Control 6.8: Information Security Event Reporting
Summary
Personnel and contractors should be required to report any observed or suspected information security events through appropriate channels in a timely manner. Prompt reporting is essential for effective incident response and minimizing potential damage.
Applicability
In-Scope: Mandatory for all personnel. It is the primary human-based detection control and is vital for identifying threats that automated systems might miss (e.g., suspicious social engineering).
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Report Phishing: Enable the Report Message add-in in Outlook to allow users to flag suspicious emails directly to the security team via Microsoft Defender for Office 365.
- Reporting Portal: Use Microsoft Forms or a dedicated Microsoft Teams app to provide a simplified, 24/7 interface for reporting physical or digital security concerns.
- Feedback Loop: Automate notifications using Power Automate to acknowledge the user's report and provide them with status updates, reinforcing the reporting culture.
Evidence Checklist
- Reporting Procedure: A documented and widely communicated process for reporting different types of security events.
- Event Logs: A record of all reported events, including the time of the report and the initial assessment by the security team.
- Awareness Evidence: Samples of posters, emails, or Teams messages that promote a culture of proactive security reporting within the organization.
Practical Audit Advice
Here are some questions the auditor might ask:
- How are employees trained to recognize the types of events that warrant an immediate report?
- What is the expected timeframe for an employee to report a suspected security event once it has been identified?
- Can you provide an example of a security event that was reported by a staff member and show how it was subsequently triaged?
- How do you ensure that employees feel comfortable reporting mistakes (like clicking a malicious link) without fear of immediate punishment?