Maastricht Universitair Medisch Centrum+ (MUMC+)

The following profile of MUMC-SOC has been established in adherence to RFC-2350.

1. Document Information

This document complies with RFC-2350.

1.1. Date of Last Update

This is version 1.0 as of January 31, 2019.

1.2. Distribution List for Notifications

This profile is kept up-to-date on the location specified in 1.3.

E-mail notifications of updates are sent to:
- MUMC-SOC management and analysts

MUMC-SOC is affiliated with SURFcert (https://www.surf.nl/diensten-en-producten/surfcert/index.html), SURFnet B.V., which requires that notification of updates also be sent to SURFcert. Members of MUMC-SOC participate in SCIRT (SURFnet Community of Incident Response Teams).

Any specific questions or remarks can be sent to the MUMC-SOC e-mail address: soc@mumc.nl

1.3. Locations where this Document May Be Found

The current version of this profile is always available at https://www.mumc.nl/over-mumc/soc

2. Contact Information

2.1. Name of the Team

Full name: Maastricht UMC+ Security Operations Center
Short name: MUMC-SOC

2.2. Address

Maastricht Universitair Medisch Centrum+
Stafdirectoraat MIT
MUMC-SOC
P.O. Box 5800
NL - 6202 AZ Maastricht
The Netherlands

2.3. Time Zone

Central European Time (GMT+1, GMT+2 with DST, according to EC rules)

2.4. Telephone Number

MUMC-SOC telephone number: +31-43-3872700 (24/7)

2.5. Facsimile Number

Not applicable.

2.6. Other Telecommunication

Not applicable.

2.7. Electronic Mail Address

Send incident reports that relate to MUMC-SOC services, including copyright issues, spam, incidents and abuse, to soc@mumc.nl.

2.8. Public Keys and Encryption Information

Please encrypt any sensitive e-mail with the MUMC-SOC PGP-key and send it to soc@mumc.nl.

MUMC-SOC PGP-key: 41CB 4091 F417 C390
Fingerprint: 3070 F632 0D3B E845 6ACF D41E 41CB 4091 F417 C390
Published on http://pgp.surfnet.nl/.

Please sign your message using your own key; it helps if that key is verifiable using public PGP keyservers.

2.9. Team Members

MUMC-SOC team members are drawn from the ranks of MUMC+ IT-professionals; contact information about individual team members is confidential. Chair and secretary are provided by Medische Instrumentatie en Informatie Technologie (MIT), the MUMC+ IT-department. Further details can be found at https://www.mumc.nl/over-mumc/soc.

2.10. Other Information

Further information about MUMC-SOC can be found at https://www.mumc.nl/over-mumc/soc.

2.11. Points of Customer Contact

The preferred method for contacting MUMC-SOC is e-mail.
- For general inquiries, please send e-mail to: soc@mumc.nl
- For abuse or security issues, please use: soc@mumc.nl
- In case of emergency, contact MUMC-SOC through (secure) e-mail

MUMC-SOC's hours of operation are restricted to regular business hours (except for public holidays):
- Monday to Friday: 08:00 - 17:30

The MUMC-SOC's 24/7/365 watch desk will respond to emergencies outside of normal business hours. The MUMC-SOC's watch desk can be contacted through the regular methods.

EMERGENCY cases: Use the MUMC-SOC phone number, backed up by an e-mail containing all known details (putting EMERGENCY in the subject line is recommended). The escalation manager (not a MUMC-SOC team member) decides whether MUMC-SOC will be involved directly or not.

3. Charter

3.1. Mission Statement

MUMC-SOC's mission is to coordinate the resolution of IT-security incidents related to the Maastricht Universitair Medisch Centrum+ (MUMC+), and to help prevent such incidents from occurring.

For the world, MUMC-SOC is the MUMC+ interface with regard to IT-security incident response. All IT-security incidents (including abuse) related to MUMC+ can be reported to MUMC-SOC.

3.2. Constituency

Maastricht Universitair Medisch Centrum+ (MUMC+), with all its organizations and institutions connected to MUMC+'s network, with all related employees and students.

3.3. Sponsorship and/or Affiliation

MUMC-SOC is part of the MUMC+ IT-department (MIT).

3.4. Authority

MUMC-SOC performs investigations, provides security-monitoring services and coordinates security incidents on behalf of MUMC+, and has no authority reaching further than that.

MUMC-SOC is, however, expected to make operational recommendations in the course of its work. Such recommendations can include, for instance, blocking addresses or networks. The implementation of such recommendations is not a responsibility of MUMC-SOC, but solely of those to whom the recommendations were made.

4. Policies

4.1. Types of Incidents and Level of Support

All incidents are considered normal priority unless they are labeled EMERGENCY. MUMC-SOC itself is the authority that can set and reset the EMERGENCY label. An incident can be reported to MUMC-SOC as EMERGENCY, but it is up to MUMC-SOC to decide whether to uphold that status.

4.2. Co-operation, Interaction and Disclosure of Information

All incoming information is handled confidentially by MUMC-SOC, regardless of its priority.

Information that is evidently very sensitive in nature is only communicated and stored in a secure environment, if necessary using encryption technologies. When reporting an incident of a very sensitive nature, please state so explicitly (e.g. by using the label VERY SENSITIVE in the subject field of the e-mail) and if possible use encryption as well.

MUMC-SOC supports the Traffic Light Protocol (TLP - see https://www.first.org/tlp/docs/tlp-v1.pdf): information that comes in with the tags WHITE, GREEN, AMBER or RED will be handled appropriately.

MUMC-SOC will use the information you provide to help solve security incidents, as all CSIRTs/CERTs do or should do. This means explicitly that the information will be distributed further only on a need-to-know basis, and preferably in an anonymized fashion.

If you object to this default behavior of MUMC-SOC, please make explicit what MUMC-SOC can do with the information you provide. MUMC-SOC will adhere to your policy, but will also point out to you if that means that MUMC-SOC cannot act on the information provided.

MUMC-SOC does not report incidents to law enforcement, unless Dutch law so requires, as in the case of first-degree crime. Likewise, MUMC-SOC cooperates with law enforcement in the course of an official investigation only, meaning a court order is present, AND in case a MUMC-SOC constituent requests that MUMC-SOC cooperate in an investigation or formal report. In the latter case, when a court order is absent, MUMC-SOC will only provide information on a need-to-know basis.

4.3. Communication and Authentication

See 2.8 above. Usage of PGP in all cases where sensitive information is involved is highly recommended.

5. Services

5.1. Incident Response (Triage, Coordination, and Resolution)

MUMC-SOC assists MUMC+ in handling the technical and organizational aspects of incidents and helps them to return to business as usual in a quick and responsible manner. In particular, it will provide assistance or advice with respect to the following aspects of incident management:

5.1.1. Incident Triage

- Investigating whether indeed an incident occurred.
- Determining the extent of the incident.

5.1.2. Incident Coordination

- Determining the initial cause of the incident (vulnerability exploited).
- Facilitating contact with other parties which may be involved.
- Facilitating contact with appropriate law enforcement officials, if necessary.
- Making reports to other CSIRTs.
- Composing announcements to users, if applicable.

5.1.3. Incident Resolution

MUMC-SOC is responsible for the coordination of security incidents somehow involving MUMC+. MUMC-SOC therefore handles both the triage and coordination aspects. Incident resolution is left to the responsible administrators within MUMC+ and externally.

5.2. Proactive Activities

MUMC-SOC pro-actively advises its constituency with regard to recent vulnerabilities and trends in hacking/cracking.

MUMC-SOC advises MUMC+ on matters of computer and network security. It can do so pro-actively in urgent cases, or on request.

Both roles are roles of consultancy; MUMC-SOC is not responsible for implementation.

6. Incident Reporting Forms

Not available. Incidents are reported in MUMC+'s central IT-incident registration system.

7. Disclaimers

A generic disclaimer stating confidentiality and need-to-know status of specific information is available below. In due cases this disclaimer will be adapted according to the nature of the incident and the persons/organizations involved.

-------------start generic disclaimer------------------

You are receiving this information due to your involvement in an incident dealt with by MUMC-SOC (https://www.mumc.nl/over-mumc/soc). You must treat this information as strictly confidential. Copies of this information in your possession (electronic and/or hard copy) must be stored in a manner that is not accessible to unauthorized third parties. If it should be necessary to further distribute this information in the process of handling the incident involved, this should be done on an individual basis, making use of this disclaimer and with a copy being sent to MUMC-SOC.

-------------end generic disclaimer------------------