Obligation to notify information security incidents
- significant violations of information security
- threats of significant violations of information security or events that essentially prevent or disturb its operations.
The notification must specify the disturbance or related threat in terms of
- estimated duration
- corrective measures
- measures to prevent such disturbance from reoccurring.
The notification on a significant information security disturbance submitted to FICORA should also include, where possible, information about the cause of the disturbance or threat and how it emerged.
The disturbance notification must be made within 24 hours of the domain name registrar becoming aware of the disturbance.
For example, if the system of the domain name registrar has been intruded, it is crucial that the supervising authority is notified immediately. There is a risk that the intruder may be able to freely alter the details of the domain names managed by the domain name registrar, such as name servers. Depending on the registrar's customer base, the threat may concern a large amount of customers.
The notification is submitted preferably by email to cert(at)ficora.fi. If the information security disturbance is serious and/or the registrar needs help in examining the unauthorised changes, please call the telephone number provided to the registrars.
If some information is lacking and the event needs further examination, a so-called preliminary notification should be made within 24 hours, which can then be complemented as soon as possible but no later than three (3) days after the preliminary notification.
If, in spite of examinations, the domain name registrar cannot provide all information within three days of the preliminary notification, the information that has become available before this deadline must be notified, along with reasons why the rest of the information will be notified after the deadline.