ServicesReport IncidentsBest PracticesResources
Site search:
Report your Incident Report your Incident
Contact us Contact us
Latest news:


Legal/FORTH CERT Policies

Information Handling Policy

Information handling policy FORTH CERT wishes to acknowledge the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites, FORTH CERT will otherwise share information freely in order to assist with the resolution and/or prevention of security incidents.
FORTH CERT may release information to any third party or to governing authorities whenever there is a legal obligation to do so. However, FORTH CERT may in some cases delay this action until such it has been established irrevocably, e.g. by court order. FORTH CERT will in such cases always notify the affected persons or organisations. Information being considered for release will be handled as follows:

1. " Private information is information about particular users, or applications, which must be considered confidential for legal, contractual, and/or ethical reasons.
Private information will be released outside FORTH CERT after all identifying parts have been removed "

2. Intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record). However it will be exchanged freely with system administrators and CSIRT's tracking an incident.

3. " Private site information will not be released without the permission of the site in question.

4. " Vulnerability information will be released freely, though every effort will be made to inform and work with the relevant vendor before the general public is informed. "

5. Statistical information will be released at the discretion of FORTH CERT. "

6. Other sites and CSIRT's, when they are partners in the investigation of a computer security incident, can be trusted with confidential information. This will happen only if the other site's credentials can be verified and the information transmitted will be limited to that which is likely to be helpful in resolving the incident.

7. " Law enforcement officers will receive legally required cooperation from FORTH CERT.

Use on Cryptography Policy

According to the types of information that FORTH CERT, will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data.
If it is necessary to send highly sensitive data by e-mail, PGP encryption will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted before transmission.
Where it is necessary to establish trust, for example before relying on information given to FORTH CERT, or before disclosing confidential information, the identity and trust level of the other party will be ascertained to a reasonable degree.
Within the constituency, and referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST or TI members, the use of WHOIS and other Internet registration information, along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).



FORTH Logo