1. About this document
Internet IETF RFC2350 sets out best current practices for documenting the expectations of a Computer Security Incident Response Team (CSIRT). This document is a description of an ISPA-driven CSIRT, named CSIRT.net.za.
1.1 Date of Last Update
This is version 1.0, published 2021-06-30.
1.2 Distribution List for Notifications
Notifications of updates to this document and other CSIRT.net.za policies and procedures are published on the website and sent to the firstname.lastname@example.org mailing list. This mailing list is moderated. For information on subscribing to this list, please visit: CSIRT.net.za Announce list.
1.3 Locations where this Document May Be Found
The current version of this document is available from the CSIRT.net.za website, here: CSIRT.net.za RFC2350, or as a signed text file, here: https://csirt.net.za/rfc2350.txt.
1.4 Authenticating this Document
The text version of this document is signed using the CSIRT’s PGP key (see 2.8).
2. Contact Information
2.1 Name of the Team
The CSIRT is named “CSIRT.net.za”.
CSIRT.net.za (℅ ISPA)
PO Box 518
2.3 Time Zone
South African Standard Time (UTC+02:00).
2.4 Telephone Number
+27 10 500 1200 (ISPA Secretariat)
2.5 Facsimile Number
2.6 Other Telecommunication
2.7 Electronic Mail Address
The address email@example.com can be used to contact CSIRT staff.
2.8 Public Keys and Other Encryption Information
The CSIRT’s PGP public key is available https://csirt.net.za/csirt-pubkey.asc. Public keys for individual CSIRT staff members are available on request.
2.9 Team Members
The CSIRT is currently supported by the ISPA Secretariat team.
2.10 Other Information
More information about CSIRT.net.za can be found on the CSIRT website (https://www.csirt.net.za).
2.11 Points of Customer Contact
The preferred method for contacting CSIRT.net.za is via email at firstname.lastname@example.org. Queries sent to this address are forwarded to the entire CSIRT team.
If it is not possible (or not advisable for security reasons) to use email, CSIRT.net.za can be reached by telephone during regular office hours. Telephone messages are checked less often than email. CSIRT.net.za's hours of operation are generally restricted to regular business hours (09:00-17:00 Monday to Friday except public holidays).
3.1 Mission Statement
The purpose of CSIRT.net.za is to assist members of the CSIRT to implement proactive measures to reduce the risks of computer security incidents and to assist the ISP community in responding to such incidents when they occur.
The constituency is the Internet services sector and operators of Internet infrastructure in South Africa, who are members of CSIRT.net.za. These organisations are typically Internet service providers (ISPs) and largely members of the Internet Service Providers’ Association (ISPA), but participation in CSIRT.net.za is open to any organisation providing Internet services.
3.3 Sponsorship and/or Affiliation
CSIRT.net.za is supported and primarily funded by ISPA.
CSIRT.net.za operates in a co-ordinating and advisory role to the members of the CSIRT, and does not have any direct authority over CSIRT members. It does have a mandate to police compliance with the iCode for those CSIRT members who have voluntarily agreed to support it. It also has a mandate to refer any potential breaches of clause 18 of ISPA’s Code of Conduct to ISPA for review, for CSIRT members who are also members of ISPA.
It is the intention of CSIRT.net.za to apply for recognition as a nodal point for the Internet services sector in terms of section 55(1) of the Cybercrimes and Cybersecurity Bill once the legislative framework exists to support this.
4.1 Types of Incidents and Level of Support
CSIRT.net.za provides a co-ordinating and advisory role and does not directly handle security incidents. Members of CSIRT.net.za are welcome to contact the CSIRT team for security advice at any time (including during an incident), and a response will be provided on a best effort basis.
CSIRT.net.za endeavours to provide members with information relevant to incidents on members’ networks provided to it by partners and third parties, within the limitations of the disclosure of information policy, below.
4.2 Co-operation, Interaction and Disclosure of Information
CSIRT.net.za follows the principle of responsible disclosure within the bounds of policy and legislation. The information security traffic light protocol is used to classify information handled by the CSIRT as follows:
TLP:RED – Not for disclosure, restricted to participants only (most sensitive)
TLP:AMBER – Limited disclosure, restricted to participants’ organisations on a need-to-know basis (sensitive)
TLP:GREEN – Limited disclosure, restricted to the community and related organisations (less sensitive)
TLP:WHITE – Unrestricted disclosure, public (not sensitive)
Participants are the CSIRT team member(s) involved in the exchange only, the participants’ organisation is CSIRT.net.za and ISPA, and the community is the members of CSIRT.net.za.
A constituent may request that information be handled at a preferred level otherwise the CSIRT will classify at a level it deems appropriate. Where practicable, the CSIRT will seek authorisation from a constituent before sharing sensitive information, which will also be anonymised if it does not affect the value/use of the information (e.g. redaction of site identifiable information).
4.3 Communication and Authentication
In view of the types of information that CSIRT.net.za will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted email will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by email, PGP will be used. Network file transfers will be considered to be similar to email for these purposes: sensitive data should be encrypted for transmission. Please contact the CSIRT prior to sending sensitive information if assistance is required.
CSIRT.net.za provides the following services. These services are limited to the members of the CSIRT unless otherwise stated below.
5.1 Nodal point coordination
CSIRT.net.za will act as a nodal point for the Internet services sector, consisting of the members of CSIRT.net.za. The CSIRT will distribute information regarding cyber incidents to other entities within the sector, nodal points for other sectors, other CSIRTs and/or the Cybersecurity Hub, as appropriate.
5.2 Providing network incident alerts
CSIRT.net.za will make available to members any information regarding security problems that is provided to the CSIRT by partners and other sources.
5.3 Abuse desk capacity building
CSIRT.net.za facilitates workshops on abuse desk operation during industry events.
CSIRT.net.za supports the iCode project. More information on this is available at http://www.icode.org.za.
6. Incident Reporting Forms
There are no CSIRT.net.za reporting forms available yet. This section will be updated once reporting forms are available.
While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT.net.za assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.