
Notification and Management of Cybersecurity Incidents in the Public Sector

The Guide aims to be an action protocol for notifying and managing cybersecurity incidents that may affect National Public Sector agencies.

August 23, 2023

Through Resolution No. 3/2023, the Undersecretariat for Information Technologies approved the Guide for Notification and Management of Cybersecurity Incidents, drafted by Argentina’s Computer Emergency Response Team (CERT.ar). The Guide is aimed at the Public Sector, the Cybersecurity Focal Points, and the CERTs of the National Public Administration.

The purpose of the Guide is to establish a common taxonomy and classification of security incidents, together with notification guidelines that allow organizations to respond promptly, in an orderly manner, and effectively to the cybersecurity incidents affecting them. It was developed on the basis of international cybersecurity guidelines and documents issued by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the International Telecommunication Union (ITU), and the Best Practices Guide for Incident Management of the European Union Agency for Cybersecurity (ENISA).

The most relevant sections include:

Taxonomy and classification of cybersecurity incidents: this section defines a taxonomy for classifying the cybersecurity incidents to be notified to CERT.ar, in order to facilitate the reporting process and the subsequent analysis, containment, and eradication. Incidents are classified into abusive content, harmful content, obtaining information, intrusion, availability, information compromise, indication of fraud, vulnerable asset, and others.

Notification of cybersecurity incidents: this section details the procedure to follow when an incident needs to be reported to CERT.ar, including the information to be communicated, the suggested criteria to be used, and a reference to how impact and criticality levels are assigned in each case. It also states that incidents must be reported within 48 hours of learning that they occurred or potentially occurred. The section also provides information on the Traffic Light Protocol to be used when handling incidents, the types of reports to be made and their content, and the different follow-up statuses for managed incidents.

Management of cybersecurity incidents: this section describes the stages of the security incident management process: preparation, identification, containment, remediation, recovery, and post-incident activity. It also identifies the actions and activities that should be carried out at each stage.

Good practices for reporting cybersecurity incidents: this section lists a series of recommendations regarding digital evidence, including its definition, characteristics, and the principles governing it. It also recommends observing the "Protocol for the identification, collection, processing, and presentation of digital evidence" approved through Resolution No. 232/23 of the Ministry of Security.

Find more information about the Guide here.