Description of the CSIRT for CERT PKP Informatyka
=================================================

1. Document Information

This document contains a description of CERT PKP Informatyka in accordance with RFC 2350. It provides basic information about CERT PKP Informatyka, its channels of communication and its roles and responsibilities.

1.1 Date of Last Update

Version 1.6, 25.08.2023

1.2 Distribution List for Notifications

There is no distribution list for notifications.

1.3 Locations where this Document May Be Found

The current version of this document describing the CSIRT is available on the CERT PKP Informatyka website:
https://www.pkp-informatyka.pl/rfc2350_en.txt
Make sure you are using the latest version.

1.4 Authenticating this Document

This document has not yet been signed with the CERT PKP Informatyka PGP key.

2. Contact Information

2.1 Name of the Team

CERT PKP Informatyka
Short name: CERT IT-PKP

2.2 Address

PKP Informatyka Sp. z o.o.
Al. Jerozolimskie 142A
02-305 Warsaw
Poland
with the annotation: "CERT PKP Informatyka"

2.3 Time Zone

CET (UTC+1); CEST (UTC+2) during summer time, which runs from the last Sunday in March to the last Sunday in October.

2.4 Telephone Number

+48 22 392 45 67

2.5 Facsimile Number

None available.

2.6 Other Telecommunication

None available.

2.7 Electronic Mail Address

The address is an e-mail alias used for communication with the person on duty at CERT PKP Informatyka.

2.8 Public Keys and Other Encryption Information

PGP key used by CERT PKP Informatyka:
Key ID: 0571E461
Fingerprint: 36CC 41CF 0ED3 A965 000A 65AF D359 0427 0571 E461
The public key can be found on the CERT PKP Informatyka website:
https://www.pkp-informatyka.pl/cert_pgp.asc

2.9 Other Information

General information about CERT PKP Informatyka can be found at:
https://www.pkp-informatyka.pl/cyberbezpieczenstwo/cert.html

2.10 Customer Contact

The preferred method of contact is e-mail (section 2.7).
To ensure integrity and confidentiality, we recommend using our cryptographic keys (section 2.8). If transmission of information by e-mail is not possible or is not advisable for security reasons, CERT PKP Informatyka may be contacted by telephone on the number given in section 2.4.

Working hours of the CERT PKP Informatyka department: 8 AM to 4 PM, Monday to Friday, except public holidays and 25 November.

In case of emergency, call the SOC department, which operates 24 hours a day, 7 days a week, on the telephone number given in section 2.4.

3. Charter

3.1 Mission Statement

The mission of the CERT PKP Informatyka team is to identify, analyze and mitigate threats directed at the group of users and customers served by PKP Informatyka. Advisory and educational services for the same group are also provided.

3.2 Constituency

CERT PKP Informatyka provides services to an internal client and to selected companies from the railway sector. The list of stakeholders is a trade secret.

The constituency of CERT PKP Informatyka is all users and services of PKP Informatyka, including all systems connected to the networks AS41464 and AS196830.

3.3 Sponsorship and/or Affiliation

CERT PKP Informatyka is financially maintained by PKP Informatyka Sp. z o.o.

3.4 Authority

CERT PKP Informatyka operates under the auspices of, and with authority delegated by, the management of PKP Informatyka. The operational parts of that role, specifically:
- monitoring of cyber security threats,
- incident response,
- information sharing,
are fulfilled by CERT PKP Informatyka.

4. Policies

4.1 Types of Incidents and Level of Support

CERT PKP Informatyka is authorized to address all types of computer security incidents which occur, or threaten to occur, in its constituency. The level of support provided by CERT PKP Informatyka will vary depending on the type and severity of the incident or event.
The size of the user community and the availability of resources at any given time are also taken into account. Incidents will be prioritized according to their extent and severity.

4.2 Co-operation, Interaction and Disclosure of Information

CERT PKP Informatyka exchanges all necessary information with other SOCs and CSIRTs, with other entities in the Polish national cyber security system, and with the administrators of affected parties.

All incident handling information is treated as confidential. Information that is sensitive or potentially harmful is processed only in a secure environment and is encrypted. When reporting an incident that involves sensitive information, we recommend that you use encryption (section 2.8) or contact CERT PKP Informatyka directly (sections 2.4 and 2.7) to establish another secure communication channel.

No personal information is shared by CERT PKP Informatyka with cooperating entities unless specifically authorized.

4.3 Communication and Authentication

In view of the types of information that CERT PKP Informatyka deals with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered similar to e-mail for these purposes: sensitive data should be encrypted for transmission.

To verify the authenticity of received information or of its source, or to authenticate the person making contact, the available verification methods may be used: querying the WHOIS database, checking community sites (e.g. Trusted Introducer, FIRST), calling back, meeting in person, sending a confirmation e-mail, and digital signatures (especially PGP).
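Sections 2.8 and 4.3 both depend on one practical step: before encrypting a report to the key downloaded from https://www.pkp-informatyka.pl/cert_pgp.asc, confirm that its full fingerprint equals the one printed in section 2.8. The script below is an added example, not part of this RFC 2350 document and not code from CERT PKP Informatyka. It uses only the Python standard library, handles the ASCII-armored v4 key format that a 160-bit fingerprint implies (no v5/v6 keys, no partial body lengths), verifies the armor CRC so a truncated download is caught, and compares the whole fingerprint rather than the 32-bit key ID, which is trivially collidable. The dummy key at the bottom is constructed with toy MPIs purely to exercise the code offline; the fingerprint and key ID constants are the values published in section 2.8.

```python
# Added example, not part of the RFC 2350 document and not CERT PKP Informatyka code:
# verify a downloaded OpenPGP public key against the fingerprint published in section 2.8.
# Standard library only; implements just what the check needs from RFC 4880.
import base64
import hashlib
import re
import struct

# Values copied from section 2.8. The key ID is only the low 32 bits of the fingerprint
# and is trivially collidable, so key_matches() compares the full 160-bit fingerprint.
PUBLISHED_FINGERPRINT = "36CC 41CF 0ED3 A965 000A 65AF D359 0427 0571 E461"
PUBLISHED_KEY_ID = "0571E461"

def normalize_fingerprint(fp: str) -> str:
    """Drop spaces/colons and upper-case so gpg output and the printed value compare equal."""
    return re.sub(r"[\s:]", "", fp).upper()

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Binary packet stream from an armored public key block; the CRC trailer must match."""
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:, ...) end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body))
    if crc_line and crc24(raw) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC mismatch: file is corrupt or truncated")
    return raw

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old and new header formats (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte {ctb:#x} at offset {i}")
        if ctb & 0x40:  # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old format: length type 0/1/2 means 1/2/4 length bytes
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte length || key packet body (RFC 4880 section 12.2)."""
    if key_body[0] != 4:
        raise ValueError(f"unsupported key packet version {key_body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key (tag 6); subkeys (tag 14) are deliberately skipped."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public key packet in block")

def key_matches(armored: str, published_fingerprint: str) -> bool:
    """True only when the full fingerprint equals the published one."""
    return primary_fingerprint(armored) == normalize_fingerprint(published_fingerprint)

def make_dummy_key() -> str:
    """Constructed, armored v4 RSA key packet with toy MPIs. Not a usable key and not
    CERT's key; it exists only so the code above can be exercised offline."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1_693_000_000) + b"\x01" + mpi(0xC0FFEE) + mpi(0x10001)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format header: tag 6, 2-byte length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

To use it on the real key, read the downloaded cert_pgp.asc into a string and call key_matches(text, PUBLISHED_FINGERPRINT); import the key into your keyring only when it returns True. The same check with GnuPG is gpg --show-keys --with-fingerprint cert_pgp.asc, compared by eye against section 2.8; in either case the value to compare is the whole fingerprint, because two keys with the same 8-character key ID are easy to produce.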
CERT PKP Informatyka respects the Traffic Light Protocol version 2.0 (TLP 2.0), with the labels TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT and TLP:RED.

5. Services

5.1 Incident Response

CERT PKP Informatyka responds to incidents by providing a wide range of services for individual groups of recipients.

5.1.1 Incident triage
- Monitoring and detection of suspicious events.
- Analysis and classification of events as a security incident or a false alarm.

5.1.2 Incident coordination
- Accepting notifications bearing the hallmarks of potential incidents.
- Notifying peer CSIRTs / SOCs.
- Analysis of incidents that may affect technical and business resources.
- Analysis of artifacts and evidence of an incident.
- Coordination of security incidents, ensuring effective communication with stakeholders.

5.1.3 Incident resolution
- Vulnerability detection, testing and analysis.
- Dissemination of information about security vulnerabilities.
- Responding to vulnerabilities to prevent their exploitation.
- Eliminating threats and restoring system integrity as part of a recovery plan.

5.2 Proactive Activities
- Cybersecurity communication in the form of reports and information brochures for users and external customers.
- Consulting and educational services for PKP Informatyka users and customers.
- Detecting violations in the monitored infrastructure.
- Monitoring and analysis of cybersecurity data and of known indicators of compromise from various information sources.

6. Incident Reporting Forms

No local forms have been developed yet for reporting incidents to CERT PKP Informatyka. We strongly encourage anyone reporting an incident to do so by e-mail (section 2.10).

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CERT PKP Informatyka assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.