Notification of a Security Incident
This section contains descriptions about who can report an incident, how an incident can be reported, how it should be communicated, and the points of contact within an organization.
Who Can Report an Incident
A security incident can be reported by anyone, yet it is typically reported by any of the persons listed below, who are involved in the installation, monitoring, support, or management of the organization's products or services at the customer sites (the following list is not all-inclusive):
Geographically-based (geo-based) customer account managers
Computer system administrators
Technical support engineers or field engineers and related staff physically located outside of the organization's main sites, at customer sites, or at customer service centers
Enterprise's customers, partners, or vendors
Enterprise's employees and/or contractors
Communication Entry Points
Reporting an incident can happen in multiple ways, as indicated below, but are not limited to the following:
Phone calls, e-mail messages, or faxes of an incident description to the organization's security personnel
Reports to the enterprise's CSIRT
Reports to the organization's security web site, following the procedures and conditions listed on the site (for example, for high urgency)
email@example.com alias of the enterprise
Organization's or enterprise's customer service centers
It is important to note that the organization's geo-based customer account manager is jointly responsible for the organization's security site, along with the organization's security officer for that geographic area. Together, they form the VSCIRT team that follows up on the incident.
The organization's security officer and/or worldwide security manager should communicate through a well-known email alias with all of the parties that need to be aware of a compromise and its implications. Established secure communication mechanisms should be deployed to accomplish this.
Executing information dissemination procedures include, but are not limited to, contacting users affected by an intrusion, security personnel, law enforcement agencies, vendors, and other security incident response teams, internal or external to the enterprise.
What a security incident covers must be stated in a written format and provided on an internal public web site. Priority definitions must be provided for all types of reported emergencies.
Explicit Nature of Communication
All notification information must be clear, concise, and fully qualified using a standard notification form, specified by the organization's security advisory group. Bear in mind that choice of language and cultural differences are important factors for communication.
Factual InformationWritten and Spoken
Written information must be factual and sent though fax or email in a secure manner. When information is transmitted verbally, it should describe the incident clearly without generating undue alarm or confusion.
Technical and Non-Technical Explanation
Depending on the parties involved in processing an incident, it could be necessary to clearly explain the security incident in a technical manner, as well as in a non-technical manner.
Points of Contacts
The primary, incident-related points of contact (POCs) are the organization's geo-based customer account manager, who is responsible for the installation of products and services at the customer site, and the geo-based security officer. Alternatively, or on a temporary basis, the POC could be an employee from the enterprise's CSIRT, such as a security administrator, or any enterprise employee on a hotline (for example, a technical support engineer). This POC must be the focal point for collecting and disseminating information until other arrangements are made by the geo-based security officer.
The enterprise's corporate security must maintain contacts with the local security manager, the organization's worldwide security managers, and the country's federal law enforcement agencies, as necessary, during the course of an incident.
The enterprise's security coordinators, who could be members of the corporate security team or an independent organization, must maintain a contact list, including the following:
CSIRTs outside of the enterprise
Internet service providers
Customer (constituency) site security contacts
Other sites that are external to the constituency
Participating vendors and partners