CSIRT Description for CSIRT GOV

1. About this document

This document contains a description of CSIRT GOV according to RFC 2350. It provides basic information on CSIRT GOV, its tasks and the communication channels employed.

1.1. Date of last update

Document Version: 1.00, published on 23 December 2022

1.2. Distribution list for notifications

Currently CSIRT GOV does not use any distribution list to notify of changes made to this document.

1.3. Locations where this document may be found

The latest version of the CSIRT GOV description document is available on the website: https://csirt.gov.pl/cee/main-site/77,About-us.html

1.4. Authenticating this Document

This document has been signed with a PGP key, available at: https://csirt.gov.pl/cee/pgp-public-key/75,PGP-PUBLIC-KEY.html

2. Contact Information

2.1. Name of the Team

The Computer Security Incident Response Team CSIRT GOV

2.2. Address Details

CSIRT GOV
UL. Rakowiecka 2a
00-993 Warszawa
Polska

2.3. Time Zone

Central European Time (GMT +0100, GMT +0200 between the last Sunday of March and last Sunday of October)

2.4. Telephone Numbers

+48 22 5859 373

2.5. Facsimile Number

+48 22 58 58 833

2.6. Other telecommunication

Unavailable

2.7. Electronic Mail Address

csirt@csirt.gov.pl

2.8. Public Keys and Other Encryption Information

The PGP key used by CSIRT GOV is available at: https://csirt.gov.pl/cee/pgp-public-key/75,PGP-PUBLIC-KEY.html

2.9. Other Information

General information is available at: https://csirt.gov.pl

2.10. Points of Customer Contact

In order to ensure integrity and confidentiality, the preferred method of contact is an e-mail sent with a PGP key.

IT incidents should be reported to CSIRT GOV by filling out the form available on its website, https://csirt.gov.pl, in the ‘reporting incident’ tab and forwarding it to the following address: incydent@csirt.gov.pl

An IT incident can also be reported by fax on the following number: +48 22 58 58833, or by postal mail to the following address:

CSIRT GOV
UL. Rakowiecka 2a
00-993 Warszawa
Polska

If urgent contact is required, please call the CSIRT GOV Duty Officer on +48 22 58 59 373.

3. Charter

3.1. Mission Statement

The Computer Security Incident Response Team CSIRT GOV, under the supervision of the Head of Internal Security Agency, operates as the national level CSIRT Team responsible for coordinating the process of response to the IT incidents occurring within the area set out in Article 26 paragraph 7 of the Act of 05 July 2018 on the National Cybersecurity System (Journal of Laws 2022, item 1863).

One of its basic tasks involves recognising, preventing and detecting threats which may affect the security, and are fundamental for maintaining the continuity of functioning of the state, IT systems of the public bodies and government departments and the IT systems and networks included in the consolidated list of facilities, installations, devices and services being part of the critical infrastructure as well as the IT systems of the owners and holders of facilities, installations or devices of the critical infrastructure, referred to in Article 5b paragraph 7 item 1 of the Act of 26 April 2007 on Crisis Management (Journal of Laws 2022, item 261).

3.2. Constituency

CSIRT GOV's constituency:
- entities of the public finance sector, as referred to in Article 9 paragraph 1, 8 and 9 of the Law of August 27, 2009 on public finance, except those listed in paragraphs 5 and 6 of the Law of July 5, 2018 on the national cyber security system;
- entities subordinate to or supervised by the President of the Council of Ministers (Prime Minister);
- National Bank of Poland;
- National Holding Bank [Bank Gospodarstwa Krajowego];
- systems or IT networks covered by a consolidated list of facilities, installations, devices, and services included in the critical infrastructure, as well as the IT systems of the owners and holders of the facilities, installations, devices and services being part of critical infrastructure, as referred to in Article 5b paragraph 7 item 1 of the Crisis Management Act of April 26, 2007.

Incidents reported to CSIRT GOV which fall outside its scope of operation are immediately forwarded to the relevant CSIRT, pursuant to Article 26 paragraph 8 of the Act on the National Cyber Security System of July 5, 2018.

3.3. Sponsorship and/or Affiliation

CSIRT GOV is operated by the Head of Internal Security Agency ABW and functions as the CSIRT Team at the national level.

3.4. Authority

Legal acts governing the scope of operation of CSIRT GOV:
- Act of 05 July 2018 on the National Cybersecurity System;
- Act of 24 May 2002 on the Internal Security Agency and Intelligence Agency;
- Act of 10 June 2016 on Anti-terrorist Activities.

4. Policies

4.1. Types of Incidents and Level of Support

The CSIRT GOV Team handles all types of computer security incidents within its remit. CSIRT GOV may prioritise the tasks.

4.2. Co-operation, Interaction and Disclosure of Information

CSIRT GOV cooperates with the CSIRT NASK and CSIRT MON teams, authorities competent for cybersecurity, the minister competent for computerisation and the Government Plenipotentiary for Cybersecurity, ensuring a consistent and complete risk management system at the national level, executing activities aimed at counteracting cybersecurity threats of cross-sectoral and cross-border nature and providing coordination in handling the reported incidents.

CSIRT GOV cooperates with law enforcement agencies, judicial authorities and special services while executing its statutory tasks.

CSIRT GOV, while coordinating the handling of incidents which may lead to a personal data protection breach, cooperates with the authority competent for personal data protection.

CSIRT GOV processes personal data acquired in relation to incidents and security threats:
- regarding the IT systems users and the users of telecommunications terminal/end devices;
- regarding the telecommunications terminal devices;
- collected by key services operators and digital services providers in relation to services provision;
- collected by public entities in relation to the execution of the public tasks, with regard to the entities reporting the incident.

For the purposes of executing the tasks set out in the Act of 05 July 2018 on the National Cybersecurity System, CSIRT GOV, CSIRT MON, CSIRT NASK and the sectoral cybersecurity teams can share the above data, within the scope necessary to execute these tasks, and cooperate with an authority competent for personal data protection.

4.3. Communication and Authentication

To ensure the confidentiality of the information forwarded, we recommend using PGP/GPG encryption (this standard is globally used by the CSIRT teams). Software supporting PGP encryption for non-commercial purposes is available free of charge. It is available for almost all hardware platforms. In order to send an encrypted message, the CSIRT GOV public key is needed, available at: https://csirt.gov.pl/cee/pgp-public-key/75,PGP-PUBLIC-KEY.html

5. Services

5.1. Prevention

CSIRT GOV focuses on raising awareness and preventing threats within its remit. It monitors on a current basis the identified cybersecurity threats and collects data regarding the incidents which occurred and the Indicators of Compromise (IoC) obtained in the course of the analyses conducted. The conclusions from the analyses are subsequently made available in the form of published recommendations and warnings.

5.2. Incident Response

CSIRT GOV is responsible for coordinating and supporting the handling of IT security incidents that were reported by the entities within the statutory remit of its operations. The CSIRT GOV portfolio incorporates the entire process of response to incidents, in particular:
- preparation for incident handling,
- detection and analysis,
- containment, eradication, and recovery,
- analysis on request based on the evidence gathered,
- recommendations.

6. Incident reporting forms

The incident reporting guideline and form are available on the website: https://csirt.gov.pl/cee/cyber-security-incident-report/978,Cyber-security-incident-reporting.html

7. Indemnification clause

While every precaution will be taken in the preparation of information, notifications and security alerts, CSIRT GOV assumes no responsibility for any errors or omissions, or for any damages resulting from the use of the information contained within.