ISMS-DOC-A06-8-1 Information Security Event Reporting Procedure

Information Security Event Reporting Procedure

classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document defines the organization’s procedure for employees and other parties to report information security events.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• A.6 People controls

o A.6.8 Information security event reporting

General guidance

Despite all the technology available to detect information security incidents, people can still be the most useful resource in observing suspicious circumstances and identifying possible security concerns. This won’t happen unless personnel understand their detective role within the organization, know what to look for, and are able to easily and quickly report their observations to the right place. Awareness training is a big part of this, but it needs to go hand in hand with a clear procedure for capturing the information and routing it correctly.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organization.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

Information Security Event Reporting Procedure

[Insert classification]

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk.

Document templates are intended to be used as a starting point only from which you will

Information Security Event Reporting Procedure

[Insert classification]

create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Information Security

Reporting Procedure

Information Security Event Reporting Procedure

Information Security Event Reporting Procedure

classification]

Revision history

Distribution

Approval

Information Security Event Reporting Procedure

classification]

1 Introduction

It has often been said that information security is everyone’s responsibility, and this is certainly held to be true within [Organization Name] It is expected that employees and third parties who come into contact with the organization’s people, locations, systems and procedures will remain vigilant to actual or potential information security issues. These may include:

• Actual breaches of security measures, such as:

o tailgating through a physical entry point

o sharing of passwords

o theft of property or information

o exposure of sensitive data, such as PII, to unauthorised persons

• Suspected information security events, such as:

o detection of a virus on a computer

o unusual activity on a system

o suspicious behaviour by people in organization locations

o becoming aware of a threat, for example via social media

• Vulnerabilities in organization systems or controls, for example:

o a door or window left open

o software vulnerabilities within bespoke or externally supplied code

o ineffective security controls

o weaknesses in procedures that may give rise to information exposure

Such events may be deliberate or accidental, but in either case the actual or potential damage to the organization must be addressed as quickly as possible.

This procedure sets out the channels that should be used to report information security events, and how these reports will be routed to roles within the organization with the relevant responsibility for investigation and action.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

•

Security Event

•

Security Incident Response

2 Information security event reporting procedure

2.1 Emergencies

If there is a threat to life or similar emergency situation, all employees and third parties are authorised to contact emergency services (such as the police or fire service) directly and without delay

2.2 Reporting channels

For internal events affecting the organization, all employees and third parties are authorised to report information security events via the appropriate channel.

The appropriate reporting channel for each type of event is as follows:

EVENT TYPE

Technical events related to the use of ICT systems, such as password violations, viruses, exposure of data, unusual activity

Physical security issues, including tailgating, inadequate security (such as unlocked doors, open windows), possible intruders.

Issues with the design or implementation of business procedures, such as not following instructions, weaknesses in the way information is handled or transferred

REPORTING CHANNEL

Help desk

Location Security

Manager or Supervisor

Other issues not defined Help desk

Table 1: Reporting channels by type of event

2.3 Reporting methods

The method used to report information security events will depend upon the urgency and nature of them. For urgent situations where an event is already occurring or is likely to happen imminently, verbal communication either face to face, or via the phone or similar real time communication method (such as videoconferencing) should be used, as there is no guarantee that other channels will be monitored sufficiently closely.

Actual or suspected information security events may be reported via one or more of the following methods, according to the type of event as listed in Table 1:

• By email, phone, SMS text, web portal or other supported channel to the [Organization Name] help desk:

o Email: support@organization.com

o Phone: +1 234 567 8910

Information Security Event Reporting Procedure

o SMS text:

o Web portal:

• For physical intrusions, such as a suspected unauthorised person within a building, location security should be contacted by phone either directly on +1 234 567 8911 or via the appropriate building reception on 4444

• An immediate manager or supervisor may be informed face to face, or via any of the internal communication channels available, such as email or messaging

2.4 Information required

When reporting an information security incident, the following details should be provided:

• Name, role, department, location and contact details

• A description of the nature of the event

• An indication of the urgency of the event

• If available, an assessment of the potential impact of the event

For events reported to the help desk, this will result in a help desk ticket being raised and a unique number assigned.

Where events are reported to other channels (for example location security or a manager), the recipient should also keep a record of the date and time of the report and the information provided, for future reference.

2.5 Dealing with the report

The recipient of the report will be responsible for assessing it and deciding what action should be taken next. This could be one of:

• Direct action to address the event

• Escalating it to another team for further assessment or action

• Asking for more information

• Deciding that no further action is required

Where appropriate, the Information Security Event Assessment Procedure will be used to determine whether an event should be treated as an incident. For events that are assessed to be actual or potential serious incidents, the Information Security Incident Response Procedure may be invoked.