Verizon releases framework for reporting security incidents

Effort seeks a common language, with help from security community

SAN FRANCISCO — Verizon Business on Monday released for public use a framework for collecting and reporting information about security incidents in the hope of creating a standardized way for government and industry to share information about breaches.

“If we don’t have a common language to collect and communicate data, we are going to be handicapped,” said Wade Baker, director of risk intelligence for Verizon.

The company announced the availability of the Verizon Information-Sharing framework at the RSA Security Conference. The framework’s website also hosts a forum for VerIS users. Baker said the framework is expected to evolve with input from the security community.

“We’re not making the claim that this is perfect,” he said. Verizon also is creating an advisory board of outside security experts to oversee further development.

VerIS is based on the methodology used by Verizon to produce its annual Data Breach Investigation Reports. The reports contain information gleaned from forensics investigations of security incidents conducted by Verizon’s Investigative Response Team, which it offers as a commercial service. It examines the threat involved, asset targeted, impact of the incident and methods of control.

There is a trend toward standardizing language used to identify vulnerabilities and threats, such as the Common Vulnerabilities and Exposures dictionary sponsored by the Homeland Security Department and maintained by Mitre Corp. But so far the trend has not extended to the reporting of security incidents.

“Everybody at some level tracks major incidents,” Baker said. “But they’ve all been collecting it in different ways. It usually is an internal way of doing it,” specific to an organization.

Although security breaches are common and often make headlines, the publicly available information about them is neither consistent nor complete. “The details tend to be somewhat sketchy,” he said. “Never have I seen a classification of how the incident took place.”

Several government agencies as well as private companies had asked Verizon about using the underlying framework used to collect its report data.

“We made the decision to make the release and let others use it,” free of royalty, Baker said.

The metrics in the framework are organized in four sections:

  • Demographics, which is the largest section; “who did what to who and with what result,” Baker said.
  • Incident description.
  • Discovery and mitigation.
  • Impact.

The goal is to provide organizations with a tangible idea of the cause and severity of attacks within that organization. It also enables sharing by anonymizing the data and giving it a common format and language.

“Not everybody wants to share data, but those who do need to have a standard language,” Baker said. “There is one large government agency that is using this currently,” to classify incidents from the last three years for analysis. He said he could not name the agency.

About the Author

William Jackson is a Maryland-based freelance writer.
