EGI-CSIRT profile

AreaISM
Document status

FINALISED

Owner
ApproversEGI-CSIRT
Approval status

APPROVED

Approved version and date

v.4  

StatementThis document presents the EGI-CSIRT profile established according to RFC-2350
Dissemination Level

TLP:WHITE - Public

Next reviewTogether with review for accreditation by TF-CSIRT.

1. Document Information

1.1. Date of Last Update

This is version v.4 of 18 April 2024.

1.2. Distribution List for Notifications

This profile is kept up-to-date on the location specified in 1.3.

E-mail notification of updates are sent to:

• All EGI-CSIRT members

• All EGI-CSIRT constituents

Any questions about updates please address to the EGI-CSIRT e-mail address.

1.3. Locations where this Document May Be Found

The current version of this profile is always available on https://go.egi.eu/rfc2350.

2. Contact Information

2.1. Name of the Team

2.2. Address

EGI Foundation

Science Park 140

1098 XG Amsterdam

Netherlands

2.3. Time Zone

GMT+1 (GMT+2 with DST or Summer Time, which starts on the last Sunday in March and ends on the last Sunday in October)

2.4. Telephone Number

Regular telephone number: +31 (0)20 89 32 007 (EGI Foundation secretary telephone number)

Emergency telephone number +31 (0) 630 372 691 (EGI Foundation Director)

2.5. Facsimile Number

No-Fax-Number

2.6. Other Telecommunication

email: contact@egi.eu

2.7. Electronic Mail Address

abuse@egi.eu

This address can be used to report all security incidents to which relate to the EGI-CSIRT constituency, including copyright issues, spam and abuse.

2.8. Public Keys and Encryption Information

PGP/GnuPG is supported for secure communication.

The current EGI-CSIRT team-key is present on the public key servers and can be found at:

https://confluence.egi.eu/display/EGIBG/CSIRT+PGP+key

Please use this key when you want/need to encrypt messages that you send to EGI-CSIRT. When due, EGI-CSIRT will sign messages using the same key.

When due, sign your messages using your own key please - it helps when that key is verifiable using the public key servers.

2.9. Team Members

No information is provided about the EGI-CSIRT team members in public.

TF-CISRT Trusted Introducer members can access information via the Trusted Introducer Directory: https://www.trusted-introducer.org/directory/teams/egi-csirt.html

2.10. Other Information

See the EGI-CSIRT public website at https://csirt.egi.eu/, the EGI-CSIRT documentation at https://go.egi.eu/csirt and the EGI Security policies and procedures at https://go.egi.eu/security-policies

2.11. Points of Customer Contact

Regular cases: use EGI-CSIRT e-mail address.

Regular response hours: Monday-Friday, 09:00-17:00 (except public holidays (Christmas, New Year's Eve, Easter)).

EMERGENCY cases: send e-mail with EMERGENCY in the subject line.

3. Charter

3.1. Mission Statement

The mission of EGI-CSIRT is to coordinate the resolution of IT security incidents related to their constituency (see 3.2), and to help prevent such incidents from occurring.

3.2. Constituency

The constituency for EGI-CSIRT is the EGI Federation (https://www.egi.eu/egi-federation/). The EGI Federation is coordinated by EGI Foundation (https://www.egi.eu/egi-foundation/), a research-or-educational and registered not-for-profit foundation established under Dutch law to coordinate and manage the EGI Federation on behalf of its participants. This constituency currently consists of 29 participants, covering 22 countries and regrouping more than 300 organisations. An overview of the integrated resources and services providers is provided at https://www.egi.eu/egi-infrastructure/.

3.3. Sponsorship and/or Affiliation

EGI-CSIRT is supported by the EGI Foundation, the not-for-profit foundation established under Dutch law to coordinate and manage the EGI Federation on behalf of its participants: National Initiatives (NGIs) and European International Research Organisations (EIROS).

3.4. Authority

The team coordinates security incidents on behalf of their constituency and has the authority to remove Resource Centres from its infrastructure (EGI). The team is however expected to make operational recommendations in the course of their work. Such recommendations can include but are not limited to remove Resource Centres from its infrastructure (EGI). The implementation of such recommendations is not a responsibility of the team, but solely of those to whom the recommendations were made.

4. Policies

4.1. Types of Incidents and Level of Support

All incidents are considered normal priority unless they are labelled EMERGENCY. EGI-CSIRT itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to EGI-CSIRT as EMERGENCY, but it is up to EGI-CSIRT to decide whether to uphold that status.

The service of level for response to requests is 4 hours within working hours 09:00-17:00 CEST from Monday to Friday.

4.2. Co-operation, Interaction and Disclosure of Information

All incoming information is handled confidentially by EGI-CSIRT, regardless of its priority.

Information that is evidently sensitive in nature is only communicated and stored in a secure environment, if necessary using encryption technologies. When reporting an incident of sensitive nature, please state so explicitly, e.g. by using the label SENSITIVE in the subject field of e-mail, and if possible using encryption as well.

EGI-CSIRT supports the Information Sharing Traffic Light Protocol (TLP – see https://go.egi.eu/tlp) - information that comes in with the tags CLEAR (WHITE), GREEN, AMBER or RED will be handled appropriately.

EGI-CSIRT will use the information you provide to help solve security incidents, as all CERTs do. This means that by default the information will be distributed further to the appropriate parties – but only on a need-to-know base, and preferably in an anonymised fashion.

If you object to this default behaviour of EGI-CSIRT, please make explicit what EGI-CSIRT can do with the information you provide. EGI-CSIRT will adhere to your policy, but will also point out to you if that means that EGI-CSIRT cannot act on the information provided.

EGI-CSIRT does not report incidents to law enforcement, unless national law requires so. Likewise, EGI-CSIRT only cooperates with law enforcement EITHER in the course of an official investigation – meaning that a court order is present – OR in the case where a constituent requests that EGI-CSIRT cooperates in an investigation. When a court order is absent, EGI-CSIRT will only provide information on a need-to-know base.

4.3. Communication and Authentication

See 2.8 above. Usage of PGP/GnuPG in all cases where highly sensitive information is involved is highly recommended.

In cases where there is doubt about the authenticity of information or its source, EGI-CSIRT reserves the right to authenticate this by any (legal) means.

5. Services

5.1. Incident Response (Triage, Coordination and Resolution)

EGI-CSIRT is responsible for the coordination of security incidents somehow involving their constituency (as defined in 3.2). EGI-CSIRT therefore handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within the constituency – however EGI-CSIRT will offer support and advice on request.

5.2. Proactive Activities

EGI-CSIRT proactively advises their constituency in regard to recent vulnerabilities and trends in hacking/cracking. EGI-CSIRT advises Egi.eu on matters of computer and network security. It can do so proactively in urgent cases, or on request. Both roles are roles of consultancy: EGI-CSIRT is not responsible for implementation.

6. Incident reporting Forms

See the SEC01 EGI CSIRT Security Incident Handling Procedure, and the CSIRT Incident reporting pages.