Spain has become the first country in the European Union to have a single framework for the notification and management of cyber-security incidents.
The Spanish National Cyber-security Incident Notification and Management Guide, approved by the National Cyber-security Council, is a technical document that sets a benchmark for notifying and managing cyber-security incidents within Spanish territory. It is addressed to both the public and private sectors and standardises the criteria in this field.
The Guide establishes a “one-stop” notification mechanism, which means that incidents are reported only to the relevant institution (CSIRT): the National Cryptologic Centre of the National Intelligence Centre (CCN-CERT) for the public sector, and the National Cybersecurity Institute (INCIBE-CERT) for the private sector.
The Guide comprises a classification system for incidents, which are sorted into ten categories: abusive content (e.g. spam), harmful content (e.g. malware), information gathering (e.g. network traffic monitoring), intrusion attempt (e.g. access to credentials), intrusion (e.g. compromised applications), availability (e.g. DDoS), compromised information (e.g. lost data), fraud (e.g. phishing), vulnerable (e.g. weak cryptography) and other.
Each incident is associated with a particular level of danger, defined according to the risk the incident would pose to the affected organisations’ systems if it materialised. There are five levels of danger: critical, very high, high, average and low. Additionally, the Guide sets up an impact indicator to assess the post-incident consequences for the organisation’s or company’s activities and systems. Depending on this indicator, the impact is rated critical, very high, high, average or low. There is an extra category, “no impact”, for cases where the incident caused no damage at all.
As for the management of cyber-security incidents, the Guide establishes a six-step process to prevent incidents and to handle them properly when they do occur. The phases are: preparation (e.g. updated policies), identification (e.g. network monitoring), containment (e.g. information assessment and classification), mitigation (e.g. recovery of the latest backup copy), recovery (e.g. restoring activities) and post-incident actions (identification and analysis of the origin of the incident and of its costs).