Public sector cyber incident co-ordination procedure

Section A - Introduction

Purpose

1. This document defines the procedures for the notification and coordination of notifiable cyber incidents impacting on Scotland’s public services. Cyber incidents can quickly escalate beyond the initial victim organisation and can become a national or international emergency, such incidents require a coordinated response and a rapid sharing of threat intelligence, including Indicators of Compromise (IoCs) across the public sector.

2. This procedure is intended to define the agreed cyber incident notification process what has been adopted by the Scottish Public sector since its introduction in 2018. It assists in the additional support offered to organisations experiencing a notifiable cyber incident and is intended to increase the ability of the Scottish Public Sector to respond and mitigate against such incidents.

3. This guidance updates previous guidance and defines the circumstances under which Scottish public bodies should activate central notification and coordination procedures by:

Defining a ‘notifiable cyber incident’, and making clear how this interacts with other definitions and arrangements in operation by organisations such as NCSC and Scottish Government Resilience (SGOR).

Setting out the procedures that should be adopted to ensure effective and efficient central notification and coordination of notifiable cyber incidents, and providing a template that should be used to report cyber incidents (distributed separately).

Clarifying (within those procedures) the roles and responsibilities of individual public sector organisations and central coordinating actors, including the NCSC, Scottish Government Scottish Cyber Coordination Centre (SC3), Cyber Resilience Unit (CRU) , SGOR, Police Scotland, Cabinet Office Briefing Room (COBR), lead Scottish Government policy or operational areas, and Scottish Ministers.

Identifying the organisations that may have a wider role in incident coordination or dissemination of alerts and messages.

4. This guidance is written primarily for officials in Scottish public sector organisations who may need to be involved in cyber incident response. The ultimate purpose of this guidance is to ensure that notifiable cyber incidents, which may have the potential to impact on public services and public trust and confidence in the Scottish public sector, are managed and coordinated swiftly and effectively, ensuring that key actors are timeously informed and able to respond with advice, guidance and support as appropriate.

5. This guidance also makes clear that, to ensure an effective response to notifiable cyber incidents, Scottish public sector bodies will sometimes be asked to share sensitive information with a limited number of external central coordinating bodies. This requires a level of trust between key partners, and an assurance that material will be handled appropriately, with sensitivities around its disclosure understood.

6. Public sector organisations within the Drinking Water and Health sectors fall under the remit of the Network and Information Systems (NIS) Regulations and must report certain types of cyber incidents to their Competent Authorities. This policy is entirely focused on incidents that are reportable to Scottish Government, NCSC and Police Scotland for incident management and coordination purposes and to ensure swift support and advice can be provided where necessary. It does not replace the requirement under the NIS Regulations to formally report incidents to the relevant Competent Authority within 72 hours of an incident being identified.

7. Referrals from Health should be routed through the National Services Scotland (NSS) Centre of Excellence as the NHS Single Point of Contact.