Iscte SOC scope and RFC2350 Response

This document defines, in detail and in accordance with the definition in RFC2350 – “Expectations for Computer Security Incident Response”, the constituency relative to the SOC (Security Operations Center) of “ISCTE – INSTITUTO UNIVERSITÁRIO DE LISBOA” (hereinafter referred to as Iscte), and to the CSIRT (Computer Security Incident Response Team) that is an integral part thereof, as well as other relevant information.

2.1 Publication of Policies and Procedures

The definition and specification of policies and procedures concerning the SOC service of Iscte and its CSIRT are detailed in the document called the Iscte “Security Incident Response Plan”.

The SOC service is not only responsible for the continuous implementation of information security incident monitoring policies and processes (hereinafter referred to as Incident/es) in iscte infrastructure and its components, but also for the implementation and maintenance of real-time monitoring mechanisms and response procedures.

2.2 Relationships between differents CSIRT

The Iscte SOC service is the internal entity that should serve as a point of contact for all CSIRT communications from other organizations or institutions and is also responsible for monitoring the life cycle of all Incidents reported by them, and which are within the scope of Iscte.

2.3 Establishment of Secure Communications

Information security is an indispensable criterion for the operation of the SOC service.

Thus, all stakeholders in the Incident Response process need well-established secure communication channels.

These Communication Channels are defined and listed in Chapter 6 of the document called the Iscte “Security Incident Response Plan”.

Public information on the PGP key associated with the email address mailbox for Incident Reporting (Preferred Contact Method) can be found at the “Public Key and Cipher Information” section.

3.1 Access to the Document

The updated version of this document should be made available to all Iscte employees who belong to a department or section that:

• • • • Be involved in the incident response process;
      • It has been previously defined; and/or
      • Be one of the stakeholders in the service.

3.1.1 Last Updated

The last update was made on 11/02/2021.

3.1.2 Distribution List for Notifications

Any changes to this document will be communicated by sending an email to all interested parties and involved in the distribution list defined for this purpose, below:

3.1.3 Document Location

The updated version of the Response to RFC2350 by iscte SOC is published in https://siic.iscte-iul.pt/ciberseguranca/rfc2350.

3.1.4 Document Authenticity

This document was signed with the Iscte SOC PGP key.

• • • • • • User ID: SOC ISCTE-IUL soc@iscte-iul.pt
          • Fingerprint: 7EE6 FE47 80EA D304 923A 2BDD D261 3476 A184 7050
          • Key type: RSA/4096
          • Available at: https://pgp.surf.nl/pks/lookup?op=get&search=0xD2613476A1847050

In order to validate the authenticity of this document, a version of it is available in plaintext, signed with this PGP key. This version can be found in https://siic.iscte-iul.pt/ciberseguranca/rfc2350.txt.

3.2 Contact Information

3.2.1 Team Name

SOC do Iscte

3.2.2 Address

Av.ª das Forças Armadas, 1649-026 Lisboa, Portugal

3.2.3 Time zone

UTC/GMT Lisbon, London, Dublin – WEST (Western European Summer Time)

3.2.4 Office Hours

O serviço do SOC do Iscte funciona no horário de expediente normal, entre as 9h e as 18h

3.2.5 Phone

+351 210 464 500

3.2.6 Other Communications

For matters that are not related to reporting and responding to Incidents: soc@iscte-iul.pt

3.2.7 Preferred Contact Method

The preferred contact method of the Iscte SOC team is the email address used for incident reporting: csirt@iscte-iul.pt

3.2.8 Incident Reporting and Management Portal

Exclusive to the Iscte community

https://iajuda.iscte-iul.pt/

3.2.9 Information on Public Keys and Ciphers

The SOC service provides a PGP key that should be used whenever there is a need to encrypt any type of information or file:

• • • • • • User ID: CSIRT ISCTE-IUL csirt@iscte-iul.pt
          • Fingerprint: 1D08 1964 6E48 A2E8 2932 EAF3 49E8 B051 87CF 1A3D
          • Key type: RSA/4096
          • Available at: https://pgp.surf.nl/pks/lookup?op=get&search=0x49E8B05187CF1A3D

3.2.10 Team Members

Coordinator
Dauto Ussene Jeichande (dauto.jeichande@iscte-iul.pt)

Operational Team
(soc@iscte-iul.pt)

3.2.11 Other Information

For more information about Iscte, visit https://iscte-iul.pt/.

3.3 Guide

3.3.1 Mission

The purpose of Iscte’s SOC service is to serve its internal community and customers in the context of response to information security incidents, as well as to protect its services and personal information related to them, and also to prevent possible cyber attacks that may have some impact associated with the respective infrastructures and/or the institution’s business.

3.3.2 Community

The SOC service serves Iscte employees and their customers and is the entity responsible for collaboration in the incident response process with other internal, external and/or service providers involved and necessary.

Iscte’s SOC service thus operates not only but also prevention and monitoring of the following ranges of IP addresses belonging to Iscte itself:

• 192.92.146.0/24
• 193.136.188.0/24
• 193.136.189.0/24
• 193.136.190.0/24
• 193.136.191.0/24
• 194.210.64.0/20
• 194.210.80.0/22
• 194.210.84.0/23
• 194.210.86.0/24
• 2001:690:21a0:00/48
• iscte-iul.pt
• iscte.pt

3.3.3 Affiliation

The SOC service is an Iscte service whose scope is the institution’s systems and resources. The sources of events that are collected and monitored by the SOC service are documented in chapter 11 of the document called “Security Incident Response Plan” of Iscte.

3.3.4 Authority

The SOC service has the authority to respond to Incidents that occur within the Iscte community, as well as to respond on behalf of the organization in collaborative Incident Response processes with entities outside of the organization.

3.4 Policies

3.4.1 Incident Types and Support Level

The Iscte SOC service adopts the taxonomy defined in chapter 7 of the document called “Security Incident Response Plan” of Iscte. This, with the exception of the categories “Privacy” and “Maintenance”, is in full compliance with the taxonomy adopted at national level by the National Cybersecurity Center (CNCS) and by the members of the National Network of CSIRTs, in December 2019, and at European level, also in 2019, by ENISA, the entity for Network and Information Security of the European Union.

The level of support given to each Incident may vary depending, not only on its Severity in Iscte, according to the values defined in chapter 8 of the document called “Security Incident Response Plan” of Iscte, but also on the SOC resources available. Although all Incidents are treated as quickly as possible by the SOC service, these differences are detailed in chapter 9 of the document called “Security Incident Response Plan” of the Iscte.

3.4.2 Cooperation, Interaction and Privacy Policy

The SOC Privacy and Data Protection Policy stipulates that any type of information considered as sensitive will only be passed on to third parties in case of extreme necessity and always with the prior authorization of the individual, department or entity to which it belongs.

3.4.3 Communication and Authentication

The email and phone indicated in this document are considered sufficient for the transmission of information to the Iscte SOC service that is not sensitive and/or confidential. If necessary, the PGP key of the email for incident reporting, available in the point “Information on public keys and ciphers”, can be used for encryption of messages sent with content considered sensitive.

3.5 Services

3.5.1 Incident Response

The Iscte SOC service provides a coordination and response service for computer security Incidents related to the entire Iscte community.

3.5.1.1 Incident Triage

In the Triage phase the Incidents are triaged and a first analysis is performed, with the objective of determining if they effectively constitute an Incident and to assign them a classification appropriate to their context.

3.5.1.2 Incident Coordination

In this phase a more detailed analysis is performed to determine the causes that led to the occurrence of the Incident and the immediate countermeasures needed to mitigate it. If necessary, other internal or external stakeholders are contacted.

3.5.1.3 Incident Resolution

Finally, the eradication and/or mitigation measures for the Incident are outlined and applied, and, whenever justified and necessary, there is a subsequent analysis of lessons to be learned, a more detailed report, and a meeting with the teams involved.

3.5.2 Monitoring

The SOC service ensures the monitoring, correlation and analysis of events from the Iscte security tools integrated in SIEM in chapter 11 of the document called “Security Incident Response Plan” of Iscte.

3.5.3 Proactive Activities

The SOC service is constantly monitoring possible threats that may arise and will proactively alert the community and other stakeholders defined for this purpose whenever a related Incident occurs.

3.6 Forms

3.6.1 Post-Mortem Form

A report is prepared with a more detailed analysis of all the details of the respective Incident, following the template defined for this purpose, present in chapter 16 of the document called “Security Incident Response Plan” of the Iscte, indicating the timeline of the Incident’s life cycle, the measures taken at each stage, the people involved, and the lessons learned to try to eradicate future similar Incidents, among other information.

3.7 Disclaimer

Although every precaution is taken in the preparation of the information that is disseminated, either on the Internet or through the distribution lists, the Iscte’s SOC does not assume any responsibility for errors or omissions that do not originate from the SOC itself, as well as for the occurrence of Incidents that may arise from the use of that information.