Notification of a Security Incident

This section contains descriptions about who can report an incident, how an incident can be reported, how it should be communicated, and the points of contact within an organization.

Who Can Report an Incident

A security incident can be reported by anyone, but it is typically reported by one of the persons listed below, who are involved in the installation, monitoring, support, or management of the organization's products or services at customer sites (the following list is not all-inclusive):

  • Geographically-based (geo-based) customer account managers

  • Computer system administrators

  • Security administrators

  • Security managers

  • Technical support engineers or field engineers and related staff physically located outside of the organization's main sites, at customer sites, or at customer service centers

  • Enterprise's customers, partners, or vendors

  • Enterprise's employees and/or contractors

Communication Entry Points

An incident can be reported in multiple ways, including but not limited to the following:

  • Phone calls, e-mail messages, or faxes of an incident description to the organization's security personnel

  • Reports to the enterprise's CSIRT

  • Reports to the organization's security web site, following the procedures and conditions listed on the site (for example, for high urgency)

  • security@company.com alias of the enterprise

  • Organization's or enterprise's customer service centers

It is important to note that the organization's geo-based customer account manager is jointly responsible for the organization's security site, along with the organization's security officer for that geographic area. Together, they form the VSCIRT team that follows up on the incident.

Communication

The organization's security officer and/or worldwide security manager should communicate through a well-known email alias with all of the parties that need to be aware of a compromise and its implications. Established secure communication mechanisms should be deployed to accomplish this.

Executing information dissemination procedures includes, but is not limited to, contacting users affected by an intrusion, security personnel, law enforcement agencies, vendors, and other security incident response teams, internal or external to the enterprise.

What constitutes a security incident must be stated in writing and published on an internal web site available to all staff. Priority definitions must be provided for all types of reported emergencies.

Explicit Nature of Communication

All notification information must be clear, concise, and fully qualified using a standard notification form, specified by the organization's security advisory group. Bear in mind that choice of language and cultural differences are important factors for communication.

Factual Information—Written and Spoken

Written information must be factual and sent through fax or email in a secure manner. When information is transmitted verbally, it should describe the incident clearly without generating undue alarm or confusion.

Technical and Non-Technical Explanation

Depending on the parties involved in processing an incident, it could be necessary to clearly explain the security incident in a technical manner, as well as in a non-technical manner.

Points of Contact

The primary, incident-related points of contact (POCs) are the organization's geo-based customer account manager, who is responsible for the installation of products and services at the customer site, and the geo-based security officer. Alternatively, or on a temporary basis, the POC could be an employee from the enterprise's CSIRT, such as a security administrator, or any enterprise employee on a hotline (for example, a technical support engineer). This POC must be the focal point for collecting and disseminating information until other arrangements are made by the geo-based security officer.

External Contacts

The enterprise's corporate security must maintain contacts with the local security manager, the organization's worldwide security managers, and the country's federal law enforcement agencies, as necessary, during the course of an incident.

The enterprise's security coordinators, who could be members of the corporate security team or an independent organization, must maintain a contact list, including the following:

  • CERT (http://www.cert.org)

  • FIRST (http://www.first.org)

  • CSIRTs outside of the enterprise

  • Internet service providers

  • Customer (constituency) site security contacts

  • Other sites that are external to the constituency

  • Participating vendors and partners

  • Security experts

  • Media contacts
