Reporting a Security Incident: Once an incident has been responded to and a team has gotten involved to assess the damage and start the cleanup, the required parties will need to be informed. These parties be will responsible for getting the ball rolling whether it is legal action, an investigative process, or other requirements as necessary.
When considering how to report a security incident the following guidelines are worth keeping in mind and can prove helpful at the time of crisis:
- Adhere to known best practice and guidelines that have been previously established. These best practices and guidelines will describe how to best assess the damage and implement loss control as necessary.
- Wherever feasible refer to previously established guidelines as documented and described in the company IRP. The IRP should include guidelines on how to create a report and who to report to. Furthermore, the IRP should define the formats and guidelines for putting the report together in order to ensure that the information is actually usable by its intended audience.
- Consider the situations where it is necessary to report the incident to local law enforcement in addition to the company officials.
- Consider the situations and conditions about when and if the security incident must be reported to regulatory bodies as required by law.
- In situations where security incidents are reported outside the organization, note this in the company incident report.
During the preparation of a security incident report include all the relevant information to detail and describe the incident. The following items should be included at a minimum:
- A timeline of the events of the security incident that includes any and all actions taken during the process.
- A risk assessment that includes extensive details of the state of the system before and after the security incident occurred.
- A detailed list of any all who took part in the discovery, assessment, and final resolution (if this has occurred) of the security incident. It is important to include every person who took part in this process regardless of how important or unimportant their role may be perceived.
- Detailed listing of the motivations for the decisions that were made during the process. Documents these actions in a format that states what each action was and what factors led to the decision to take the designated actions.
- Recommendations as to what could be done to prevent a repeat of the incident and what could be done to reduce any damage that may result.
- Two sections in the report to ensure that it is usable by all parties. First, prepare a long-format report that includes specific details and actions that occurred during the security incident. Second, include an executive-level summary that provides a high level, short-format description of what occurred.
