UmU-CSIRT RFC 2350 Profile

1. DOCUMENT INFORMATION

This document complies with RFC 2350.

1.1. Date of Last Update

This is version 1.3 as of November 09, 2018.

1.2. Distribution List for Notifications

This profile is kept up-to-date in the location specified in section 1.3. E-mail notification of updates are sent to UmU IRT management and investigators.
Please send any questions about updates to the UmU IRT team e-mail address: irt@umu.se.

1.3. Locations where this Document May Be Found

The current version of this profile is available at
https://www.aurora.umu.se/regler-och-riktlinjer/sakerhet/it-sakerhet/rfc2350

2. CONTACT INFORMATION

2.1. Name of the Team

Full name: Umeå University Incident Response Team.
Short name: UmU IRT

2.2. Addresses

2.2.1 Mail address
UmU IRT
IT-stöd och systemutveckling (ITS)
S-901 87 UMEÅ, Sweden

2.2.2 Visiting address
UmU IRT
IT-stöd och systemutveckling (ITS)
Campustorget 5
Umeå, Sweden

2.3. Time Zone

Central European Time, CET, UTC+1 

Central European Summer Time, CEST, UTC+2 in summer time (last Sunday of March to last Sunday of October)

2.4. Telephone Number

UmU IRT's telephone number: +46 90 786 77 67

2.5. Facsimile Number

Not applicable.

2.6. Other Telecommunication

Not applicable.

2.7. Electronic Mail Address

Please send incident reports that relate to Umeå University, including copyright issues, spam and abuse to abuse@umu.se. Non-incident related mail should be addressed to irt@umu.se.

2.8. Public Keys and Encryption Information

Please encrypt any sensitive e-mail with the UmU IRT PGP key with:

PGP keyid 0x6CCBB03C and
PGP fingerprint 793A 2CF5 32F4 DDB2 092F BDEA 703A 9036 6CCB B03C
and send it to irt@umu.se.

Please sign messages using a key that is verifiable using the public keyservers.
Because all UmU IRT investigators can read mail encrypted with the irt@umu.se key, individuals can use it if they cannot find a key for a specific UmU IRT team member.

2.9. Team Members

No public information is provided about UmU IRT team members.

2.10. Other Information

Further information about the UmU IRT can be found at https://www.aurora.umu.se/regler-och-riktlinjer/sakerhet/it-sakerhet/
UmU IRT is accredited by the Trusted Introducer (TI) for CSIRTs in Europe and has been registred as "TI Accredited CSIRT" since 16 November 2017; see https://www.trusted-introducer.org/directory/teams/umu-irt.html for details.

UmU IRT compiles with the CSIRT Code of Practice: https://www.trusted-introducer.org/TI-CCoP.pdf
UmU IRT supports the use of the Information Sharing Traffic Light Protocol: https://www.first.org/tlp/docs/tlp-v1.pdf
UmU IRT employs the SIM3 - Security Incident Management Maturity Model for self-assessment: https://www.trusted-introducer.org/SIM3-Reference-Model.pdf

2.11. Points of Customer Contact

The preferred method for contacting UmU IRT is e-mail.

For general inquiries, please send e-mail to: irt@umu.se.

For abuse or security issues, please use abuse@umu.se.

In an emergency, contact UmU IRT on +46 90 786 77 67, +46 90 786 57 41, +46 90 786 92 49
UmU IRT's hours of operation are generally restricted to regular business hours, or 08:00 to 16:30 Monday to Friday except public holidays.

An off-hours emergency telephone number can be provided upon request, at the team's discretion.

3. CHARTER

3.1. Mission Statement

IRT handles operational IT security for Umeå University. This includes discovery and investigation of IT security incidents, incident prevention, incident response and resolution, and information to and cooperation with the constituency.

For the world, UmU IRT is the Umeå University interface with regards to IT security incidents response.

All IT security incidents (including abuse) related to Umeå University can be reported to UmU IRT.

3.2. Constituency

Umeå University with all its organizations, employees and networks.
UmU IRT corresponding AS-numbers are:
AS2833 SUNET-UMU and the following prefixes:
130.239.0.0/16
2001:6B0:E::/48
2001:6B0:F::/48

3.3. Sponsoring Organisation / Affiliation

UmU IRT operates with the authority delegated by the Umeå University Vice Chancellor via the UmU CIO.

UmU IRT is part of "Verksamhetsområde IT", the central IT operations group for Umeå University. UmU IRT is recognized by Sunet CERT, whose constituency includes all organizations connected to Sunet, the Swedish University Network.

3.4. Authority

UmU IRT operates under authority delegated by the vice-chancellor of Umeå University, and may act independently of its organizational home.

UmU IRT coordinates security incidents on behalf of Umeå University. The UmU CIO will be involved in case of an critical incident.

UmU IRT is expected to make operational recommendations or take operational actions in the course of its work in the interest of the IT Security at Umeå University.

UmU IRT aims to work cooperatively with representatives of its constituency. However, when the situation warrants it, UmU IRT will exercise direct authority as necessary, up to and including forcible disconnection of users, systems and networks.

4. POLICIES

4.1. Types of Incidents and Level of Support

All incidents are considered normal priority.

4.2. Co-operation, Interaction, and Disclosure of Information

Co-operation, Interaction, and Disclosure of Information
UmU IRT routinely cooperates and/or interacts with:
* Sunet CERT and other individual incident response teams.
* Umeå University IT operations staff and other adequate staff when needed.

All incoming information is handled confidentially by UmU IRT and in accordance with Swedish Law.

When reporting an incident of sensitive nature, please state so explicitly by using an appropriate label in the Subject field (for example, SENSITIVE, EMERGENCY, etc.) and if possible, use encryption as well.

UmU IRT supports the Information Sharing Traffic Light Protocol (ISTLP; see https://www.trusted-introducer.org/ISTLPv11.pdf); information that arrives with the tags WHITE, GREEN, AMBER, or RED will be handled appropriately.

4.3. Communication and Authentication

See section 2.8; usage of PGP in all cases where sensitive information is involved is highly recommended.

5. SERVICES

5.1. Incident Response

UmU IRT receives incident reports from external parties. Incidents involving organizations within the constituency that have IT security capability are forwarded to those organizations.To ensure rapid response to emergencies, incidents that are emergent will be coordinated by, and may be handled entirely by, UmU IRT regardless of which parts of the constituency are involved.

5.1.2.Incident coordination

UmU IRT coordinates incident response in certain cases where the incident is not handled directly by UmU IRT.
* When the incident is emergent, UmU IRT will coordinate the response until the incident is no longer considered an emergency.
* When the incident involves multiple organizations within the constituency.
* When the incident involves shared resources (e.g. the wireless network).
* When the incident involves law enforcement.

Upon request, UmU IRT will assist members of its constituency with incident triage.

5.1.3 Incident resolution

UmU IRT provides the following services. The availability of a service is governed by the severity and type of an incident, as well as the workload of the team.

* Advice on the process of incident resolution.
* Technical assistance in eradication of the cause of a compromise.
* Forensic analysis of (potentially) compromised systems.
In addition, UmU IRT may perform or direct incident resolution if the affected member of the constituency is unable to do so.

5.2 Proactive activities

UmU IRT engages in the following proactive activities:

* Network intrusion detection and monitoring to discover security issues.
* Regular vulnerability scanning of the university network.
* Searching for indications of compromise.
* Advice and recommendations on information security issues to members of the constituency.
* Forwarding of information on critical vulnerabilities or other developments related to information security.
* IT security training on request from the constituency.

6. INCIDENT REPORTING FORMS

Not available; please report using e-mail. When reporting an incident of sensitive nature use encrypted e-mail.

7. DISCLAIMERS

None.

 

Anja Axelsson
2019-04-01