
National Cybersecurity Incident Response Plan

Introduction

The National Cyber Security Center (“NCSC”) has created this framework to define its role in cybersecurity incidents in the Kingdom of Bahrain. Cybersecurity incidents vary greatly in nature; thus, this plan focuses on the elements that are common to most incidents. This plan is divided into multiple sections to address each phase of incident response separately.
For the purposes of this document, a cybersecurity incident is defined as an event that adversely affects the confidentiality, integrity or availability of an IT asset (data, a system, an application, etc.). A cybersecurity incident may also result from human error.


Roles and Responsibilities

This section addresses the roles and responsibilities of the NCSC’s staff and external entities during a cybersecurity incident:

  • National Cyber Security Center

    • Incident Manager

      Receive external alert notifications, delegate alerts to analysts, coordinate with victims during incidents when needed.

    • Security Analyst

      Analyze and validate security alerts.

    • Artefact Analyst

      Respond to security incidents. Support security analysts.

  • Affected Entity

    Report cybersecurity incidents, give the NCSC access to the data needed to analyze the incident, and, once the incident is closed, adequately address any security issues that caused or contributed to the incident.

  • Sectoral Regulator

    Report incidents and define sector-specific objectives for the response of an incident.

Threat Alerts

Typically, threat alerts are generated by the NCSC’s security infrastructure; however, external alerts may also be received. Internal alerts are validated to eliminate false positives, while external alerts are scrutinized to determine their credibility.

Threat Assessment

Once an incident has been declared, a risk assessment is performed to determine the threat level of the incident. The two main factors of threat assessment are the importance of the affected entity and the impact (or anticipated impact) of the incident.

The threat level of an incident can change as more information is discovered about the incident and the response to the incident shall be changed accordingly. Factors that may elevate the threat level are: the number of affected entities/individuals, potential social and economic impact, the threat actor involved, time-sensitivity, and visibility to the public.

The assessment and classification of an incident is handled by the NCSC.

The NCSC prioritizes incidents affecting Government entities and Critical National Infrastructure (“CNI”). Critical National Infrastructure comprises the entities that manage assets (e.g., facilities, equipment, processes, information) necessary for the country to function and upon which daily life depends. Within this infrastructure, there are certain elements so critical to the country that their loss or compromise could directly result in loss of life, cause a debilitating effect on the delivery of essential services, or otherwise cause widespread economic or social impact.

C1 - National Cybersecurity Emergency

  • Threat: threat to human life; threat to national security.

  • Response: coordinated response from the NCSC and its partners, onsite.

C2 - Very Critical Incident

  • Threat: high threat to a Government entity or CNI.

  • Response: incident response from the NCSC, typically onsite.

C3 - Critical Incident

  • Threat: moderate threat to a Government entity or CNI; high threat to large businesses.

  • Response: incident response from the NCSC, typically remote.

C4 - Moderate Incident

  • Threat: low threat to a Government entity or CNI; low to moderate threat to large businesses; any threat to medium businesses.

  • Response: alert notification from the NCSC and/or incident response from the NCSC where needed.

Engagement of Affected Entities

Once an incident has been declared, the affected entity shall be contacted by the NCSC. Experience has shown that maintaining a relationship with the entity based on mutual trust produces the best possible outcome.

Leadership

During C1 and C2 incidents, it is beneficial to have all concerned parties meet regularly for efficient communication and response. Forming two groups is optimal:


Tactical leadership group

  • National Cyber Security Center

  • NCSC Partners

  • Affected Entity’s Technical Lead

This group meets to identify operational challenges and discuss potential solutions.

Strategic leadership group

  • National Cyber Security Center

  • Affected Entity’s Technical Lead

  • Other Stakeholders

This group meets to agree on objectives, achieve situation awareness, align policy and operational responses, consult with subject matter experts (depending on the nature of the incident and the affected sector), and develop a mitigation plan. These groups may meet not only during the incident response phase but also during the recovery process.

Closing Incidents

Since incidents vary greatly, the conditions for closing each incident are different. Typically, the incident is considered closed if:

  • The security threat is identified.

  • All threats are contained and eradicated.

  • The root cause is identified.

After closing the incident, the NCSC may provide guidance to the affected entity on how to recover from the incident. For C3 incidents and above, an incident report shall be shared with the affected entity, including a proposed plan to address the root cause of the incident and advice on how to improve its security posture. An incident handler may make follow-up calls to support incident recovery.