Much of critical incident management is essentially information management. Deciding how much information to report can be difficult. In dangerous field situations where there are many security-related incidents, which incidents do you report? In some cases, over-reporting can be problematic: important incidents may get lost in the paperwork, or those receiving the reports may become so accustomed to security reports on routine incidents that they fail to distinguish between major and minor security incidents.
So how do you decide which security incidents to report and which ones not to report?
Security incident reporting thresholds
In high-risk environments, many small incidents occur, sometimes on a daily basis. It is not necessary to treat every security incident, or the news of every incident, as a critical incident. It is important to match your response to the need, and to modify the overall reporting level so that in the event of a significant security incident, important details do not become lost in the paperwork. In general, there are three levels of information to consider in your security reporting. There are some incidents that you should:
The brief descriptions below explain each of these levels in more detail. Note that this is general guidance for security incident reporting; your own organization may have specific policies or rules which you should follow. Before going to the field you should know to whom or to which office in your organization you should report such incidents.
Report the incident immediately if:
Include in your next regular periodic report if:
Don’t report:
Critical incident management refers to actions that take place after a serious security incident has happened. However, many tools and preparedness measures needed to respond appropriately must be in place before the incident occurs.
The stages of critical incident and response that managers should understand are:
Several useful tools and measures should be in place to afford the manager full ability to respond effectively to a critical incident. These include:
Not every security incident is a critical incident and not all security incidents should be reported. In general, there are three levels of security incident reporting that should be considered:
Standard formats and templates for security reporting can be helpful as information checklists to promote completeness of the report.