-----BEGIN PGP SIGNED MESSAGE-----
ISCTE SOC scope and RFC2350 Response
IT SERVICES AND COMMUNICATIONS INFRASTRUCTURES
November 2, 2021
Iscte SOC scope and RFC2350 Response
This document defines, in detail and in accordance with the definition of RFC2350 - "Expectations for Computer Security Incident Response", the constituency related to the SOC (Security Operations Center) of the "ISCTE - INSTITUTO UNIVERSITÁRIO DE LISBOA" (hereinafter referred to as Iscte), and the CSIRT (Computer Security Incident Response Team) which is an integral part of it, as well as other relevant information.
2.1 Publication of Policies and Procedures
The definition and specification of policies and procedures concerning the SOC service of Iscte and its CSIRT are detailed in the document called the Iscte "Security Incident Response Plan".
The SOC service is not only responsible for the continuous implementation of information security incident monitoring policies and processes (hereinafter referred to as Incident/es) in iscte infrastructure and its components, but also for the implementation and maintenance of real-time monitoring mechanisms and response procedures.
2.2 Relationships between different CSIRT
The Iscte SOC service is the internal entity that should serve as a point of contact for all CSIRT communications from other organizations or institutions and is also responsible for monitoring the life cycle of all Incidents reported by them, and which are within the scope of Iscte.
2.3 Establishment of Secure Communications
Information security is an indispensable criterion for the operation of the SOC service. Thus, all stakeholders in the Incident Response process need well-established secure communication channels. These Communication Channels are defined and listed in Chapter 6 of the document called the Iscte "Security Incident Response Plan". Public information on the PGP key associated with the email address mailbox for Incident Reporting (Preferred Contact Method) can be found at the "Public Key and Cipher Information" section.
3. Information, Policies and Procedures
3.1 Access to the Document
The updated version of this document should be made available to all Iscte employees who belong to a department or section that:
• is involved in the incident response process;
• has been previously defined; and/or
• is one of the stakeholders in the service.
3.1.1 Last Updated
Last updated on 02/11/2021.
3.1.2 Distribution List for Notifications
Any changes to this document will be communicated by sending an email to all interested parties and involved in the distribution list defined for this purpose, below:
• Iscte SOC - email@example.com
• SIIC Director;
• Head of URCS;
• Responsible for GDSI;
• Nau Manager;
• Data Protection Officer;
• Legal Guardian;
• Responsible for Communication; and
• CNCS - firstname.lastname@example.org
3.1.3 Document Location
The updated version of the Response to RFC2350 by iscte SOC is published at:
3.1.4 Document Authenticity
This document was signed with the Iscte SOC PGP key.
• User ID: SOC ISCTE-IUL <email@example.com>
• Fingerprint: 7EE6 FE47 80EA D304 923A 2BDD D261 3476 A184 7050
• Key type: RSA/4096
• Available in: https://pgp.surf.nl/pks/lookup?op=get&search=0xD2613476A1847050
In order to validate the authenticity of this document, a version of it is available in plaintext, signed with this PGP key. This version can be found in https://siic.iscte-iul.pt/ciberseguranca/csirt/pt/rfc2350.txt.
3.2 Contact Information
3.2.1 Team Name
SOC do Iscte
Av.ª das Forças Armadas, 1649-026 Lisboa, Portugal
3.2.3 Time Zone
UTC/GMT Lisbon, London, Dublin - WEST (Western European Summer Time)
3.2.4 Office Hours
The Iscte SOC service operates during normal office hours between 9:00 am and 6:00 pm.
• +351 210 464 500
3.2.6 Other Communications
For matters that are not related to reporting and responding to Incidents:
3.2.7 Preferred Contact Method
The preferred contact method of the Iscte SOC team is the email address used for incident reporting:
3.2.8 Incident Reporting and Management Portal (Iscte community only)
3.2.9 Information on Public Keys and Ciphers
The SOC service provides a PGP key that should be used whenever there is a need to encrypt any type of information or file:
• User ID: CSIRT ISCTE-IUL <firstname.lastname@example.org>
• Fingerprint: 1D08 1964 6E48 A2E8 2932 EAF3 49E8 B051 87CF 1A3D
• Key type: RSA/4096
• Available in: https://pgp.surf.nl/pks/lookup?op=get&search=0x49E8B05187CF1A3D
3.2.10 Team Members
• Coordinator: Dauto Ussene Jeichande
• Operational Team:
3.2.11 Other Information
For more information about Iscte you can consult the website: https://iscte-iul.pt/.
The purpose of Iscte's SOC service is to serve its internal community and its customers in a context of response to information security incidents, as well as to protect its services and personal information from them, as well as to prevent possible computer attacks that may have any associated impact on their respective infrastructures and/or the institution's business.
The SOC service serves Iscte employees and their customers and is the entity responsible for collaboration in the incident response process with other internal, external and/or service providers involved and necessary.
The SOC service of Iscte thus acts not only but also in the prevention and monitoring of the following ranges of IP addresses, belonging to Iscte itself:
The SOC service is an Iscte service, the scope of which is the institution's systems and resources. The sources of events that are collected and monitored by the SOC service are documented in Chapter 11 of the document called the Iscte "Security Incident Response Plan."
The SOC service has the authority to respond to Incidents that occur within the Iscte community, as well as to respond on behalf of the organization in incident response processes in collaboration with entities external to it.
3.4.1 Incident Types and Support Level
The Iscte SOC service adopts the taxonomy defined in Chapter 7 of the document called the Iscte "Security Incident Response Plan". This, with the exception of the "Maintenance" category, is in full compliance with the taxonomy adopted at national level by the National Cybersecurity Centre (CNCS) and the members of the National Csirt Network in December 2019, and at European level, also in 2019, by ENISA, the European Union's network and information security body.
The level of support given to each Incident may vary depending not only on the Severity of the Incident in Iscte, depending on the values defined in Chapter 8 of the document called the Iscte "Security Incident Response Plan," but also the available SOC features. Although all Incidents are handled as quickly as possible by the SOC service, these differences are detailed in Chapter 9 of the iscte "Security Incident Response Plan" document.
SOC's Privacy and Data Protection Policy stipulates that any type of information considered sensitive will only be passed on to third parties in case of extreme need and always with the prior authorization of the individual, department or entity to which it belongs.
3.4.3 Communication and Authentication
The email and telephone indicated in this document are considered sufficient for the transmission of information to the SOC service of Iscte that is not sensitive and/or confidential. If necessary, the PGP key of the email can be used for incident reporting, available at the "Information on public keys and ciphers" section, for encryption of messages sent with content considered sensitive.
3.5.1 Incident Response
Iscte's SOC service provides a coordination and response service to computer security incidents related to the entire Iscte community.
184.108.40.206 Incident Screening
In the Screening phase incidents are screened and a first analysis is carried out with the aim of determining whether they are actually an Incident and to assign them a classification appropriate to their context.
220.127.116.11 Incident Coordination
At this stage, a more detailed analysis is carried out to determine the causes that led to the occurrence of the Incident and the immediate countermeasures necessary to mitigate it. If necessary, other internal or external stakeholders are contacted.
18.104.22.168 Incident Resolution
Finally, the eradication and/or mitigation measures respective to the Incident are delineated and applied and, where justified and necessary, a subsequent analysis of lessons to be learned, a more detailed report and a meeting with the teams involved are made.
The SOC service ensures the monitoring, correlation and analysis of events from iscte security tools integrated into SIEM in chapter 11 of the document called the Iscte "Security Incident Response Plan".
3.5.3 Proactive Activities
The SOC service is constantly tracking potential threats that may arise and will proactively alert the community and other stakeholders and defined for this purpose whenever an Incident relates to them occurs.
3.6.1 Post-Mortem form
A report is prepared with a more detailed analysis of all the details of the respective Incident, following the template defined for this purpose, present in Chapter 16 of the document called the "Security Incident Response Plan" of iscte, indicating the timeline of the incident life cycle, the measures taken at each stage, the people involved and the lessons learned to try to eradicate future Similar Incidents, among other information.
Although all precautions are taken in the preparation of the information that is disclosed, either on the Internet or through distribution lists, the SOC-do Iscte assumes no responsibility for errors or omissions the origin of which is not the SOC itself, as well as for the occurrence of Incidents that may result from the use of that information.
ISCTE SOC scope and Response to RFC2350 Information Technology Services and Communications Infrastructures | See. 1 st | PUBLIC
Iscte − University Institute of Lisbon · Av. Armed Forces, 1649-026 Lisbon ·
+351 217 903 000 · · email@example.com
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----