
Control 6.8: Information Security Event Reporting


Summary

Personnel and contractors should be required to report any observed or suspected information security events through appropriate channels in a timely manner. Prompt reporting is essential for effective incident response and minimizing potential damage.


Applicability

In-Scope: Mandatory for all personnel. It is the primary human-based detection control and is vital for identifying threats that automated systems might miss (e.g., social engineering attempts).

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Report Phishing: Enable the Report Message add-in in Outlook to allow users to flag suspicious emails directly to the security team via Microsoft Defender for Office 365.

  • Reporting Portal: Use Microsoft Forms or a dedicated Microsoft Teams app to provide a simplified, 24/7 interface for reporting physical or digital security concerns.

  • Feedback Loop: Automate notifications using Power Automate to acknowledge the user's report and provide them with status updates, reinforcing the reporting culture.


Evidence Checklist

  • Reporting Procedure: A documented and widely communicated process for reporting different types of security events.

  • Event Logs: A record of all reported events, including the time of the report and the initial assessment by the security team.

  • Awareness Evidence: Samples of posters, emails, or Teams messages that promote a culture of proactive security reporting within the organization.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How are employees trained to recognize the types of events that warrant an immediate report?

  • What is the expected timeframe for an employee to report a suspected security event once it has been identified?

  • Can you provide an example of a security event that was reported by a staff member and show how it was subsequently triaged?

  • How do you ensure that employees feel comfortable reporting mistakes (like clicking a malicious link) without fear of immediate punishment?