Information Handling Policy
Information handling policy FORTH CERT wishes
to acknowledge the spirit of cooperation that created the
Internet. Therefore, while appropriate measures will be taken
to protect the identity of members of our constituency and
members of neighbouring sites, FORTH CERT will
otherwise share information freely in order to assist with
the resolution and/or prevention of security incidents.
FORTH CERT may release information to any
third party or to governing authorities whenever there is
a legal obligation to do so. However, FORTH CERT
may in some cases delay this action until such it has been
established irrevocably, e.g. by court order. FORTH
CERT will in such cases always notify the affected
persons or organisations. Information being considered for
release will be handled as follows:
1. " Private information is information about particular users,
or applications, which must be considered confidential for
legal, contractual, and/or ethical reasons.
Private information will be released outside FORTH
CERT after all identifying parts have been removed
2. Intruder information, and in particular identifying information,
will not be released to the public (unless it becomes a matter
of public record). However it will be exchanged freely with
system administrators and CSIRT's tracking an incident.
3. " Private site information will not be released without
the permission of the site in question.
4. " Vulnerability information will be released freely, though
every effort will be made to inform and work with the relevant
vendor before the general public is informed. "
5. Statistical information will be released at the discretion
of FORTH CERT. "
6. Other sites and CSIRT's, when they are partners in the
investigation of a computer security incident, can be trusted
with confidential information. This will happen only if the
other site's credentials can be verified and the information
transmitted will be limited to that which is likely to be
helpful in resolving the incident.
7. " Law enforcement officers will receive legally required
cooperation from FORTH CERT.
Use on Cryptography Policy
According to the types of information that FORTH CERT,
will likely be dealing with, telephones will be considered sufficiently
secure to be used even unencrypted. Unencrypted e-mail will
not be considered particularly secure, but will be sufficient
for the transmission of low-sensitivity data.
If it is necessary to send highly sensitive data by e-mail,
PGP encryption will be used. Network file transfers will be
considered to be similar to e-mail for these purposes: sensitive
data should be encrypted before transmission.
Where it is necessary to establish trust, for example before
relying on information given to FORTH CERT,
or before disclosing confidential information, the identity
and trust level of the other party will be ascertained to a
Within the constituency, and referrals from known trusted people
will suffice to identify someone. Otherwise, appropriate methods
will be used, such as a search of FIRST
members, the use of WHOIS and other Internet registration
information, along with telephone call-back or e-mail mail-back
to ensure that the party is not an impostor. Incoming e-mail
whose data must be trusted will be checked with the originator
personally, or by means of digital signatures (PGP in particular