue guidelines, keep clarifying the
requirements in informal communication.
Task: Introduce prioritization mechanisms
Use human review to prioritize incidents in any scheme that requires follow-up action.
Use thresholds and in-built categorization as pre-filters in schemes with large volumes of
reports. Even in that case, use human review.
If using in-built categorization, consider differentiated deadlines for reporting, with the
most severe incidents reported in the shortest time.
For emergency response, maintain a 24/7 service to review incident reports.
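The sketch below is an added example, not part of the guide: it shows one way to automate intake of a standardized report, keying updates by incident ID and pre-filtering by category and threshold while still routing every report to human review. The field names, severity categories, deadlines, threshold and the users_affected field are constructed assumptions.

```python
from datetime import datetime, timedelta

# The guide's list of reportable information (time and location as two keys).
REQUIRED = ("contact", "time", "location", "status",
            "description", "impact", "handling")
SEVERITIES = ("low", "medium", "high")       # constructed categories
DEADLINE = {"high": timedelta(hours=1),      # constructed deadlines:
            "medium": timedelta(hours=24),   # most severe incidents
            "low": timedelta(hours=72)}      # are due soonest
USERS_THRESHOLD = 10_000                     # constructed pre-filter value


def validate(report):
    """Return a list of problems; an empty list means the report is complete."""
    problems = [f"missing {k}" for k in REQUIRED if not report.get(k)]
    if not report.get("incident_id"):
        problems.append("missing incident_id")
    if report.get("severity") not in SEVERITIES:
        problems.append("severity is not a known category")
    return problems


def merge_update(store, report):
    """Fold an update into the stored report that has the same incident ID."""
    current = store.setdefault(report["incident_id"], {})
    current.update({k: v for k, v in report.items() if v not in (None, "")})
    return current


def triage(report):
    """Pre-filter by category and threshold; a human still reviews every report."""
    severity = report["severity"]
    if report.get("users_affected", 0) >= USERS_THRESHOLD:
        severity = "high"                    # threshold can raise, never lower
    due = datetime.fromisoformat(report["time"]) + DEADLINE[severity]
    return {"incident_id": report["incident_id"], "priority": severity,
            "initial_report_due": due, "human_review": True}


# Constructed sample: a quick initial alert, then a fuller update.
INITIAL = {"incident_id": "INC-0001", "severity": "medium",
           "contact": "noc@operator.example", "time": "2024-01-01T10:00:00",
           "status": "open", "description": "core router outage"}
UPDATE = {"incident_id": "INC-0001", "location": "Site A",
          "impact": "voice service degraded", "handling": "failover started",
          "users_affected": 25_000}
```

The initial report is accepted even though validate() lists missing fields, matching the advice to file early and complete the details in later updates.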
Task: Establish follow-up procedures
Set procedures for information updating.
o In emergency response schemes, update the incident information and status
continuously until the incident is closed.
o Use informal follow-up calls to complete the information with the reporting