You may be obliged to report certain Information Security incidents to external authorities, such as: regulatory bodies for your industry, third party associates (for example your ISP) and law enforcement agencies. The responsibility for making such reports usually lies with senior management.

• Your organisation may unwittingly be aiding or abetting an offence by not reporting an Information Security incident to outside authorities. Future investigations could lead to your organisation as being the source of the offence.

• Identify the relevant bodies, and ascertain how to contact them, so that you are prepared for any future eventuality.
• Consider the following authorities:

1. A regulatory body associated with your industry (Banking, Medical, Engineering).
2. Local law enforcement agencies (for cases of pornography or fraud etc).
3. Trading and Standards Offices.
4. Your own organisation - in the case of law enforcement agencies or Defence.
5. Data Protection Coordinator.
6. FAST (Federation against Software Theft) or the BSA (Business Software Alliance) for copyright offences.
7. CERT® Coordination Centre.

• Consider using a specialist Information Security organisation for investigations, if you lack in-house expertise.
• Consider carefully the validity of any evidence collected before reporting it to a third party.
• You may need to take legal advice about the severity of the offence before proceeding.