CSIRT Description for SOC PKP Informatyka
=========================================

1. About this document

1.1 Date of Last Update

This is version 1.0, published on 15 October 2019.

1.2 Distribution List for Notifications

None available at this moment.

1.3 Locations where this Document May Be Found

The current version of this description document is available from the SOC PKP Informatyka WWW site; its URL is
http://www.pkp-informatyka.pl/wp-content/uploads/2019/11/rfc2350.txt
Please make sure you are using the latest version.

1.4 Authenticating this document

This document has not been signed with the SOC PKP Informatyka PGP key at the moment.

2. Contact Information

2.1 Name of the Team

SOC PKP Informatyka

2.2 Address

Security Operations Center
PKP Informatyka
Al. Jerozolimskie 142A
02-305 Warszawa
Poland

2.3 Time Zone

Central European Time (GMT+0100, GMT+0200 from April to October)

2.4 Telephone Number

+48 22 392 45 67

2.5 Facsimile Number

None available at this moment.

2.6 Other Telecommunication

None available at this moment.

2.7 Electronic Mail Address

This is a mail alias that serves the human(s) on duty for SOC PKP Informatyka.

2.8 Public Keys and Other Encryption Information

None available at this moment.

2.9 Other Information

Artur Slubowski is the Security Operations Center coordinator. General information about SOC PKP Informatyka, as well as links to various recommended security resources, can be found at http://www.pkp-informatyka.pl/soc/

2.10 Points of Customer Contact

The preferred method for contacting SOC PKP Informatyka is via e-mail at ; e-mail sent to this address will be handled by the responsible human. If it is not possible (or not advisable for security reasons) to use e-mail, SOC PKP Informatyka can be reached by telephone; the team is on call 24/7. SOC PKP Informatyka operates 24 hours a day, every day of the year.

3. Charter

3.1 Mission Statement

The mission of SOC PKP Informatyka is to identify, analyse and mitigate threats targeting PKP Informatyka internet users, and to provide consultancy and education services for users.

3.2 Constituency

The constituency of SOC PKP Informatyka is all users and services of PKP Informatyka (comprising all systems connected to network AS 41464).

3.3 Sponsorship and/or Affiliation

SOC PKP Informatyka is financially maintained by PKP Informatyka Sp. z o.o.

3.4 Authority

SOC PKP Informatyka operates under the auspices of, and with authority delegated by, the management of PKP Informatyka. Parts of that role, specifically addressing operational aspects such as:
- monitoring of cyber security threats,
- incident response,
- information sharing,
are fulfilled by SOC PKP Informatyka.

4. Policies

4.1 Types of Incidents and Level of Support

SOC PKP Informatyka is authorized to address all types of computer security incidents which occur, or threaten to occur, in its constituency.

The level of support given by SOC PKP Informatyka will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the availability of SOC PKP Informatyka's resources at the time. Incidents will be prioritized according to their apparent severity and extent.

4.2 Co-operation, Interaction and Disclosure of Information

SOC PKP Informatyka exchanges all necessary information with other SOCs and CSIRTs, other entities included in the Polish national cyber security system, as well as with affected parties' administrators. Neither personal nor overhead data are exchanged unless explicitly authorized.

All sensitive data (such as personal data, system configurations, known vulnerabilities with their locations) are encrypted if they must be transmitted over an unsecured environment, as stated below.

4.3 Communication and Authentication

In view of the types of information that SOC PKP Informatyka deals with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, a password-protected ZIP archive will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

Where it is necessary to establish trust, for example before relying on information given to SOC PKP Informatyka, or before disclosing confidential information, the identity and bona fides of the other party will be ascertained to a reasonable level of trust. Within SOC PKP Informatyka, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc., along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor.

5. Services

5.1 Incident Response

SOC PKP Informatyka will provide incident response capabilities in the following areas:

5.1.1 Incident Triage

The main goals of incident triage are:
- investigating whether a security incident has indeed occurred,
- determining the extent and severity of the incident (including a potential impact on the constituency), etc.

5.1.2 Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other sites which may be involved.
- Facilitating contact with appropriate law enforcement officials, if necessary.
- Composing announcements to users, if applicable.

5.1.3 Incident Handling

In some cases, limited support may be provided in technical incident handling, including malware and forensic analysis, threat hunting, and evidence collection. The extent of this support will depend on the type and severity of the incident, and the type of the affected entity.

5.2 Proactive Services

SOC PKP Informatyka coordinates and maintains the following services to the extent possible depending on its resources:
- security information sharing for users by e-mail

6. Incident Reporting Forms

SOC PKP Informatyka has created a local form designated for reporting incidents to the team. We strongly encourage anyone reporting an incident to do so by e-mail to soc@it-pkp.pl

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, SOC PKP Informatyka assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.