RFC-2350

1 Document information

This document contains a description of CERT-IS in accordance with RFC-2350.

1.1 Date of Last Update

This document was updated on 2020-09-01.

1.2 Distribution List for Notifications

No explicit distribution list for notifications is implemented. Constituents and other interested parties are directed to the current on-line version as described in 1.3.

1.3 Locations Where This Document May Be Found

The current version of this profile is always publicly available on https://www.cert.is/rfc2350.

2 Contact Information

2.1 Name of the Team

  • Full name: Computer Emergency Response Team - Iceland
  • Short name: CERT-IS

2.2 Address

Mailing address:
    Post and Telecom Administration
    c/o CERT-IS
    Sudurlandsbraut 4
    108 Reykjavik
    Iceland

2.3 Time Zone

Greenwich Mean Time (GMT) all year.

2.4 Telephone Number

  • CERT-IS: +354-510-1540
  • PTA main switchboard: +354-510-1500

2.5 Facsimile Number

  • +354-510-1509 (NOTE not a secure fax) - mark CERT-IS clearly on any facsimile material

2.6 Other telecommunications

  • TETRA encrypted radio communications with other responders, as well as those constituents so equipped
  • Duty Officer's mobile number available to constituents upon request

2.7 Electronic Mail Address

2.8 Public Keys and Encryption Information

CERT-IS supports PGP/GnuPG for secure communications. The current keys for our e-mail addresses (see 2.7) can be found on major keyservers and on https://www.cert.is/pgp. Fingerprints and other key information can also be found at the same location.

Please use the appropriate PGP keys when you encrypt messages that you send to CERT-IS. When due, CERT-IS will sign messages using the same key. Please sign your messages using your own key. It helps if the key is verifiable using public keyservers. Please ensure CERT-IS can locate your public key if you want to communicate securely with CERT-IS.

2.9 Team Members

Please use our team e-mail address when you need to establish contact with individual team members.

2.10 Other information

Refer to the CERT-IS web page - https://www.cert.is.

CERT-IS is a member of FIRST.

CERT-IS is a team listed by the Trusted Introducer for CERTs in Europe.

2.11 Points of Customer Contact

Refer to our telephone numbers [2.6] and e-mail addresses [2.7]. CERT-IS regular response hours are 9:00 to 16:00 Monday-Friday, except Icelandic public holidays, otherwise on a best-effort basis.

3 Charter

3.1 Mission Statement

The mission of CERT-IS is to reduce risk in the networks and computer systems of the constituents, as well as assist in coordinating and mitigating incidents.

CERT-IS acts as the national point-of-contact for matters related to cyber security in Iceland, and as such, develops cooperation and information exchange with partners in other countries. CERT-IS assists on a best-effort basis in reducing risk and mitigating incidents that occur in or affect Icelandic networks and systems.

CERT-IS continuously assesses the status of the Icelandic constituency through information gathering and analysis. The situation as reflected by the analysis is disseminated to the constituency in an effort to incrementally improve the overall status of cyber security.

CERT-IS contributes to the overall cyber security in Iceland by providing alerts and contributing to publicly available educational material, including the website netöryggi.is.

3.2 Constituency

CERT-IS is the national CERT of Iceland and as such the national point-of-contact for cyber security related incidents. CERT-IS is the CSIRT of last-resort, i.e. directs incident reports to the parties most suitable to handle them effectively. CERT-IS welcomes all incident reports of significance to Icelandic interests regardless of the reporter's nationality or affiliation.

By law, the constituency of CERT-IS consists of registered telecommunications operators in Iceland and parties that have contracted for the services of the team. From September 1st, 2020, the constituency of CERT-IS includes critical infrastructure providers as defined by law 78/2019, which also includes certain essential government entities. A complete description of the constituency is available at the CERT-IS homepage.

3.3 Sponsorship and/or Affiliation

CERT-IS is an organisational unit under the Post and Telecom Administration in Iceland.

3.4 Authority

CERT-IS coordinates security incidents on behalf of its constituency in accordance with Icelandic laws. As a coordinating and advisory body, CERT-IS advises constituents but does not have the authority to demand certain actions. However, CERT-IS is expected to make operational recommendations regarding cyber security, including best practices, vulnerabilities and vulnerability management, mitigation of incidents and incident handling. Recommendations in handling individual incidents may include mitigating measures such as temporarily blocking IP addresses or networks and disabling potentially malicious websites. Implementation is solely the responsibility of the parties that receive and implement the recommendations of CERT-IS.

The authority and mandate of CERT-IS is further detailed in Icelandic laws and regulations, including

4 Policies

4.1 Types of Incidents and Level of Support

CERT-IS accepts and triages all incidents reported, regardless of the affected sector or party. Incidents are prioritized and handled on a best-effort basis after triage. Incidents believed to affect the constituency of CERT-IS are prioritized.

CERT-IS advises the National Commissioner of the Icelandic Police on escalation and handling of critical incidents, such as those that potentially affect the security of the country or population at large.

4.2 Co-operation, Interaction and Disclosure of Information

CERT-IS handles all incoming information confidentially, regardless of its source and priority. When reporting an incident of sensitive nature, please state so explicitly, e.g. by using the label SENSITIVE or CONFIDENTIAL in the subject of the e-mail message. Encryption of sensitive material in e-mail messages is highly recommended.

CERT-IS observes the Traffic Light Protocol (TLP) and handles information labeled as WHITE, GREEN, AMBER and RED accordingly.

CERT-IS will use information provided to help mitigate security incidents, as all CERTs do. CERT-IS will respect IS-TLP and other confidentiality labels but reserves the right to act on all actionable indications of threats and malicious behavior that can pose a threat to the constituency. Information will be anonymized as far as practical and disseminated on a need-to-know basis. Please state clearly in communications if you object to this practice and wish to impose stricter limitations on dissemination. CERT-IS will respect your policy but will also point out if that means that CERT-IS cannot act on the information provided.

CERT-IS is obliged by law to notify the National Commissioner of the Icelandic Police of incidents that may constitute serious risk to critical infrastructure or the general public.

CERT-IS is obliged to notify the relevant authorities of critical incidents reported by operators of essential services and digital services providers under the provisions of law 78/2019.

CERT-IS operates under the restrictions imposed by Icelandic law.

4.3 Communication and Authentication

Usage of PGP/GnuPG (see 2.8 regarding PGP public keys) or other pre-approved cryptographic means is highly recommended in cases where sensitive information is submitted to CERT-IS, both for signing and encryption. In particular, use of PGP keys is highly recommended when sending TLP:AMBER and above material to CERT-IS. Please advise CERT-IS of your public PGP keys if you wish to receive encrypted communications from us. If you are unable or unwilling to use PGP-encrypted e-mail communications, please contact CERT-IS for advice regarding secure exchange of sensitive information.

CERT-IS reserves the right to verify the authenticity of information provided and/or sources by any legal means. CERT-IS authenticates all communications by signing with either the team key or by one of the staff keys.

5 Services

5.1 Reactive Services (Incident Response, Triage, Co-ordination and Resolution)

CERT-IS triages and coordinates reported security incidents that involve its constituents as defined in [3.2]; for the prioritization of incidents, see [4.1].

CERT-IS reserves the right to reject or redirect any incident report that is believed to be out-of-scope for its mandate. CERT-IS prioritizes incidents according to the affected constituency and severity and reserves the right to reject or handle on a best-effort basis any incidents received during periods of high demand.

CERT-IS incident handling is limited to co-ordination, consultation and information dissemination as needed to mitigate the immediate threat posed by a cyber incident. Preventive or mitigating actions are the responsibility of the owners/operators of the affected systems, whether or not those parties are constituents. CERT-IS offers support and advice as requested. CERT-IS is not responsible for implementation of recommended preventive or mitigation measures.

5.2 Proactive Services

CERT-IS proactively advises its constituents regarding vulnerabilities and cyber security trends. Reports are produced on a regular basis and disseminated to a) the public, b) groups of constituents or c) individual constituents. Reports may be restricted in accordance with the IS-TLP as appropriate. CERT-IS is not responsible for implementation of recommended policies.

CERT-IS contributes to the public cybersecurity awareness by producing public advisories and cooperating with public interest groups. For instance, CERT-IS contributes to netöryggi.is - an Icelandic public website on network and computer security.

6 Incident Reporting Forms

Please report incidents in plain text via e-mail [2.7] (PGP encrypted if possible) or by phone [2.4]. Operators of essential services and digital services providers can utilize an electronic form available at https://oryggisatvik.island.is to report incidents.

7 Disclaimers

While every precaution is taken in the preparation of information, notifications and alerts, CERT-IS assumes no responsibility for errors or omissions, or for damages resulting from the use of information contained within.