This snapshot, taken on 04/03/2010, shows web content selected for preservation by The National Archives.


Incident Reporting

Incident reporting and monitoring provides the means by which unwanted events (such as virus infections, deliberate intrusions and attempted information theft) can be detected, acted upon and analysed. Check this section to find out more about:

You can also consult our Incident Handling Checklist and print it for future reference.

Reporting

For all but the smallest companies a formal incident management procedure pays dividends. This removes doubt and uncertainty, and can help ensure that events do not escalate and require stronger action.

Incidents should be reported as quickly as possible. A single point of contact makes reporting easier, and allows for collation of information, should suspect patterns of events begin to emerge.

If you suspect criminal activity, you may find our reporting incidents to the police and police contacts sections useful.

Monitoring

The incident monitoring process should include a means of analysing current and historic events. It should include information on:

  • The volume of incidents and malfunctions experienced
  • The nature of incidents and malfunctions experienced
  • The financial impact of incidents and malfunctions experienced

The process should be used to identify recurring or high impact incidents or malfunctions, and include information on the frequency and severity of incidents and malfunctions experienced.

Data collected in the incident monitoring process should be taken into account when reviewing your information security policy.

Precise reporting procedures will vary, according to the nature and extent of the incident. The following sections summarise the reporting of:

Virus Incidents

External

There is no obligation to report a virus infection. However, dealing with a severe outbreak without involving an external agency will make your life difficult, especially if effects are complex and destructive.

If you use anti-virus software and the infection has circumvented defences, your first port of call should be your anti-virus software supplier.

The major companies act as clearing houses for information on outbreaks, and have information on many variants of the thousands of viruses that exist. They also have extensive research information on possible future viruses.

Internal

Internal reporting is essential to reduce the spread of the virus code inside the company, and also to establish the source.

It can often be a breach of internal policy that has caused an outbreak, with inappropriate use of e-mail and the Internet being amongst the most common reasons why viruses have been imported.

You should have internal procedures to manage outbreaks. Your System Administrator makes the best focal point for internal reporting.

You may also wish to inform regular contacts (suppliers, partners etc) if you suspect you may have sent them a virus.

Inappropriate Usage

External

Reporting inappropriate usage depends on the type of misuse. If there is a criminal element to the event, you may wish to consider reporting it to the police. 

If you want to report illegal or offensive material on websites or newsgroups, you should contact the Internet Watch Foundation (IWF). The IWF was established by concerned Internet firms in the UK, to provide a focus for removing illicit material from the Internet.

The IWF are best placed to decide on the legality of the offending site or newsgroup, and will inform the police as appropriate.

Internal

Procedures ought to be in place for dealing with this issue, to include Human Resources, the suspect's line manager and an information security representative.

Remember that an established policy and/or code of behaviour will provide the basis for how you react to incidents, and how you report them.

Unauthorised Access

External

Reporting unauthorised access depends on the type of misuse. If there is a criminal element to the event, you may wish to consider reporting it to the police.

In some cases, reporting a criminal attack is not straightforward. For example, many companies will want to consider negative publicity issues surrounding an attack.

Internal

Internal reporting must be managed appropriately. Procedures ought to be in place for dealing with this issue, to include HR, the suspect's line manager and an Information Security function representative.

Theft

External

By definition, information theft is a criminal event. In most cases you will need to report the incident to the police; however, situations are not always so straightforward.

For example, if the theft of information highlights shortcomings in your own procedures, could the loss of reputation cause greater damage than the theft itself?

Any theft incident should be handled with care - remember that there may well be forensic evidence which should be preserved.

Internal

Internal reporting needs similar careful consideration, especially if an insider is involved. You may not want to alert the perpetrator by broadcasting that you know about the theft. HR issues should also be considered with care.

Systems Failure

External

If a systems failure is caused by an information security breach (for example, theft or unauthorised access), you may wish to consider reporting the event to the police.

Also note that you may be required by regulatory bodies to report such events. Make sure you know what you have to report in such circumstances.

Internal

The reporting of systems failure is central to recovery. An incident response team should be the prime decision-making body that decides to whom incidents are reported, and how this reporting is handled.

As with all incident reporting, the nature and impact of the event dictates subsequent actions. If the incident impacts outside your organisation, you should make sure that those who depend on you (suppliers, customers, remote workers) are included in any reporting scheme.