The Security Technical Instruction (ITS) on Notification of Security Incidents establishes the criteria and procedures by which the entities within the subjective scope of application of Laws 39/2015 and 40/2015 must notify the National Cryptologic Centre (CCN) of those incidents that have a significant impact on the security of information and services, in relation to the category of the system, in order to respond adequately to the mandate of Chapter VII, Response to security incidents, of Royal Decree 3/2010, of 8 January, which regulates the National Security Framework (ENS) in the field of electronic government.
After stating its object and scope of application, this ITS addresses matters such as the criteria for determining the impact level, the mandatory notification of incidents with a high, very high or critical impact level, the evidence required for high, very high and critical incidents, the obligation to forward incident statistics, the notification of impacts received, the development of automated tools to facilitate notifications, and the legal status of notifications and communications of information, plus an additional provision detailing notification when the incident concerns personal data. Its most important aspects are as follows:
- Paragraph 3 sets out the criteria for determining the impact level of the incident.
- Paragraph 4 determines the cases in which, depending on the impact level, there is an obligation to report the incident to the CCN-CERT.
- Paragraph 5 specifies the evidence that the CCN-CERT may request for significant security incidents.
- Paragraph 6 sets out the obligation of Public Administrations to produce security incident statistics and forward them to the CCN-CERT, together with the rest of the information received about the incidents.
- Paragraph 7 deals with the notification of impacts received to the CCN-CERT when their impact level so requires.
- Paragraph 8 describes the automated tools available for notifications under this Security Technical Instruction. In particular, it cites the LUCIA tool (Listado Unificado de Coordinación de Incidentes y Amenazas, Unified List for the Coordination of Incidents and Threats), developed by the CCN to automate the mechanisms for notification, communication and exchange of information on security incidents, as required by Guide CCN-STIC 817.
- Paragraph 9 sets out the legal framework applicable to the notifications and communications of information described in this instruction.
- Paragraph 10 adds an additional provision covering several issues relating to data protection, in anticipation of the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679). When the incident affects personal data, notification to the competent supervisory authority takes place regardless of the incident's impact level under the ENS.
The ENS provides, in Article 29(2), for Security Technical Instructions as essential elements for the proper, uniform and consistent implementation of the requirements and measures it contains. These Security Technical Instructions regulate specific aspects that day-to-day practice has shown to be particularly significant, such as: Report on the state of security; Notification of security incidents; Security audit; Conformity with the ENS; Acquisition of security products; Use of cryptology in the ENS; Interconnection in the ENS; and Security requirements in outsourced environments.