I'm currently looking into reporting processes in information security and I was wondering what kind of information should be reported when an IT security event or incident occurs.
The definitions of those would be (taken from ISO/IEC 27000:2016):
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant
information security incident
single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
To give a bit of context: Think of a really large company that has about 150 locations. Most of these locations employ around 30 up to 500 employees. I would estimate the median to be about 120 employees. All in all we are talking about roughly 70,000 employees. Each location has its own reporting process. This doesn't mean that there are 150 different processes; most of them will look pretty much the same with only minor differences. I would guess that there are probably 4 types of processes out there at the moment:
- process type 1 (70% of all locations have this)
  - an incident occurs
  - the affected employee reports the incident to the people responsible for IT security in this specific location
  - the affected employee fills out a form that requires him to put in a very small set of information
  - the form is sent to the technical staff located on-site, who then try to fix the problem
- process type 2 (15% of all locations have this)
  - an incident occurs
  - the affected employee reports the incident to the technical staff or someone he/she thinks is responsible, but there is no-one responsible for IT security on-site
  - the affected employee fills out a form that requires him to put in a very small set of information
  - the form is sent to the technical staff located on-site, who then try to fix the problem
- process type 3 (10% of all locations have this)
  - an incident occurs
  - the affected employee reports the incident to a big central location that manages all IT infrastructure for several locations, including this one. There is no-one responsible for IT security on-site.
  - the affected employee fills out a form that requires him to put in a very small set of information
  - the form is sent to the technical staff at the central location, who then try to fix the problem
- process type 4 (5% of all locations have this)
  - an incident occurs
  - the affected employee cannot report the incident, because there is no-one responsible for IT security on-site or at the central location specifically for this site
  - the affected employee tries to come up with a solution him/herself and then contacts a third-party vendor
  - no information is put into any forms
This situation itself is problematic, but this is not all. From time to time, information security incidents happen in bulk at several locations. If the incidents happen at locations where there are also people responsible for IT security on-site, most of the time these people are qualified enough to call the central location and warn them about a possible company-wide security threat. The central location can then react and pull in all the forms that have been filled out by affected employees. In cases like this, the right information that helps to solve/fix incidents like this is very valuable.
You can imagine, that for a company this big, basically every kind of attack is possible/probable. There are a lot of security controls in place, but it still happens.
My question is: What kind or type of information should that be in an environment like the one described?
How can I design a form in such a way that it is easy enough to fill out for non-tech-savvy personnel, but informative enough for technical staff to gain good and interesting information to fix a grave IT security incident?
EDIT 1: This company has a company-wide CERT that is located at the central location, and the CERT is where the forms would be analyzed. I will edit this question again later on to provide some more details on what exactly I have in mind.
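As an added example (not part of the question above), here is what the central CERT could do with the forms once they arrive: the bulk-incident situation the post describes, where the same thing hits several sites at once, only becomes visible if the form carries a few structured fields that can be grouped on. The field set below (`location`, `category`, `indicator`, ...) is a hypothetical minimal schema chosen for the example, not a recommendation from the post, and the sample reports are constructed.

```python
"""Correlating per-location incident report forms at a central CERT.

Added example, not taken from the question. The form fields and the sample
reports are assumptions made up for the demonstration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IncidentReport:
    report_id: str
    location: str          # site identifier (hypothetical naming scheme)
    reported_at: datetime
    category: str          # coarse pick-list value chosen by the reporter
    affected_asset: str    # user, device or service as the reporter sees it
    symptom: str           # free-text description in the reporter's words
    indicator: str = ""    # optional machine-groupable detail (sender, URL, ...)


# Fields the (hypothetical) form cannot be submitted without.
REQUIRED_FIELDS = ("report_id", "location", "reported_at",
                   "category", "affected_asset", "symptom")


def missing_fields(form: dict) -> list[str]:
    """Return the names of required fields that are absent or empty."""
    return [name for name in REQUIRED_FIELDS if not form.get(name)]


def find_multi_site_clusters(reports, window=timedelta(hours=24), min_sites=3):
    """Group reports by (category, indicator) and flag groups that reach
    at least `min_sites` distinct locations inside a time `window`.
    For each key only the largest such cluster is returned."""
    by_key = defaultdict(list)
    for r in reports:
        by_key[(r.category, r.indicator)].append(r)

    clusters = []
    for (category, indicator), group in by_key.items():
        group.sort(key=lambda r: r.reported_at)
        best = None
        for i, first in enumerate(group):
            # Every later report within `window` of this starting report.
            inside = [r for r in group[i:]
                      if r.reported_at - first.reported_at <= window]
            sites = {r.location for r in inside}
            if len(sites) >= min_sites and (
                    best is None or len(sites) > len(best["locations"])):
                best = {
                    "category": category,
                    "indicator": indicator,
                    "locations": sorted(sites),
                    "report_ids": sorted(r.report_id for r in inside),
                    "first_seen": inside[0].reported_at,
                    "last_seen": inside[-1].reported_at,
                }
        if best is not None:
            clusters.append(best)
    return sorted(clusters, key=lambda c: c["first_seen"])


# Constructed sample: the same phishing mail reported from four sites within
# a few hours, one unrelated malware report, and a late straggler outside the
# 24 h window.
T0 = datetime(2017, 3, 6, 8, 0)
SENDER = "sender=billing@example.invalid"
SAMPLE_REPORTS = [
    IncidentReport("r1", "site-017", T0, "phishing",
                   "user j.doe", "mail asks to open attached invoice", SENDER),
    IncidentReport("r2", "site-042", T0 + timedelta(hours=1), "phishing",
                   "user m.mueller", "invoice mail, opened attachment", SENDER),
    IncidentReport("r3", "site-017", T0 + timedelta(hours=2), "phishing",
                   "user k.lee", "same invoice mail as colleague", SENDER),
    IncidentReport("r4", "site-088", T0 + timedelta(hours=5), "phishing",
                   "user a.rossi", "suspicious invoice mail", SENDER),
    IncidentReport("r5", "site-103", T0 + timedelta(hours=6), "phishing",
                   "user p.novak", "invoice mail, did not open", SENDER),
    IncidentReport("r6", "site-005", T0 + timedelta(hours=3), "malware",
                   "pc-0123", "antivirus popup on startup"),
    IncidentReport("r7", "site-020", T0 + timedelta(days=3), "phishing",
                   "user s.kim", "old invoice mail found in inbox", SENDER),
]


if __name__ == "__main__":
    for c in find_multi_site_clusters(SAMPLE_REPORTS):
        print(f"{c['category']} [{c['indicator']}] at {len(c['locations'])} "
              f"sites between {c['first_seen']} and {c['last_seen']}: "
              f"{', '.join(c['report_ids'])}")
```

The point of the grouping key is the trade-off the question is about: `category` is a pick-list a non-technical reporter can handle, and `indicator` is the one piece of detail (here the sender address) that lets the CERT tell "four sites got the same mail" apart from "four unrelated phishing reports". Reports that carry no indicator still group by category, so the form stays usable when the reporter has nothing more to offer.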