The organization informs the authority defined in the legislation (CSIRT) without delay about disturbances that have significantly affected the provision of its services.
A disturbance is significant when at least one of the following occurs:
Notifications are made in stages according to the descriptions below. In addition, while the disruption is ongoing, the organization must deliver the status updates requested by the authority.
Early warning (at the latest within 24 hours of detecting the disruption)
More detailed notification of disruption (at the latest within 72 hours of detecting the disruption)
Final report (at the latest within 1 month of submitting the incident report)
All security incidents are addressed in a consistent manner to improve security based on what has happened.
In the incident treatment process:
The organization shall ensure that clearly designated persons are assigned incident management responsibilities, e.g. handling the first response to incidents.
Incident management personnel need to be instructed and trained to understand the organization's priorities in dealing with security incidents.
A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.
Things to report as an incident include e.g.:
The personnel guidelines emphasize the obligation to report security incidents as soon as possible in accordance with the agreed process. The instructions also describe other actions to take in the event of an incident (e.g. recording observed error messages and other details).
The authority must without delay inform those who use its information materials if a disruption affecting the authority's information management prevents or threatens to prevent the availability of the information materials. The notification must provide the following information:
a) The estimated duration of the disruption or of its threat.
b) Possible alternative ways of using the authority's information materials, if any.
c) Notice when the disruption or threat has ended.
The authority must comply with the instructions issued on informing the public about service outages of digital services and other electronic data transfer methods, as laid down in section 4(2) of the Act on the Provision of Digital Services (306/2019).
In case of major incidents, the organisation must report them to the authorities defined in their national application of DORA. Reporting of major incidents should include:
When an incident has an impact on the financial interests of clients, they must be informed as soon as possible, with the information they need about the actions taken to mitigate the incident. In the case of cyber threats, clients who might be affected should be informed, together with the protection measures they should consider taking.
The relevant competent authorities are defined in Article 46 of DORA.
When users of the organization's services are potentially exposed to a significant information security threat, the organization must communicate this to them, including all possible remedial measures that users can take themselves to protect themselves against the threat.
When necessary for clarity of communication, the organization must also include in its communication more general information about the related information security threat.
If it is appropriate from the point of view of the service provided by the organization, the organization will notify the users of its services without delay of significant disruptions that are likely to negatively affect the delivery of the services in question.
A disruption is significant when at least one of the following occurs:
The organization should regularly, at least once a year, rehearse potential disruption or attack scenarios.
The exercise can focus either on developing disturbance detection, response or management, or all of these.
Documentation of the implementation of exercises and observations must be maintained.
The organization must have a procedure for reporting disturbances, attacks and violations to the authorities. For example:
For each identified critical function, the organization should define how long an interruption can be tolerated without disrupting the organization's operations.
The definition must take into account:
The organization must create processes that identify, collect and store relevant evidence related to information security incidents. The evidence may need to be collected in a way that is admissible in relevant courts or other similar disciplinary bodies.
Regarding the evidence material, it should be possible to demonstrate e.g.:
Certification or other assurances of the competency of related personnel and tools may additionally be considered to establish more evidentiary value.
The organization shall establish means to limit the impact of the incident to a minimum. The means should correspond to the plans made and include:
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. Detection activities must comply with all relevant requirements.
The organization must define the threshold at which a security incident becomes a cyber security breach.
The organization shall determine what security events it monitors and in what ways.
Security events should be monitored from a variety of sources to identify important potential incidents that require a response. Information can be obtained e.g. directly from the management system, external partners, or logs generated by the organization’s equipment.
Examples of security incidents that can be monitored include:
When offering cloud services, the organisation needs to have planned processes or procedures for:
The organization has defined metrics that can be monitored and that relate to cyber security incident management. Good metrics help detect weaknesses in incident detection.
Possible metrics include:
The organization has defined a process and the team involved in responding promptly to security incidents and deciding on the appropriate actions.
The first level response process includes at least:
The organization must have a process for reporting a security breach that has occurred or is suspected of endangering internationally classified information to the competent security authority.
The organization must also have guidelines and procedures for detecting and reporting security breaches that have compromised classified information within the organization, and for determining to whom a security breach or suspicion thereof should be reported. In addition, it must be clear what kinds of data security deviations require contacting the authorities.
Security classified information is considered compromised when it has been revealed, or could have been revealed, to outsiders as a result of a data security incident. Several data owners (e.g. the EU) as well as valid authority approvals require immediate notification of deviations or suspicions that endanger classified information.
Incident management must also take into account:
The organization must ensure that the information or system being processed is protected from physical damage such as fire, water damage or vandalism in emergency or disruption situations, and from unauthorized intrusion and physical damage caused by electronic means, such as equipment breakage. The information or system must be protected with appropriate measures proportionate to the risk assessment.
The organisation must devote sufficient resources for monitoring user activity, anomalies in the ICT-environment, and cyber attacks.
Through monitoring, the organisation should recognise anomalies and incidents that deviate from baseline operations.
Organisations should conduct incident classification and impact assessment based on the following criteria:
The organisation should have a procedure for categorising security incidents during processing. An incident should be categorised into at least the following categories:
The incident should then be qualified based on its effects, for example into:
The incidents should then be prioritised based on their severity.
The organisation should have clear communication channels for event reporting:
The organisation should also consider the possibility of external reporting. This could mean having a system to handle security event reports from external parties, including:
The organisation should also ensure that the mechanisms and information for reporting incidents are easily accessible to all relevant reporters and establish a feedback procedure to provide timely responses and updates to those who report security events, ensuring they are informed of the outcomes and any necessary follow-up actions.
The organisation must develop a clear, comprehensive definition of what constitutes a reportable security event or observation, ensuring it covers the following categories:
The organisation must have a defined procedure for reporting incidents, and it should be communicated to the personnel:
In case of a connection loss or a fault in the network systems, such as:
The organization should ensure that their critical systems fail safely, to reduce further damage.
The organization has defined procedures for communicating with relevant authorities and parties when an incident occurs. These parties include, for example, sector-specific computer emergency response teams and the NSM NCSC.
The organization should have a defined and well-documented recovery plan. The recovery plan should be able to be initiated during or after an incident. Recovery actions and measures will vary from incident to incident, for example, the type of incident can affect the actions taken. These actions could include:
The organization should adopt a 'build back better' mindset when rebuilding ICT systems. This means that systems should be rebuilt to a better state than they were before the incident.
The organization should establish clear processes for building a timeline whenever an incident occurs. This timeline should include both the organization's actions and the threat actor's activities. The timeline should encompass:
This aids the organization in understanding the full scope of the incident and improving responses in future events.
The organization should have a clear process for enriching incident information to ensure an effective response. This process should include continuously updating event data, monitoring situational awareness, and collecting information from multiple sources. Enriching incident information should help the organization manage incidents more effectively.
Identify the extent and impact of the incident on business processes to understand how operations may be disrupted. This assessment should include a thorough evaluation of the effects on underlying ICT functions. Also, it should be examined how the incident impacts ICT services, including cloud-based applications and internal systems, as well as the various ICT systems that support business activities.
The organization should create and maintain incident response plans. The response plans should include at least:
The organization should include suppliers and other relevant third parties in its incident management process and planning, by means such as:
The organization enforces documentation policies for each incident investigation and response process:
In case of an incident the organization implements recovery measures defined in its incident recovery plan. The measures are implemented and communicated to the public to:
The organization should explain the steps being taken to recover from the incident and to prevent a recurrence.
The organization defines criteria for initiating incident recovery measures. Each incident that occurs is evaluated against these criteria to determine whether the incident recovery process shall be initiated, using at least these measures:
Document the decision-making process for initiating recovery actions and ensure that it is communicated to relevant stakeholders for transparency and alignment.
The organization should take into account environmental threats that may affect the usability of systems as part of the risk assessment process and also as part of the information security incident process.
Environmental threats include, for example:
After a disturbance, a forensic examination must be carried out on the malicious code or other remnants of the disturbance. A safe investigation in a closed environment can reveal the causes, goals and motives behind the incident. This helps the organization fix potential security vulnerabilities, prepare for similar incidents, and identify or profile a potential attacker.
The organization shall define procedures for clearly sorting detected security events. Sorting must enable the prioritizing of events according to severity and potential impact.
Sorting is intended to enhance the investigation and evaluation of security events so that, for example, a response to a disruption can be initiated quickly.
Procedures can consist of common processes, technical tools, or algorithms that utilize machine learning. Procedures need to be reviewed regularly to ensure that they work and remain appropriate for the organization's needs.
If it is difficult to identify the source of a security incident based on the initial handling, a separate follow-up analysis is performed for the incident, in which the root cause is sought.
The knowledge gained from analyzing and resolving security incidents should be used to reduce the likelihood of future incidents and their impact.
The organization regularly analyzes incidents as a whole. This process examines the type, amount and cost of incidents with the aim of identifying recurrent and significant incidents that need more action.
If recurrent incidents requiring response are identified, based on them:
The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management.
Linked personnel can be documented in an optional field of the incident documentation template.
Staff have a whistleblowing system that allows them to report breaches of security rules or procedures anonymously.
An organization may have a process for voluntarily informing a supervisory authority about certain security incidents, cyber threats or near misses.
Voluntary notifications refer to notifications of incidents other than the significant incidents whose notification is mandatory under the NIS2 directive.