RFC 2350
1. About this document
This document describes the incident response coordination service of Centro Nacional de Cibersegurança (CNCS), the Portuguese National Cybersecurity Center, in accordance with RFC 2350.
1.1 Date of Last Update
This is version 1.9 published 2021/01/25.
1.2 Distribution List for Notifications
There is no existing distribution channel for notifications of updates.
1.3 Locations where this Document May Be Found
The Portuguese version of this document is available at https://www.cncs.gov.pt/pt/certpt/rfc-2350/ .
The English version of this document is available at https://www.cncs.gov.pt/en/certpt/rfc-2350/ .
1.4 Authenticating this Document
This document is signed with the CERT.PT PGP key.
4. Policies
4.1 Types of Incidents and Level of Support
CERT.PT handles every type of cybersecurity incident, namely, those that result in a security violation of the following types:
a) Malicious Code
b) Availability
c) Information Gathering
d) Intrusion Attempt
e) Intrusion
f) Information Content Security
g) Fraud
h) Abusive Content
i) Vulnerable
The level of support offered by CERT.PT depends on the type, severity and scope of the ongoing incident and available resources. In regular circumstances CERT.PT tries to give an initial answer within one business day.
Under regular conditions, the level of support offered by CERT.PT also depends on the type of constituency entity that is affected: all services described under (5.) are ensured to State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers. To the remaining entities and individuals of its constituency, CERT.PT ensures the Incident Response Coordination and Security Alerts services.
In cases of significant severity and scope, or large-scale incidents, priority will be given to security incidents affecting State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.
4.2 Co-operation, Interaction and Disclosure of Information
The privacy and data protection policies of CERT.PT ensure that sensitive data is only shared with third parties on a need-to-know basis and with the prior authorization of the owner of that information.
4.3 Communication and Authentication
Of the communication channels made available by CERT.PT, telephone and clear-text email are considered safe for non-sensitive information. For the transmission of sensitive information, the use of PGP encryption is required.
CERT.PT recognises and adopts TLP (Traffic Light Protocol) for sharing and dissemination of information.
5. Services
5.1 Incident Response Coordination
To the whole Constituency.
Whenever requested, CNCS, through the CERT.PT service, coordinates incident response between the involved parties. This coordination typically involves the victims and ISPs or other CSIRTs when necessary. The coordination includes:
1) triage of incident reports and their technical and forensic analysis;
2) liaison with the involved national and international entities;
3) production of mitigation and/or resolution recommendations.
The incident response coordination can be initiated by CNCS, such as in the case of a large-scale incident, or be requested through the provided channels.
5.2 On-Site Support
For State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.
On-Site Support is a service where CNCS's specialized personnel offer support on the premises of the requestor and aid with the incident analysis and response. Depending on the requirements of the incident, this support can include, among others:
1) forensic analysis of the machine or hardware;
2) traffic analysis;
3) malware analysis;
4) liaison with other national or international CSIRTs;
5) production of recommendations;
6) support on the application of mitigation or resolution measures.
CNCS does not perform any of the aforementioned measures. This responsibility lies entirely with the participating entities.
5.3 CSIRT Capability Building
For State entities, operators of Critical Infrastructures, operators of Essential Services and Digital Service Providers.
This service aims to improve the national incident response capabilities by creating new CSIRTs or developing the capabilities of already established CSIRTs. To achieve this, CNCS promotes and provides activities that foster CSIRT capability building in the national territory, namely:
1) Training sessions for both technical and decision-level personnel who are part of a CSIRT;
2) Coordination of national exercises and promotion of Portuguese participation in international cybersecurity exercises;
3) Definition of a baseline of technical, operational and human capabilities of a CSIRT;
4) Definition of good practices for cybersecurity incident management;
5) Consultancy for the creation of new CSIRTs.
5.4 Security Alerts
To the whole Constituency.
This service alerts interested parties, including the general public, to new cybersecurity risks, providing the information necessary to mitigate or protect against them. To that effect CNCS has two activities:
1) In coordination with other national authorities, it issues a single national security level;
2) It creates and disseminates security alerts to interested parties.