The Government of Spain announced, on 23 January 2019, that it had issued a guide on the notification and management of cyber incidents (‘the Guide’), pursuant to the requirements of Royal Decree-Law 12/2018, of 7 September, on the Security of Network and Information Systems. In particular, the Guide creates a framework for the notification of incidents affecting the security of network and information systems by operators of essential services, based on a series of impact criteria, together with a scheme for managing those incidents.
Maria Berlanga, Associate at Bird & Bird (International) LLP, told DataGuidance, “One of the main novelties of the Guide is the establishment of a one-stop notification system for cyber incidents. It is designed to be a reference handbook in which every entity, public or private, citizen or agency can find a scheme and detailed guidance about how and where to report a cybersecurity incident which has occurred within its sphere of influence, regardless of whether they are obliged to report cyber incidents or do so voluntarily. In addition to entities required to report a cyber-incident under specific laws, […] any organisation may report an incident that it may consider appropriate according to criteria such as the need for the organisation to have the relevant computer security incident response team’s (‘CSIRT’) support for the investigation or resolution of the incident and/or is of benefit or general interest for the safety of the cybersecurity community.”
In addition, the Guide includes a reporting methodology for the notification of incidents by operators, based on the type of incident and its level of hazard. In this regard, the Guide classifies incidents by type, including abusive or harmful content, information gathering, and fraud, and seeks to assist the affected organisations or authorities when analysing, containing and eradicating the incident.
Berlanga continued, “[According to the reporting methodology], the procedure follows certain steps; firstly, the affected [organisation] will send an email (or ticket) to the relevant CSIRT notifying it of the incident, the relevant CSIRT will report the incident to the receiving organisation or competent authority, then the receiving organisation or competent authority will contact the affected [organisation] to collect the incident data and finally, the CNPIC, if appropriate, will make the information available to the State security bodies and to the Public Prosecutor to initiate the corresponding investigation.”
Furthermore, the Guide describes six phases for the management of incidents, which it identifies as preparation, identification, containment, mitigation, recovery and post-incident measures. Following this description, the Guide highlights that these phases should not be treated as separate steps, since in practice they overlap with one another.
Berlanga concluded, “The management of incidents is understood as the set of actions focused on preventing the occurrence of incidents and, in case of occurrence, to restore operational and security levels as soon as possible. The Guide reinforces the idea of the importance of organisations being prepared for any event that might occur and, in this sense, it provides advice that can be taken into account to prevent, detect and monitor incidents. Once an incident is identified, the priority is to contain its impact, mitigate the events, return to operational level and, finally, learn from what happened and take the appropriate measures to prevent a similar situation, in addition to improving cyberattack procedures.”
Nikos Papageorgiou, Privacy Analyst