Reporting of security events

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things to report as an incident include e.g.:

• unauthorized access to data / premises
• action against security guidelines
• suspected security issue (e.g. phishing, malware infection)
• data system outage
• accidental or intentional destruction / alteration of data
• lost or stolen device
• compromised password
• lost physical identifier (e.g. keychain, smart card, smart sticker)
• suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other operations in the event of an incident (e.g. recording seen error messages and other details).

Management shall define responsibilities and establish procedures to ensure an effective and consistent response to security incidents.

Management must ensure e.g.:

• interference management has clear responsibilities
• there is a documented process for responding, handling and reporting incidents

The process must ensure e.g.:

• staff have a clear contact point / tool and instructions for reporting incidents
• the reported security breaches will be addressed by qualified personnel in a sufficiently comprehensive manner

The organisation should have clear communication channels for event reporting:

• Establish and maintain adequate communication channels for security event reporters, ensuring that:
• A common point of contact for reporting events is identified and communicated to all relevant parties.
• Different reporting channels are available based on the perceived severity of events, including real-time communication options for significant emergencies and asynchronous methods (e.g., tickets, email) for less urgent matters.

Organisation should also consider the possibility of external reporting. This could mean having a system to handle security event reports from external parties, including:

• An externally accessible and well-communicated method for reporting security events.
• Defined procedures for responding to and addressing security event reports from external sources.

The organisation should also ensure that the mechanisms and information for reporting incidents are easily accessible to all relevant reporters and establish a feedback procedure to provide timely responses and updates to those who report security events, ensuring they are informed of the outcomes and any necessary follow-up actions.

Organisation must develop a clear, comprehensive definition of what constitutes a reportable security event or observation, ensuring it covers the following categories:

• Personnel misconduct or misbehavior.
• Intrusion, theft, unauthorized access to security zones, and vulnerabilities in security zones.
• Cybersecurity incidents such as vulnerabilities in IT systems, and detected successful or unsuccessful cyber-attacks.
• Supplier and partner incidents that could negatively impact the security of the organization.

Organisation must have a defined procedure for reporting of incidents and it should be communicated to the personnel:

• Design and implement effective reporting mechanisms tailored to perceived risks.
• Ensure these mechanisms are well communicated and accessible to all employees, stakeholders, and relevant parties to facilitate timely and accurate reporting of security events.
• Conduct training sessions and awareness programs to ensure that all relevant employees and stakeholders understand the definition of reportable security events and are familiar with the reporting mechanisms.