CERT-in-a-Box

The project 'CERT-in-a-Box' and 'Alerting service-in-a-Box' is an initiative of GOVCERT.NL to preserve the lessons learned from setting up GOVCERT.NL and 'De Waarschuwingsdienst', the Dutch national Alerting service.


'CERT-in-a-Box' and 'Alerting service-in-a-Box'
21 / 07 / 2006

Results of the Alerting service

Alerting service legal products
The introduction paragraphs show that the control of liability risks in particular constitutes a specific legal question for the public function of GOVCERT.NL. The control of liability risks has been translated into the following concrete legal products:

  • Privacy statement
  • Disclaimer
  • General terms and conditions
These products are all shown in a clear location on the alerting service website. For an integral view of the aforementioned products, please see appendix {to be completed by Rafke}   

Publication of the privacy statement, a disclaimer and the general terms and conditions on the website is not specific to a government alerting service. It is recommended that each alerting service clearly communicates the terms and conditions for its services, as well as its privacy policy, to users of its services.

SMS services
The alerting service offers the opportunity to receive an alert of any ICT related security incidents via SMS. Registration for this SMS service is via the alerting service website. 

In order to be able to provide the SMS service, a service agreement has been concluded with an SMS news service supplier. This service agreement contains the guarantee that the alerting service can offer the SMS service at all times. The SMS news service supplier is, for example, responsible for managing the database of subscribers, registering and deregistering subscribers, the delivery method, the forwarding of the content provided by the alerting service and the reporting tool used for the SMS service. 

The fact that the alerting service has outsourced the processing of personal information for the SMS news service to the SMS news service supplier means that a so-called processor agreement has also been concluded between the alerting service (read ICTU) and the SMS news service supplier in accordance with the personal data protection act. The essence of this processor agreement is that the SMS news service supplier undertakes to process the personal data in accordance with ICTU's instructions, to take appropriate security measures and to maintain the necessary confidentiality with regard to the subscriber data it processes on behalf of ICTU for the alerting service's SMS news service.   

The conclusion of a service agreement and processor agreement is applicable to all alerting services that wish to offer SMS services.

Reporting point
As stated in the introduction to this chapter, GOVCERT.NL does not only support the prevention and handling of ICT related security incidents. GOVCERT.NL is also the national reporting point for ICT related security incidents.
The ICT related security incidents reporting point is housed within the alerting service. When the reporting point was set up, it used the Web Content Management System (WCMS) as developed by AusCERT. A licence agreement was concluded for the use of this WCMS, giving GOVCERT.NL access to the source code. 

It should be noted that the following activities were also undertaken to control the liability risks for the reporting point:  

  • On the alerting service's website, it clearly states what the purpose of the reporting point is. It also clearly states how to submit a report and what is done with these reports. By managing the expectations regarding the reports, liability risks can be controlled.

  • The privacy statement is amended to include the processing of subscriber data with regard to the reporting point. The privacy statement states what personal data is processed by the reporting point, for what purpose, as well as whether this information will be passed on to third parties.

Clearly communicating the purpose of the reporting point and including the personal data that will be processed for the reporting point in the privacy policy applies to all alerting services that offer the opportunity to report ICT related security incidents.



