ISO/IEC 27035-4:2024
Information technology — Information security incident management — Part 4: Coordination
This document provides guidelines for multiple organizations handling information security incidents in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident management of an individual organization and provides guidelines for an individual organization to adapt to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to perform coordination activities supporting the cross-organization incident response. The principles given in this document are generic and are intended to be applicable to multiple organizations to work together to handle information security incidents, regardless of their types, sizes or nature. Organizations can adjust the guidance given in this document according to their type, sizes and nature of business in relation to the information security risk situation. This document is also applicable to an individual organization that participates in partner relationships.
Technologies de l'information — Gestion des incidents de sécurité de l'information — Partie 4: Coordination
International Standard
ISO/IEC 27035-4
First edition
2024-12
Information technology — Information security incident management — Part 4: Coordination
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Overview  2
4.1 General  2
4.2 Coordination team  3
4.3 Principles of coordination  4
4.3.1 Timeliness principle  4
4.3.2 Roles and responsibilities principle  4
4.3.3 Common understanding principle  4
4.3.4 Confidentiality principle  4
5 Coordinated incident management process  4
5.1 Overview  4
5.2 Coordinated plan and prepare  5
5.3 Coordinated detect and report  6
5.4 Coordinated assessment and decision  7
5.5 Coordinated respond  8
5.6 Coordinated learn lessons  9
6 Guidelines for key activities of coordinated incident management  10
6.1 Developing coordination policies  10
6.2 Establishing communications  11
6.3 Threat and event information sharing  11
6.3.1 Overview  11
6.3.2 Information types  12
6.3.3 Establishing information sharing relationships  13
6.3.4 Participating in information sharing relationships  14
6.4 Conducting coordinated exercises  16
6.5 Building trust  17
Annex A (informative) Examples of information security incident management coordination  19
Bibliography  22
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 27035 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
Coordination is an important aspect in information security incident management. Incidents crossing
organizational boundaries can occur and cannot be easily resolved by a single organization. Emerging
threats are becoming increasingly sophisticated and can have a much larger impact than previously. The
characteristics of emerging threats and attacks make it more urgent than ever to coordinate incidents
across organizations.
Coordination can include relevant parties both within and outside the organization. For example, relevant
parties within the organization include business managers and representatives from IT; external interested
parties include incident response teams of external organizations and law enforcement organizations. See
ISO/IEC 27035-2:2023, Clause 8 for a complete list. This document, however, only considers coordination
between multiple organizations. This document provides guidelines for multiple organizations to work
together to handle information security incidents. The coordination activities occur throughout the
information security incident management process as defined in ISO/IEC 27035-1.
This document addresses the coordination of information security incident management between multiple
organizations. Incidents sometimes involve technical vulnerabilities. Guidance on the coordination,
disclosure, and handling of technical vulnerabilities is provided by ISO/IEC 29147 and ISO/IEC 30111.
Additional information on the coordination of technical vulnerabilities between multiple organizations is
provided by ISO/IEC TR 5895.
International Standard ISO/IEC 27035-4:2024(en)
Information technology — Information security incident
management —
Part 4:
Coordination
1 Scope
This document provides guidelines for multiple organizations handling information security incidents
in a coordinated manner. It also addresses the impacts of external cooperation on the internal incident
management of an individual organization and provides guidelines for an individual organization to adapt
to the coordination process. Furthermore, it provides guidelines for the coordination team, if it exists, to
perform coordination activities supporting the cross-organization incident response.
The principles given in this document are generic and are intended to be applicable to multiple organizations
to work together to handle information security incidents, regardless of their types, sizes or nature.
Organizations can adjust the guidance given in this document according to their type, sizes and nature
of business in relation to the information security risk situation. This document is also applicable to an
individual organization that participates in partner relationships.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management systems —
Overview and vocabulary
ISO/IEC 27035-1, Information technology — Information security incident management — Part 1: Principles
and process
ISO/IEC 27035-2, Information technology — Information security incident management — Part 2: Guidelines to
plan and prepare for incident response
ISO/IEC 27035-3, Information technology — Information security incident management — Part 3: Guidelines
for ICT incident response operations
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27035-1,
ISO/IEC 27035-2, ISO/IEC 27035-3 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
incident response team
IRT
team of appropriately skilled and trusted members of an organization that responds to and resolves
incidents in a coordinated way
Note 1 to entry: There can be several IRTs, one for each aspect of the incident.
Note 2 to entry: Computer Emergency Response Team (CERT)¹⁾ and Computer Security Incident Response Team
(CSIRT) are specific examples of IRTs in organizations and sectorial, regional, and national entities wanting to
coordinate their response to large scale ICT and cybersecurity incidents.
[SOURCE: ISO/IEC 27035-1:2023, 3.1.2]
3.2
coordinated incident management
CIM
process for IRTs from multiple organizations to work together to handle information security incidents
3.3
community
group of associated organizations, individuals and groups sharing common interests
Note 1 to entry: Impacted communities are the groups of people and associated organizations affected by the provision
of security services, projects or operations.
[SOURCE: ISO 22300:2021, 3.1.39]
4 Overview
4.1 General
Coordination is an important aspect in information security incident management. As stated in
ISO/IEC 27035-1, coordination can occur throughout the information security incident management
process, and the responsible roles for coordination should be taken by the incident management team (IMT)
and the incident coordinator. Coordination can include both internal and external parties (see a full list
of these parties in ISO/IEC 27035-2:2023, Clause 8). Among different parties, there are different degrees
of coordination relationships. Some coordination relationships are loose, only involving information
disclosure, such as the contacts with internal representatives from the legal department, public relations,
or external parties like law enforcement and media. Other coordination relationships are dense, targeting
incident response, which involves working with multiple internal incident response teams, or the incident
response teams from external organizations and internet service providers (ISPs). See Annex A for
examples of information security incident management coordination. ISO/IEC 27035-1, ISO/IEC 27035-2
and ISO/IEC 27035-3 focus on guidelines for information security incident management within a single
organization, and internal and external coordination activities are only briefly covered. This document
gives further detail on coordination between multiple organizations, and can benefit different organizations
to achieve a structured and effective cross-organization incident response. Figure 1 illustrates the scope of
this document.
1) CERT is an example of a suitable product available commercially. This information is given for the convenience of
users of this document and does not constitute an endorsement by ISO or IEC of this product.
Figure 1 — Illustration of the scope of this document
Good coordination between multiple organizations is easier to achieve when the organizations
use an incident management process (see ISO 22320). Based on the incident management process defined
in ISO/IEC 27035-1, the coordinated incident management process can be illustrated as in Figure 2. The
guidelines on the coordinated incident management process and its key activities are generic, which allows
flexibility so that coordination can be applied to incident management partially or entirely as needed (e.g.
the loose coordination case which only involves information disclosure is also applicable).
Figure 2 — Illustration of coordinated incident management process for multiple organizations
4.2 Coordination team
The coordination team is a special type of incident response team. It usually works as an independent entity
which focuses on incident management coordination. The coordination team has the following features.
a) The coordination team focuses on activities including information exchange, information sharing and
response coordination. It is possible that the coordination team does not implement incident response
activities directly. It facilitates efficient incident management coordination and cooperation among
multiple members. By making full use of the resources of each member, it helps to realize information
sharing between members and throughout the entire community.
b) The coordination team should have a defined service constituency. The constituency is usually based
on a geographic location or a business domain. Typical examples of coordination teams based on
geographical regions are national incident response teams and regional incident response teams in
international regions or within a country. The main reason for setting up a coordination team based on
industry sectors is that organizations in the same industry face similar cybersecurity risks. Thus, the
appeal and value of information sharing and response coordination is greater.
c) The coordination team acts as a central point in the incident management coordination. Multiple
coordination teams can be arranged in a peer mode or a hierarchical mode. The coordination team and
the members can be regarded as forming a community, whereby the coordination team acts as a central
point when coordination is needed between multiple members. If the impact of the incident exceeds the
coordination team’s constituency or capability, the coordination team should contact another relevant
coordination team or relevant community member for assistance.
4.3 Principles of coordination
4.3.1 Timeliness principle
Information security incidents are highly time-sensitive. Any threat information and incident status has a
certain validity period. Therefore, all parties should agree on the time requirements of each item before
performing incident management coordination and observe the agreed time in the coordinated incident
management process.
4.3.2 Roles and responsibilities principle
Clear roles and responsibilities should be defined for incident management coordination activities. When
working under a coordination model with multiple organizations involved, it is important for all parties to
know the role that they play and what their respective responsibilities are under the model. In this manner,
all parties know what is expected of them to enable cohesion and minimise confusion. In addition, where the
lead coordinator role changes (e.g. depending on the content and context of the specific incident), criteria
should also be established to determine who leads coordination for that incident.
4.3.3 Common understanding principle
Communicating and coordinating incident response information can be difficult unless the organizations
involved utilize shared vocabulary. Organizations should use a common language and terminology to support
the exchange of information and facilitate understanding. Also, by adopting a common taxonomy to classify
information and standardizing data exchange format, organizations can have common understanding of the
security information shared by others. A common understanding can help organizations to reach consensus
and ensure their goals are consistent in the incident management coordination.
4.3.4 Confidentiality principle
During the incident management coordination, it is possible for organizations involved to carry out
information communication or exchange. Organizations should be careful to protect secret business
information and personal sensitive information when transmitting information to external parties. They
should consult their legal department to formulate confidentiality rules for information exchange.
5 Coordinated incident management process
5.1 Overview
As illustrated in Figure 2, the coordinated incident management process has the same phases as the incident
management process as defined in ISO/IEC 27035-1, namely:
— coordinated plan and prepare (see 5.2);
— coordinated detect and report (see 5.3);
— coordinated assess and decide (see 5.4);
— coordinated respond (see 5.5);
— coordinated learn lessons (see 5.6).
Figure 3 shows an overview of the activities in the coordinated incident management process, covering:
— coordinated activities for multiple organizations to complete together;
— the impacts on the internal activities of an individual organization and the adaptation to be made;
— if a coordination team exists, the coordination activities it performs.
Figure 3 — Overview of coordinated incident management process
5.2 Coordinated plan and prepare
In the coordinated plan and prepare phase, organizations in the community reach an agreement on
coordination policies and public framework, establish communication channels, and conduct training and
collaborative exercises to enhance incident response capability and mutual trust. Every organization should
appoint an incident coordinator responsible for the incident management coordination of the community,
and make sure that the organization’s incident management team (IMT) grants authority to the incident
coordinator and approves all planning and preparation activities.
The coordinated plan and prepare activities include, but are not limited to:
a) reach an agreement on coordination policies (see ISO 22397), including but not limited to:
— memoranda of understandings (MOUs), or non-disclosure agreements (NDAs);
— the purpose, scope and resources of coordination;
— information sharing rules, and requirements of removing sensitive information;
— event tracking and coordination processes.
b) establish communication channels, including temporary channels, such as telephone, email and meetings,
as well as regular channels. Periodic meetings of incident coordinators from organizations in the
community, either offline or online, are a good way to improve understanding and build mutual trust.
The data exchange format and transmission mechanisms for information sharing should be determined to
make the information exchange process as secure and automated as possible;
c) conduct training and exercises on coordination in the community.
The adaptation of an individual organization’s internal activity includes:
d) appointing an incident coordinator responsible for the incident management coordination of the
community, and making sure that the organization’s incident management team (IMT) grants
authority to the incident coordinator and approves all planning and preparation activities;
e) establishing organizational information sharing, disclosure, and incident management coordination
policies;
f) establishing and preserving appropriate relationships and connections with the community;
g) checking internal circumstances and solving conflicts.
The coordination team performs the following activities to achieve coordination:
h) providing neutral advice and facilitating the accomplishment of the above activities.
5.3 Coordinated detect and report
During the coordinated detect and report phase, the community encourages all members to actively share
threat intelligence. It establishes a threat information exchange mechanism and takes technical measures to
ensure the security of information transfer channels. Organizations of the community analyse the collected
information to make further assessment and decision-making.
Threat information exchange is based on trust. The following elements can be considered:
a) exchanging threat information should have the ability to support members' anonymity;
b) taking effective measures to protect the security of information related to reported vulnerabilities and
incidents and to prevent information leakage;
c) attempting to automate as much of the information sharing process as possible;
d) ensuring that threat information sharing mechanisms have the ability to support broad participation.
In addition to structured threat information expression and automatic exchange, these mechanisms
should also allow information in any format, such as email and verbal.
The adaptation of an individual organization’s internal activity includes:
e) sharing threat intelligence as quickly as possible, in accordance with the pre-established approval
process for shared information; threat intelligence is most valuable when it is shared quickly;
f) performing data sanitization or scrubbing to remove sensitive pieces of data from the incident
information without disturbing the information on precursors, indicators, and other technical
information;
g) analysing the captured internal incident threats and external threat intelligence shared by the
community to identify suspicious incidents. Automated measures should be applied in threat
information collection, processing, and use;
h) ensuring that the necessary measures are taken to protect information shared with the team by other
organizations;
i) ensuring all the shared information is managed by the responsible incident coordinator for the
community, and that the incident coordinator coordinates with other internal incident coordinators to
enhance overall information security situation awareness.
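As an added illustration of item f), not part of ISO/IEC 27035-4 and not code from any project it references, the following Python script scrubs an organization's own identifiers from a constructed incident record before it is shared, while keeping the technical indicators (file hash, external address, external domain and sender) intact. The internal domain name and address ranges are assumptions standing in for an organization's real values, and the sample record is constructed for the demonstration. The final check lists anything internal that survived, which is the review a coordinator would want before release.

```python
"""Data scrubbing before sharing incident information with a community.

Added example, not taken from ISO/IEC 27035-4: removes an organization's own
identifiers (staff e-mail addresses, internal hostnames, internal IP addresses)
while leaving technical indicators (hashes, external addresses and domains)
untouched so the shared record remains useful to partners.
"""
import ipaddress
import re

# Assumed organization-specific values (placeholders, not from the standard).
INTERNAL_DOMAINS = ("corp.example.internal",)
INTERNAL_NETWORKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)

# Constructed sample incident record used for the demonstration.
SAMPLE_REPORT = (
    "Host ws-1137.corp.example.internal (10.20.30.41) connected to 203.0.113.77\n"
    "User jdoe@corp.example.internal opened invoice.zip sent from billing@bad-example.net\n"
    "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    "C2 domain updates.bad-example.net; escalated by alice.smith@corp.example.internal\n"
)

EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def is_internal_host(host, domains=INTERNAL_DOMAINS):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def is_internal_ip(addr, networks=INTERNAL_NETWORKS):
    # Only the organization's own ranges count; documentation ranges such as
    # 203.0.113.0/24 stay visible because they may be genuine indicators.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def sanitize(text, domains=INTERNAL_DOMAINS, networks=INTERNAL_NETWORKS):
    """Replace internal identifiers with labelled tokens; keep everything else."""
    def scrub_email(m):
        return "[REDACTED-EMAIL]" if is_internal_host(m.group(1), domains) else m.group(0)

    def scrub_ip(m):
        return "[REDACTED-IP]" if is_internal_ip(m.group(0), networks) else m.group(0)

    def scrub_host(m):
        return "[REDACTED-HOST]" if is_internal_host(m.group(0), domains) else m.group(0)

    # E-mail addresses first, so an internal mailbox's domain part is never
    # left behind for the hostname pass; then addresses; then dotted names.
    text = EMAIL_RE.sub(scrub_email, text)
    text = IPV4_RE.sub(scrub_ip, text)
    return HOST_RE.sub(scrub_host, text)


def indicators(text):
    """Technical indicators a partner needs: hashes, external IPs, external names."""
    hashes = set(SHA256_RE.findall(text))
    ips = {ip for ip in IPV4_RE.findall(text) if not is_internal_ip(ip)}
    no_mail = EMAIL_RE.sub(" ", text)  # mailboxes are handled separately
    hosts = {h for h in HOST_RE.findall(no_mail)
             if not is_internal_host(h) and not IPV4_RE.fullmatch(h)}
    return hashes, ips, hosts


def residual_internal(text):
    """Internal identifiers still present; must be empty before the record is shared."""
    hosts = [h for h in HOST_RE.findall(text) if is_internal_host(h)]
    ips = [ip for ip in IPV4_RE.findall(text) if is_internal_ip(ip)]
    return hosts + ips


if __name__ == "__main__":
    cleaned = sanitize(SAMPLE_REPORT)
    print(cleaned)
    print("indicators unchanged:", indicators(cleaned) == indicators(SAMPLE_REPORT))
    print("residual internal data:", residual_internal(cleaned))
```

The two-pass design (scrub, then independently verify with `residual_internal`) matters more than the particular patterns: the release check is written without reference to the scrubbing rules, so a gap in one is caught by the other. In practice the internal domain and network lists come from the organization's asset inventory rather than being hard-coded.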
The coordination team performs the following activities to achieve coordination:
j) receiving and aggregating information. Automated measures should be applied in threat information
collection, processing, and use;
k) performing information dissemination and alerts notification.
5.4 Coordinated assessment and decision
For the coordinated assess and decide phase, organizations in the community should work together to assess
the impact of a specific incident and decide on the initiation of coordination.
The coordinated assessment and decision activities include, but are not limited to:
a) initiate the coordination request for a specific incident. In the community, there are three possible cases
of initiating coordination requests:
— One organization becomes aware of a possible incident and finds that the incident cannot be under
its own control, so the coordination request is initiated by the organization’s responsible incident
coordinator for the community;
— The coordination team becomes aware of a possible incident from reporting or information
sharing within the community. The coordination team discovers that the incident involves multiple
organizations and initiates the coordination request;
— Multiple organizations initiate the coordination requests almost at the same time and after assessing
the similarity and correlation, multiple requests merge into a single one.
b) assess whether an incident occurred or not, and decide to start the coordination for the incident in the
community;
c) assess the impact of the incident and the involved organizations who should participate;
d) assess the available resources that can be provided by the participating organizations;
e) ensure that the incident coordinators of all participating organizations are involved in the assessment
and decision process. The incident coordinators should gather internal related data and obtain necessary
authority from their organizations.
The adaptation of an individual organization’s internal activity includes:
f) when aware of an incident not under its own control, the organization should identify the relevant
community and distribute incident information to the responsible incident coordinator of the
community;
g) the responsible incident coordinator identifies whether a coordination request is needed to initiate
the coordination process, or whether a coordination process for the incident already exists in the
community, and accordingly notifies the relevant incident response teams to prepare.
The coordination team performs the following activities to achieve coordination:
h) conducts an overall assessment of the reporting and information sharing of the community, and analyses
the relevance and correlation of the information from multiple sources;
i) discovers any abnormalities and assesses the impact;
j) generates timely alerts to the whole community, and when necessary, makes a decision to start response
coordination.
5.5 Coordinated respond
For the coordinated respond phase, only the organizations involved in the incident should participate.
All participating organizations work together to determine the coordinated incident response plan, then
implement their parts accordingly back in their organizations. The incident coordinators of participating
organizations are key roles to coordinate both the internal and external response activities.
The coordinated response activities include, but are not limited to:
a) identify which organization will lead the response activities; it is recommended to let the coordination
team lead, if one exists. Also identify the associated roles and responsibilities of all parties involved in the
incident response;
b) conduct a combined investigation of the incident. The incident coordinators of participating
organizations coordinate internal IRTs to conduct an internal investigation, sharing necessary
information and participating in a combined investigation of the incident;
c) develop the coordinated incident response plan together. The internal incident response teams of
participating organizations develop the coordinated incident response plan, under the coordination
of their organizations’ incident coordinators. The development is iterative; every organization
should provide timely feedback on applicability and validity. The coordinated incident response plan
should determine the activities for every participating organization to perform, and the arrangement
can be described by a matrix (see Table 1 for an example). The steps to create a matrix are:
— identifying response activities required to respond to the incident and assigning the response
activities to the top row;
— assigning the participating organizations to the left column;
— linking each response activity with the participating organizations.
Table 1 — Example of matrix
Activity 1 Activity 2 Activity 3 … Activity N
Organization A X
Organization B X X X X
Organization C X X X
…
Organization M X X X
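The three matrix-building steps above, carried through as an added Python example that is not part of ISO/IEC 27035-4: a list of (organization, activity) assignments is turned into a Table 1 style matrix, and the matrix is then checked for the gaps an incident coordinator would want to catch before the plan is accepted, namely activities nobody owns, participants with no task, and activities that rest on a single organization. Organization and activity names are constructed placeholders.

```python
"""Response-assignment matrix for a coordinated incident response plan.

Added example, not taken from ISO/IEC 27035-4: builds a matrix in the layout
of Table 1 (activities across the top, organizations down the side) and
reports coverage problems in the draft plan.
"""

# Constructed sample plan; names are placeholders.
ACTIVITIES = ["Block C2 traffic", "Reset credentials", "Preserve evidence", "Notify customers"]
ORGANIZATIONS = ["Organization A", "Organization B", "Organization C"]
ASSIGNMENTS = [
    ("Organization A", "Block C2 traffic"),
    ("Organization B", "Block C2 traffic"),
    ("Organization B", "Reset credentials"),
    ("Organization B", "Preserve evidence"),
    ("Organization C", "Reset credentials"),
    ("Organization C", "Preserve evidence"),
]


def build_matrix(orgs, activities, assignments):
    """Return {org: {activity: bool}} with True where the org performs the activity.

    An assignment naming an unknown organization or activity is rejected rather
    than silently dropped, since a typo here would leave a task unowned.
    """
    matrix = {org: {act: False for act in activities} for org in orgs}
    for org, act in assignments:
        if org not in matrix:
            raise ValueError(f"unknown organization: {org!r}")
        if act not in matrix[org]:
            raise ValueError(f"unknown activity: {act!r}")
        matrix[org][act] = True
    return matrix


def unassigned_activities(matrix, activities):
    """Activities that no participating organization has taken on."""
    return [a for a in activities if not any(row[a] for row in matrix.values())]


def idle_organizations(matrix):
    """Participating organizations with no activity in the plan."""
    return [org for org, row in matrix.items() if not any(row.values())]


def single_owner_activities(matrix, activities):
    """Activities that depend on exactly one organization (no fallback)."""
    return [a for a in activities if sum(row[a] for row in matrix.values()) == 1]


def render(matrix, activities):
    """Plain-text rendering in the layout of Table 1."""
    width = max(len(org) for org in matrix) + 2
    lines = [" " * width + "  ".join(activities)]
    for org, row in matrix.items():
        cells = [("X" if row[a] else "").ljust(len(a)) for a in activities]
        lines.append(org.ljust(width) + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(ORGANIZATIONS, ACTIVITIES, ASSIGNMENTS)
    print(render(m, ACTIVITIES))
    print("unassigned activities:", unassigned_activities(m, ACTIVITIES))
    print("idle organizations:", idle_organizations(m))
    print("single-owner activities:", single_owner_activities(m, ACTIVITIES))
```

With the constructed sample, "Notify customers" is reported as unassigned, which is exactly the kind of gap the iterative feedback in step c) is meant to surface before the plan is implemented.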
d) implement the coordinated incident response plan to achieve the containment, eradication and recovery
of the incident. The IRTs of participating organizations take response actions within their organization.
Each participating organization should follow its internal criteria and meet the requirements of its
part according to the coordinated incident response plan. The incident coordinators of participating
organizations supervise the internal response progress of their organization, jointly evaluate it against overall
expectations, and make adjustments to the coordinated incident response plan when necessary;
e) review and confirm the resolution of the incident. The incident coordinators of participating
organizations lead the internal review of the response activities and together complete the joint incident
report. The incident coordinators should submit the joint incident report to the incident management
teams (IMTs).
f) after resolution of the incident, participating organizations should follow a closure process of the
coordination relationships and consider whether a coordinated post incident activity is required,
including:
— combined further investigation;
— alert notification to the whole community.
The adaptation of an individual organization’s internal activity includes:
g) participate actively in the development of the coordinated incident response plan. The internal IRTs should
conduct an internal investigation, verify the applicability and validity of the plan under development, and
share necessary information for the development of the coordinated incident response plan;
h) take response actions required by the coordinated incident response plan. The internal IRTs should
follow the internal criteria of their organization and report the internal response progress to the
incident coordinator to coordinate with overall expectations;
i) perform the internal review of the response activities to draft a joint incident report and provide the
required assistance to the coordinated post-incident activity, after the incident has been resolved.
The coordination team performs the following activities to achieve coordination:
j) provide technical support and tackle the obstacles between multiple organizations during the
development and implementation of the coordinated incident response plan;
k) supervise the overall response progress and coordinate for unexpected problems;
l) after resolution of the incident, play a key role in the required post incident activity, e.g. lead the
combined further investigation, release the alert notification to the whole community and follow up.
5.6 Coordinated learn lessons
In the coordinated learn lessons phase, a single organization or multiple organizations in the community
jointly evaluate the incident response process, especially the coordination process. Organizations review
the process, identify and document lessons learned from the coordination, and improve the information
security incident response and coordination process in a continuous iteration. The activities in this phase
are mainly carried out and coordinated by the incident coordinators of the relevant organizations, including:
a) reviewing, identifying, and improving the implementation of information security controls (new or
updated controls), and incident management coordination process;
b) reviewing the effectiveness of existing policies, rules, processes and tools throughout the information
security incident response and coordination process, and making appropriate adjustments;
c) performing comprehensive evaluation of the performance and effectiveness of the participating
organizations;
d) communicating and sharing the results of review within a trusted community (if so desired);
e) deciding whether and to what extent the incident information, related attack vectors and vulnerabilities
can be shared with partner organizations or communities, to assist in preventing the same event from
recurring in their environment.
6 Guidelines for key activities of coordinated incident management
6.1 Developing coordination policies
Coordination policies are the foundation for organizations in the community to perform incident management
coordination. The coordination policies should provide the common vision, principles, procedures, as well
as financial support for organizations to handle information security incidents together. The coordination
policies can generally include contractual aspects, operational aspects, financial aspects and ethical aspects.
a) Policies in contractual aspects can include:
1) rules for joining and leaving the community, also multiple grades of membership can be adopted;
2) non-disclosure agreements (NDAs) outlining confidential material, knowledge, or information that
can be shared within a certain range but require restricted access. The community can choose
different levels of NDAs according to the actual needs, e.g. NDAs with strict policies can help to build
trust, while NDAs with moderate policies can increase participation.
b) Policies in operational aspects can include:
1) the benefits and responsibilities of members. Generally, if the responsibilities are clearly described
to members in the community, they are more likely to be active, and therefore obtain greater
benefits, whereas only basic responsibilities can result in loose connections and fewer benefits;
2) the requirements and responsibilities of the members’ personnel. Each organization should appoint
an incident coordinator responsible for the incident management coordination of the community;
3) the coordination process, specifying a set of conditions that require coordination, timing
requirements in coordination activities and operational mechanisms to organize multi-party
response activities;
4) training and exercises programmes;
5) media policies complying with information disclosure policies.
c) Policies in financial aspects can include:
1) whether a fee is needed for membership, and whether multiple grades of membership can involve
fee differences;
2) funding policies for member organizations to hold events such as meetings and trainings, or for an
individual to attend events.
d) Policies in ethical aspects can include:
1) a code of conduct describing expected behaviour for anyone involved. This code of conduct
covers various kinds of activities, both online and offline, organized by the community, including
coordination communication, meetings, trainings, and special events. A code of conduct can help to
create inclusive, open, collaborative and enjoyable environments.
When applying these policies, the community should follow some principles including: considering
compliance with applicable legislation, being fair to all members and ensuring transparency by providing
timely information. The coordination team, if it exists, can be a central point in sustaining the operation of
the community and the implementation of policies. Otherwise, members can hold a secretariat to undertake
the function, for example, a secretariat consisting of the incident coordinators of some of the member organizations.
6.2 Establishing communications
It is important for the community to establish and maintain communication between members. Members
are encouraged to begin using communication as early as the initial assessment when trying to understand
what is happening or what has happened. The community should ensure the communication is timely, open
and accurate. Multiple (separate and different) communication mechanisms should be established in case of
the failure of one mechanism. The communication mechanisms can generally be divided into two categories:
ad hoc mechanisms and partially automated mechanisms.
a) Ad hoc mechanisms include email, instant messaging clients and the phone. Traditionally, the
communication has occurred through ad hoc mechanisms. Ad hoc communication mechanisms tend to
rely on employees’ personal connections with peers in partner organizations. The employees use ad
hoc channels to manually communicate with peers for sharing information and coordinating incident
response activities. These ad hoc mechanisms can be the most cost-effective way of sharing information
with partner organizations. However, because ad hoc mechanisms are not robust, they can fail easily,
for example, when an experienced employee resigns. Thus, it is recommended that organizations
designate two or more employees as backups. For the incident coordinators or other important roles,
it is better to have multiple communication mechanisms. Periodic meetings of incident
coordinators, either offline or online, are a good way to improve understanding and build mutual trust.
In addition, ad hoc mechanisms tend to require more manual intervention and are more resource-
intensive to process than partially automated mechanisms, since the information exchanged over ad
hoc communication channels can lack standardization.
b) Partially automated mechanisms are desirable for making inter-organizational communication efficient.
Organizations should attempt to automate as much of the communication process as possible. In reality,
it is not possible to fully automate the communication process, nor is it desirable due to security and
trust considerations. Organizations should aim to achieve a balance of automated process overlaid with
human-centric processes. According to the community’s needs, the partially automated communication
solutions can support several aspects:
1) Information sharing: The inter-organizational communication is mainly used to share information.
To automate information sharing, the community should choose the data exchange model and
enabling technical transport mechanisms. The members in the community should agree on the data
exchange models to ensure that the models are compatible with their incident response systems. It
is recommended to select existing standards for data exchange models when the members need to
represent the information. Then, members in the community should agree on the technical transport
mechanisms for enabling the information exchange to occur in an automated fashion. The transport
mechanisms include the transport protocol for exchanging the information, the architectural model
for communicating with an information resource, and the applicable ports and domain names for
accessing an information resource.
2) Managing contact relationships: An organization should maintain various contact channels with
peers in the community. It is an efficient way to use technical methods to automate the management
of the contact relationships.
3) Utilizing integrated communication: It is possible to integrate multimedia communication facilities
and personal communication devices as partially automated communication channels. Examples
include video conference systems for convenient communication during incident management
coordination, enabling short or instant messages which can be automatically pushed to the
responsible employee when important alerts are received.
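The following is an added example, not part of ISO/IEC 27035-4, of the contact-relationship management and redundant-channel ideas in 6.2: a constructed community directory lists each member's incident coordinator and backup contacts with several channels, and an alert is delivered with failover from channel to channel and from coordinator to backup. The organization names, addresses and the send callbacks are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Contact:
    name: str
    channels: List[Tuple[str, str]]  # (mechanism, address), tried in this order


@dataclass
class MemberOrg:
    name: str
    coordinator: Contact
    backups: List[Contact] = field(default_factory=list)  # tried after the coordinator


# Constructed community directory: hypothetical organizations and addresses.
COMMUNITY: List[MemberOrg] = [
    MemberOrg("Org-A",
              Contact("A. Coordinator", [("email", "irt@org-a.example"), ("sms", "+10000000001")]),
              [Contact("A. Backup", [("phone", "+10000000002")])]),
    MemberOrg("Org-B",
              Contact("B. Coordinator", [("email", "irt@org-b.example")]),
              [Contact("B. Backup", [("im", "b-backup@chat.org-b.example")])]),
]

# A sender takes (address, message) and reports whether delivery succeeded.
Sender = Callable[[str, str], bool]


def notify_community(message: str, senders: Dict[str, Sender]) -> Dict[str, str]:
    """Push an alert to every member organization.

    For each member, the coordinator's channels are tried in order; if none
    delivers, the backup contacts are tried the same way. The result maps the
    organization name to "<contact> via <mechanism>" or "UNREACHED", so the
    coordination team can see at a glance who still needs a manual call.
    """
    result: Dict[str, str] = {}
    for org in COMMUNITY:
        delivered: Optional[str] = None
        for contact in [org.coordinator, *org.backups]:
            for mechanism, address in contact.channels:
                send = senders.get(mechanism)  # unknown mechanism: skip, keep going
                if send is not None and send(address, message):
                    delivered = f"{contact.name} via {mechanism}"
                    break
            if delivered:
                break
        result[org.name] = delivered or "UNREACHED"
    return result
```

Real deployments would plug actual email, SMS or chat clients into the `senders` map; the simulated callbacks in the test show the failover behaviour.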
Organizations should protect sens
...