Public sector cyber incident co-ordination procedure
Outlines the procedures for notifying and coordinating responses to notifiable cyber incidents affecting Scotland’s public services. It defines the agreed-upon cyber incident notification process adopted by the Scottish public sector since 2018.
Section B – Definitions
8. The NCSC classification matrix has 6 categories of incidents:
Category 1 | Category 2 | Category 3 | Category 4 | Category 5 | Category 6 |
---|---|---|---|---|---|
National Cyber Emergency | Highly Significant Incident | Significant Incident | Substantial Incident | Moderate Incident | Local Incident |
A fuller description of the categories has not been provided as this is for the NCSC and law enforcement to assess, not the individual organisation.
9. The NCSC categorisation does not provide guidance about the cyber incidents that Scottish Ministers expect to be notified of. As such the following definition of a ‘Notifiable Scottish Public Sector Cyber Incident’ has been established to provide this clarity.
Notifiable Scottish Public Sector Cyber Incidents are defined as incidents or attacks against Scottish public sector network information systems, or external suppliers of key systems which have one or more of the following characteristics:
Have the potential to disrupt the continued operation of the organisation or delivery of public services
Carry a likelihood that other public, private or third sector organisations may experience a similar attack, or that the incident could spread to those organisations
Could have a negative impact on the reputation of the Scottish public sector or Scottish Government
Carry the likelihood of Scottish Parliament or national media interest.
10. Scottish public sector organisations should understand this definition, incorporate it into internal incident response plans, and report any cyber incidents meeting this definition via the procedure outlined in Section C of this document. The rule of thumb should be: if in doubt, notify.
Classification By NCSC Of Notifiable Cyber Incidents
11. The NCSC, in liaison with law enforcement, will classify notified incidents with a grading that will determine the level of response at both the operational and strategic coordination levels. The following classifications have been adjusted to reflect the Scottish public sector context.
For NCSC C1 and C2 incidents, COBR and SGOR coordination arrangements are highly likely to be activated at C1, and likely at C2 depending on the severity of the incident and its wider impact and consequences. These processes are linked to the wider emergency response arrangements that are long established within the UK and Scotland.
NCSC C3 and C4 incidents are likely to see SGOR activated and taking the strategic coordination lead with support from NCSC. SG SC3 will provide the NCSC liaison role to SGOR in such instances. Where there are limited strategic consequence management issues arising from the incident but a level of coordination is required, the SC3 may lead the multi-agency coordination response.
NCSC C5 and C6 incidents are less likely to require multi-agency coordination. The SG SC3 will work with lead policy areas to provide a coordination function for Scottish public sector organisations, and ensure that Scottish Ministers are appropriately briefed on notifiable cyber incidents and threats emanating from such attacks. SG SC3 will also ensure that affected organisations are sighted on any advice and guidance available from the NCSC and Police Scotland and consider the wider intelligence dissemination interests.
Contact
Email: SC3@gov.scot