Public sector cyber incident co-ordination procedure

Outlines the procedures for notifying and coordinating responses to notifiable cyber incidents affecting Scotland’s public services. It defines the agreed-upon cyber incident notification process adopted by the Scottish public sector since 2018.


Section D - Roles and Responsibilities

15. The UK and Scottish Governments, the NCSC and Police Scotland have important roles to play during notifiable cyber incidents.

16. Scottish Ministers and devolved agencies/bodies have responsibility for the consequence management of incidents that impact on Scotland. As part of these arrangements the Scottish Government, national and local responders and other key organisations in Scotland play an important role in public communication. In the event of an emergency, the public will often turn to the bodies closest to them for information and reassurance about an incident and the appropriate response to it. To ensure effective communication and avoid confusing messages, early and effective engagement between those organisations communicating with the public at all levels (UK, Scotland, local) is vital.

17. NIS Competent Authorities. Scottish Ministers for health and the Drinking Water Quality Regulator for Scotland for water have a role in incident reporting and a regulatory role but typically not an incident management role. Organisations within the health and water sector may wish to notify the external coordination bodies in line with this policy whilst also notifying their Competent Authorities in parallel to meet their reporting obligations and in doing so could use any reporting template designated by the Competent Authority.

18. In addition to the individual Scottish public sector organisations affected by notifiable cyber incidents, particularly C1-C4 incidents, a key role is played by central cyber incident coordinating bodies. These bodies support the management and coordination of all notifiable cyber incidents in Scotland. They are as follows:

  • The National Cyber Security Centre (NCSC)
  • The Scottish Cyber Coordination Centre (SG SC3)
  • The Scottish Government Cyber Resilience Unit (SG CRU)
  • Police Scotland Cyber Unit
  • Scottish Government Resilience (SGOR) (if activated)
  • Cabinet Office Briefing Room (COBR) (if activated)

19. There are also some sector/network-specific coordinating bodies that will play an important role in central coordination and management of notifiable cyber incidents, depending on the Scottish public sector organisations affected (or potentially affected). These include the following:

  • Scottish Government Cyber Security Unit (where public bodies on the SCOTS network are impacted)
  • Scottish Government Health Resilience, Scottish Government e-Health and NHS National Services Scotland (NSS)
  • Scottish Local Authorities Information Security Group (SLAISG) and Scottish Local Government Digital Office
  • HEFESTIS, shared services to College and University institutions
  • Higher Education Information Directors Scotland (HEIDS)
  • Scottish College's Information Leads (SCIL)
  • Lead Scottish Government policy areas
  • Scottish Regional and Local Resilience Partnership network

It is recognised that some bodies may have additional reporting routes, such as the HE and FE community, which will report to the Joint Information Systems Committee (JISC) as the network operator for the Janet Network. The JISC/Janet CSIRT[1] team have an “important role in central coordination and management of notifiable cyber incidents”.

20. Further information on the roles and responsibilities of these bodies is set out below.

(i) Individual Scottish public sector organisations – roles and responsibilities

21. Individual Scottish public sector organisations retain lead responsibility for the management of cyber incidents. However, they should understand the role of the NCSC when a national incident is declared as part of the National Cyber Security Incident Management Policy. The responsibilities of organisations include:

Ensuring that they have organisational cyber incident response plans in place as part of wider incident response and business continuity arrangements. These should be tested and updated regularly, with staff appropriately trained to implement them. As part of these arrangements, out-of-hours contact details should be provided to the SC3.

Working to respond to cyber incidents when they affect their organisations, either through their dedicated incident response teams or by working with service providers (including, where they are SCOTS customers, SG iTECS) or, in appropriate circumstances, the NCSC and Police Scotland (see below). This will include:

  • Identifying that there has been an incident and determining its extent and seriousness
  • Working to ensure the immediate impact is managed
  • Working to remediate the compromise and increase security across the network
  • Activating business continuity plans to ensure minimal service disruption
  • Working to preserve evidence that may be key to criminal investigations
  • Sharing threat intelligence via the Cyber Security Information Sharing Partnership (CiSP).

Activating and supporting central notification and coordinating mechanisms in the event of a notifiable cyber incident. This will entail providing incident reports and contributions to Ministerial briefings, working with central bodies to coordinate the provision of practical support from NCSC and Police Scotland, communications handling, etc.

Notifying the Information Commissioner’s Office or affected individuals of cyber incidents that involve the loss of personal data, in line with the requirements of the General Data Protection Regulation (UK GDPR) (from May 2018).

For public bodies impacted by the NIS Directive and Regulations, notifying the Competent Authority (see point 6) within 72 hours for incidents in scope as defined by the relevant Competent Authority.

22. Request further professional guidance on incident management: whilst there are other sources of professional advice and guidance available, the NCSC recommends the use of incident response companies in its Cyber Security Incident Response scheme[2] (CSIR).

(ii) Central cyber-incident coordinating bodies – roles and responsibilities

A. The National Cyber Security Centre (NCSC)

23. The NCSC is a SC3 Core partner. For the vast majority of the more serious notifiable cyber incidents (C1-C3) involving Scottish public sector organisations, the NCSC will be, or will be supporting, the lead central coordinating body. The NCSC will be responsible for collating information and intelligence from a variety of sources to provide situational awareness, victim engagement and technical advice and mitigation. Where a wider policy response is required, either the Lead Government Department, Devolved Administrations or the UK’s National Security Secretariat will usually take the lead on this particular element. The NCSC will work closely with SG SC3, SGOR, Police Scotland and other coordinating bodies to ensure that wider Scottish interests are taken into account during any incident response.

24. When an incident is declared a nationally coordinated cyber incident, NCSC (the Incident Management Team) will lead on incident management, incident response and technical support to the affected organisation. NCSC will also lead on media communications, and will work with the impacted organisations to coordinate the communications response and to ensure an agreed set of public messages.

25. When an incident falls below that of a nationally coordinated cyber incident the NCSC will assess the nature and extent of the incident and identify what support is available to the public sector body, making direct contact with their point of contact where appropriate.

26. NCSC is not a law enforcement agency. However, it does work closely with law enforcement (including Police Scotland) where appropriate. The NCSC, as the technical authority, will direct the law enforcement agency to the evidence, so that the evidence can be forensically captured.

B. Scottish Cyber Coordination Centre (SC3)

27. The Scottish Cyber Coordination Centre (SC3) has been set up within the Scottish Government to improve coordination and response to cyber incidents and significant vulnerabilities. SC3 adopts the incident and vulnerability coordination role which formerly sat within the Cyber Resilience Unit. Where required, SC3 hosts multi agency meetings for the purpose of situational awareness or direct coordination support.

28. The SC3 will, subject to SGOR activation, provide a coordination function for Scottish public sector organisations, to ensure that Scottish Ministers are appropriately briefed on notifiable cyber incidents and threats emanating from such attacks, and to ensure clarity on which organisations are leading on which activities in Scotland (thus avoiding duplication of effort).

29. Unless SGOR is activated, the SC3, working with the NCSC, will under most circumstances lead on:

  • Coordinating work to gather and disseminate any available early warning or threat intelligence and advice to the wider public, private and third sectors in Scotland, in order to facilitate appropriate preventative or mitigating action. This will be undertaken with the explicit agreement of the public body affected.
  • Supporting NCSC or Police Scotland to make appropriate contact with Scottish public sector organisations where required, or to understand any particular sensitivities in respect of the Scottish public sector. Alternatively, this role may be fulfilled by sector/network-specific coordinating bodies in certain circumstances (see below).
  • Liaising with the SG CRU and other policy areas. Coordinating work to ensure appropriate briefing and updates are provided on an ongoing basis to Scottish Ministers and key partners. This may often involve work to support sector/network-specific coordinating bodies to lead on provision of such briefing/updates.
  • In the absence of a sector/network-specific coordinating body, or a lead policy/operational area, the SC3/CRU may assume lead responsibility for briefing Scottish Ministers.
  • Agreeing lines-to-take for Scotland-specific media communications, and ensuring communications leads are engaged with each other, particularly in incidents where the NCSC has primacy on communication.
  • Providing a Cyber Resilience Early Warning (CREW) notice to Scottish public sector bodies, advising them of the incident, without referencing the specific organisation affected, and directing them to generic mitigation advice.

30. In the event that SGOR is activated, the lead on coordinating the work outlined above will transfer to SGOR. The SC3 will support SGOR structures as appropriate, including by acting as liaison with the NCSC and Police Scotland.

C. Scottish Government Cyber Resilience Unit

31. SG CRU is the lead for cyber policy and strategy within the Scottish Government and responsible for driving activity across the four Action Plans that deliver against the Strategic Framework for a Cyber Resilient Scotland. The CRU is a core SC3 partner providing direct support particularly through the Public Sector lead.

32. SG CRU will:

  • Lead on cyber policy implications of SC3 coordinated activity and consider wider communication through the Cyber Scotland Partnership and other routes available via its networks.

D. Police Scotland

33. Police Scotland is a Core SC3 partner. Police Scotland leads the criminal investigation of cyber incidents that amount to criminal acts. By definition almost all cyber-attacks on networks are in contravention of the Computer Misuse Act 1990 and are therefore criminal. That said, due to the complex nature of attacks, which can be launched indiscriminately by threat actors from anywhere in the world.

34. The precise role played by Police Scotland in responding to notifiable cyber incidents will depend on the nature of the incident. Police Scotland Cyber Crime Unit has responsibility for the criminal investigation of cyber incidents, liaising with the National Crime Agency (NCA), the NCSC and Europol. In instances of notifiable cyber-attacks the immediate consideration for public sector organisations will be the containment and management of the incident. It is important, however, that Police Scotland Cyber Crime Unit are also consulted early, in order that guidance can be provided on securing vital digital evidence should a fuller criminal investigation follow.

35. Police Scotland will:

  • Coordinate with key partners to ensure appropriate action is taken in support of any potential criminal investigation of the incident.
  • Work closely with NCSC to ensure the requirements for forensic recovery of evidence and forensic analysis for intelligence are balanced.
  • Coordinate with the SC3 to support the gathering and dissemination of any available early warning or threat intelligence and advice to the wider public, private and third sectors in Scotland, in order to facilitate appropriate preventative or mitigating action.
  • Contribute to appropriate updates/briefing on an ongoing basis for Scottish Ministers and key partners.

E. Scottish Government Resilience (SGOR)

36. When the scale or complexity of an emergency is such that some degree of central government coordination or support becomes necessary, the Scottish Government will activate its emergency response arrangements through SGOR. The precise role of SGOR will vary depending on the nature of the emergency.

37. Where SGOR is stood up to deal with a cyber incident, it will act as the liaison for the UK Cabinet Office Briefing Room arrangements (COBR) and the National Cyber Security Centre (NCSC).

38. SGOR will:

  • Provide strategic direction for Scotland
  • Coordinate and support the activity of SG Directorates
  • Collate and maintain a strategic picture of the emergency response with a particular focus on response and recovery issues
  • Brief Ministers
  • Ensure effective communication between local, Scottish and UK levels, including the coordination of reports on the response and recovery effort
  • Determine the Scottish Government's public communication strategy and coordinate national public messages in consultation with Resilience Partnerships and other key stakeholders, and
  • Disseminate national advice and information for the public, through the media.

39. In the event that UK level arrangements are initiated, SGOR will work with the COBR, the NCSC and other relevant departments to ensure a coordinated response. SGOR will be the main point of contact for Resilience Partnerships in Scotland.

F. Cabinet Office Briefing Room (COBR)

40. COBR is the UK central government’s crisis management facility. It is run by the UK National Security Secretariat crisis management teams. The decision to activate COBR rests with the UK National Security Secretariat, but the NCSC can request that COBR be activated in the event of a cyber incident, including where there is a need to draw on additional resource or make major political decisions. Where cyber incidents impact on Scotland, the Scottish Government Resilience (SGOR) arrangements will interface with COBR.

(iii) Sector/network-specific cyber-incident coordinating bodies

41. Beyond the central coordinating organisations (NCSC, SG SC3, Police Scotland, SGOR and COBR), a number of key bodies or teams are likely to have roles that are specific to certain sectors or networks within Scotland. These include the eHealth and Health Resilience teams in the Scottish Government, NHS National Services Scotland (NSS), Scottish Government Cyber Security Unit, Transport Resilience, HEFESTIS, the JISC Janet CSIRT for HE and FE and so on. When these sectors or networks are affected by a notifiable cyber incident, these bodies may take on assessment, coordination or advisory roles, following agreement with central coordinating bodies. This may include:

  • Supporting initial assessment and triage by the central coordinating bodies, and agreeing key roles on the basis of that assessment and triage.
  • Coordinating work to gather and disseminate any available early warning or threat intelligence and advice to the specific sectors or networks they cover in Scotland, in order to facilitate appropriate preventative or mitigating action.
  • Supporting central coordinating bodies to make appropriate contact with Scottish public sector organisations where required, or to understand any particular sensitivities in respect of their sectors.
  • Working with communications leads to agree media lines.
  • Providing direct technical advice or guidance where appropriate expertise exists (e.g. in SG Cyber Security Unit for the SCOTS network, or in NSS or e-Health for NHS networks, JISC Janet CSIRT for HE and FE).
  • Leading on, or contributing to, work to ensure appropriate briefing and updates are provided on an ongoing basis to Scottish Ministers, central coordinating bodies and other key partners.

42. The sector/network-specific cyber-incident coordinating bodies that may be involved in responding to notifiable cyber incidents include the following:

  • Scottish Government Health Resilience/e-Health and the NSS Information Security Team: for notifiable cyber-incidents involving Scottish NHS Boards and public bodies.
  • National Services Scotland (NSS) Centre of Excellence: Single point of contact for the coordination of cyber incidents impacting on NHS Boards.
  • Scottish Government Cyber Security Unit: for notifiable incidents involving organisations on the SCOTS network and SPOC for the SG Centre of Expertise.
  • Scottish Government lead policy areas or sponsor teams: for notifiable cyber-incidents involving public sector organisations that fall within the remit of SG policy areas or sponsor teams. This is particularly the case where policy or service delivery issues may arise.
  • Scottish Local Authority Information Security Group and/or the Scottish Local Government Digital Office: for notifiable cyber-incidents involving Scottish local authorities.
  • HEIDS/HEFESTIS/Scottish College's Information Leads (SCIL): for notifiable cyber-incidents involving the Scottish further or higher education sectors.
  • Transport Resilience: for notifiable cyber-incidents involving the Scottish transport sector.
  • Health Emergency Preparedness Resilience and Response team within Scottish Government
  • Regional and Local Resilience Partnerships. As part of Civil Contingencies Act planning, Scotland has a robust, tried and tested multi-agency coordination response based on three Regional Resilience Partnerships (RRPs - North, East and West). The generic email contacts for each RRP coordinator are wosrrp@gov.scot, nosrrp@gov.scot and eosrrp@gov.scot.

43. In addition to information sharing, these organisations may be invited to contribute on an appropriate basis to the incident response for these sectors.

This document will be updated as guidance evolves on incident coordination. Please send all comments, questions or additions to SC3@gov.scot

Contact

Email: SC3@gov.scot