S 6.125 Establishment of a central contact point for reporting security incidents
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer
To make the registration of security incidents more efficient, it should be examined whether a central contact point for reporting security incidents should be established.
In practice, there are two ways to report security incidents:
- All malfunctions/incidents (including security incidents) are reported to the central incident contact point, which is usually the service desk in the first level of incident management.
- Security incidents are reported to a specific contact person from security management who works in a separate alarm centre.
The following lists the advantages of recording all incidents centrally:
- Most users are not able to judge whether or not an incident is a security-related incident.
- Security management could use existing infrastructure and processes in IT service management for security incidents.
- Information on security incidents could be administered in a central database together with the information on other incidents. Central administration in a shared database is possible when strong authentication is used and the tool used provides sufficiently sophisticated authorisation management. However, such authentication and authorisation mechanisms reach the limits of what is practically feasible fairly quickly.
Note: It may be useful to handle security incidents that violate the security policies separately (for example in the case of internal attacks).
However, a central incident contact point also has a disadvantage: more personnel must be trained in security-related matters, and the trustworthiness of all employees working in the central point of contact needs to be examined, so that sensitive information on the incidents is not passed on to the general public without authorisation.
If the government agency or company decides to establish a central contact point for reporting security incidents, then the employees working there should be provided with the resources and procedures needed to detect security incidents (for example, an overview of the protection requirements of the systems supported). The information security training required in this case should not be underestimated (see S 6.129 Training service desk employees how to handle security incidents). If a central point of contact is established, then it must also be possible to reach this point of contact during normal working hours. Information on security incidents must be handled confidentially by the employees of the point of contact.
Review questions:
- Is it guaranteed that the contact point for reporting security incidents can be reached during normal working hours?
- Are the employees of the central incident contact point adequately trained and have they been sensitised to issues related to information security?
- Is information on security incidents handled confidentially by the employees of the point of contact?
- Do all employees know who to contact to report security incidents?