The Development of SITIC, Swedish IT Incident Centre - PTS-ER-2006:42
29/09/2006
In 2002, the National Post and Telecom Agency (PTS) received the government assignment to establish a so-called “national centre for reporting of IT incidents”. The activities within the unit SITIC (Swedish IT Incident Centre) were established gradually from 2003 onwards. In accordance with the original task definition, SITIC was set up as a unit within PTS. As of today, SITIC has a staff of ten people and a budget of fifteen million Swedish kronor. Operations have been established in accordance with the original task definition and today SITIC is a complete, functioning and internationally established CSIRT organisation with operations during office hours.
In the task list for 2006, PTS received an assignment to present a proposal regarding how to strengthen the international role of SITIC, how to set the balance between information dissemination and reporting and how to further develop the tasks. A proposal is also requested regarding how to specify the modified organisational goals in the government instruction document for PTS.
This report describes an operational profile based on an internationally established service model. Contents and priorities for the operational profile are based on several sources: experiences from the first years of SITIC activities, international development within the field, experiences from similar organisations, input from SITIC’s existing constituency and input from other organisations in its vicinity.
The suggested operational profile involves clearer categorisation of the constituency, along with differentiation of services for the subgroups of the constituency. Office-hours operations are supplemented with some evening and weekend activity, as well as round-the-clock on-call services for part of the incident handling services. More emphasis is put on incident response, critical infrastructure activities and active contributions to joint international development and co-operation projects. Clearer focus is put on the ability to gather data through the operation of traffic monitoring systems. Proprietary periodic statistics reports are substituted by continuous situation information.
The highest prioritised services are those which gather, process or disseminate time-critical information and have relevance for the entire constituency. Then follow process-focused services with a longer time span or services dealing with measures during incidents. The third and final group is dominated by services with deep technical content.
As for legal aspects, the current secrecy legislation is considered appropriate for SITIC’s purposes, whereas a clarification may be needed regarding the possibilities for the organisation to handle IP addresses.
The suggested operational profile presumes allocation of additional funding.