[Rev. 6/20/2022 8:19:55 AM]
[NAC-480 Revised Date: 5-22]
CHAPTER 480 - SECURITY OF INFORMATION SYSTEMS
480.100 Definitions.
480.110 “Certification” defined.
480.115 “Cybersecurity incident response plan” defined.
480.120 “Data breach” defined.
480.125 “Detect” defined.
480.130 “Distributed denial of service” defined.
480.135 “Incident” defined.
480.140 “Incident response” defined.
480.145 “Information system” defined.
480.150 “Office” defined.
480.155 “Political subdivision” defined.
480.160 “Protected information” defined.
480.165 “Ransomware” defined.
480.170 “Sensitive information” defined.
480.175 “Threat” and “cybersecurity threat” defined.
480.200 Cybersecurity incident response plan: Contents and requirements.
480.205 Cybersecurity incident response plan: Political subdivision authorized to include certain internal groups into plan.
480.210 Cybersecurity incident response plan: Effective upon certification.
480.215 Cybersecurity incident response plan: Administrative or nonsubstantive change does not require filing of revised plan.
480.230 Political subdivision required to document actions taken to mitigate or recover from incident.
480.235 Political subdivision required to report significant information learned from incident; use of information.
480.240 Political subdivision required to report certain types of cybersecurity incidents; contents of report.
NAC 480.100 Definitions. (NRS 480.935, 480.950) As used in this chapter, unless the context otherwise requires, the words and terms defined in NAC 480.110 to 480.175, inclusive, have the meanings ascribed to them in those sections.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.110 “Certification” defined. (NRS 480.935, 480.950) “Certification” means to attest authoritatively in a written statement.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.115 “Cybersecurity incident response plan” defined. (NRS 480.935, 480.950) “Cybersecurity incident response plan” means a cybersecurity incident response plan that satisfies the requirements of NAC 480.200.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.120 “Data breach” defined. (NRS 480.935, 480.950) “Data breach” means an incident where protected or sensitive information is, without limitation, copied, transmitted, viewed, stolen or used by a person not authorized to do so.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.125 “Detect” defined. (NRS 480.935, 480.950) “Detect” means to discover or identify the presence or existence of a cybersecurity threat.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.130 “Distributed denial of service” defined. (NRS 480.935, 480.950) “Distributed denial of service” means a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or the surrounding infrastructure of the target with a flood of Internet traffic.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.135 “Incident” defined. (NRS 480.935, 480.950) “Incident” means an occurrence that:
1. Actually or potentially results in adverse consequences to an information system or the information such a system processes, stores or transmits and may require an incident response to mitigate the actual or potential adverse consequences.
2. Is a violation or imminent threat of violation of a security policy or procedure or acceptable use policy of a political subdivision.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.140 “Incident response” defined. (NRS 480.935, 480.950) “Incident response” means the activities that address an incident within the pertinent domain to mitigate immediate and potential adverse consequences or threats.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.145 “Information system” defined. (NRS 480.935, 480.950) “Information system” means any equipment or interconnected system or subsystem of equipment that processes, transmits, receives or interchanges data or information.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.150 “Office” defined. (NRS 480.935, 480.950) “Office” means the Nevada Office of Cyber Defense Coordination of the Department of Public Safety.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.155 “Political subdivision” defined. (NRS 480.935, 480.950) “Political subdivision” means a city or county of this State.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.160 “Protected information” defined. (NRS 480.935, 480.950) “Protected information” means information about any person protected by law or regulation.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.165 “Ransomware” defined. (NRS 480.935, 480.950) “Ransomware” means a type of malware that attempts to deny or denies access to the data of a user of an information system until a ransom is paid.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.170 “Sensitive information” defined. (NRS 480.935, 480.950) “Sensitive information” means any information the loss, misuse, modification or unauthorized access of which could adversely affect the public, the privacy of persons as provided by law or regulation or the interests of this State.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.175 “Threat” and “cybersecurity threat” defined. (NRS 480.935, 480.950) “Threat” and “cybersecurity threat” mean a circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact the operations or assets, including, without limitation, information and information systems, of a political subdivision, person, other governmental entity or the public.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.200 Cybersecurity incident response plan: Contents and requirements. (NRS 480.935, 480.950) A cybersecurity incident response plan must include:
1. Measures that preemptively build, reinforce and improve the capability to prevent, protect against, detect, respond to and recover from an incident, including, without limitation:
(a) A statement of purpose and a statement of objectives that summarize the scope of the cybersecurity incident response plan and associated policies and procedures;
(b) A list of common cybersecurity terms and associated definitions;
(c) Written metrics for measuring:
(1) The impacts of an incident on the political subdivision; and
(2) The capability and effectiveness of the political subdivision to engage in an incident response;
(d) A list of management and leadership personnel who will support an incident response;
(e) A list of internal and external contacts and associated contact information to support an incident response;
(f) A written plan for all personnel, including, without limitation, employees and contractors, regarding reporting computer anomalies and incidents to the proper personnel;
(g) A written plan for all personnel who will be involved in an incident response, including, without limitation, employees and contractors, that outlines the roles, responsibilities, job titles and contact information of such personnel;
(h) Procedures for sharing information, both internally and externally, to ensure appropriate communication and minimize information disclosure to unauthorized parties;
(i) Procedures to contact law enforcement or a regulatory body, as applicable, in a manner consistent with legal requirements; and
(j) Procedures to contact and inform any external entity that may be impacted by an incident due to a networked connection between the political subdivision and the entity affected by such an incident.
2. Documented methodology, procedures and tools to detect, identify, classify and communicate current or potential cybersecurity threats to information systems, including, without limitation:
(a) Defined phases of handling an incident;
(b) A written method of documenting the attack vector used in an incident;
(c) A written method of documenting the indicators that triggered an incident or incident report;
(d) Procedures for analyzing and documenting the scope and impact of an incident;
(e) Procedures to prioritize and handle concurrent incidents in one or more physical locations; and
(f) Procedures outlining which persons will be notified of an incident and the phase during the handling of an incident that such persons will be notified.
3. Procedures to prevent the damage to and spread of damage to information systems from a threat, including, without limitation:
(a) Recurring cybersecurity training programs for all personnel, including, without limitation, employees and contractors, who use the information systems of a political subdivision;
(b) Written standards for the time required for administrators of information systems and other personnel to report anomalous events to the proper personnel, the mechanisms for such reporting and the information that should be included in such a report; and
(c) Procedures for isolating information systems and gathering and storing evidence.
4. Processes and procedures to eradicate the threat from a compromised information system.
5. Processes and procedures to restore information systems impacted by an incident back to a state of production, including, without limitation, verification of data and the integrity of information systems.
6. Procedures to document information learned from an incident, including, without limitation, procedures to document:
(a) Areas of incident response successes and failures; and
(b) Recommendations on the prevention of future incidents.
7. A statement of commitment by management to an incident response.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.205 Cybersecurity incident response plan: Political subdivision authorized to include certain internal groups into plan. (NRS 480.935, 480.950) In addition to information technology, cybersecurity and management groups, a political subdivision may consider incorporating legal, public affairs, human resources, physical security and facilities management groups of the political subdivision into the cybersecurity incident response plan.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.210 Cybersecurity incident response plan: Effective upon certification. (NRS 480.935, 480.950) A cybersecurity incident response plan becomes effective upon certification by a city manager or county manager, as applicable.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.215 Cybersecurity incident response plan: Administrative or nonsubstantive change does not require filing of revised plan. (NRS 480.935, 480.950) A purely administrative or nonsubstantive change to a cybersecurity incident response plan shall not be deemed a revision for the purpose of any requirement to file a revised plan pursuant to NRS 480.935.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.230 Political subdivision required to document actions taken to mitigate or recover from incident. (NRS 480.935, 480.950) A political subdivision shall document any actions taken to mitigate or recover from an incident, including, without limitation, documenting current baselines of information systems and the location of backups and network diagrams.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.235 Political subdivision required to report significant information learned from incident; use of information. (NRS 480.935, 480.950) A political subdivision shall report any significant information learned from an incident to a city manager or county manager, as applicable, within 90 days after an incident. Such information may be used to update policies, procedures, guidelines and cybersecurity incident response plans.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)
NAC 480.240 Political subdivision required to report certain types of cybersecurity incidents; contents of report. (NRS 480.935, 480.950)
1. A political subdivision shall report to the Office within 1 business day after a known or suspected incident that is:
(a) A data breach;
(b) A distributed denial of service incident;
(c) A ransomware incident; or
(d) Any other incident that disrupts the delivery of essential services for more than 1 business day or directly affects life or property.
2. The report submitted pursuant to subsection 1 must contain information on:
(a) The date and time of the incident;
(b) The type of incident;
(c) The type of information system or data affected by the incident;
(d) The known and projected impact of the incident to the political subdivision;
(e) Whether law enforcement, a regulatory body or an external entity that could be affected by an incident have been notified of the incident, if applicable; and
(f) Any additional resources that are needed by the political subdivision to respond to the incident, if applicable.
(Added to NAC by Office of Cyber Defense Coord. by R088-19, eff. 12-29-2020)