CERT Finanziario Italiano (CERTFIN) - RFC 2350
1. Document Information
This document contains a description of CERT Finanziario Italiano (in the following referred to as CERTFIN) according to RFC 2350 (http://www.rfc-base.org/txt/rfc-2350.txt).
It defines the basic information related to CERTFIN, including a brief explanation of the tasks and services offered and how it can be contacted.
1.1. DATE OF LAST UPDATE
This is version 1.0.0 published on May 6th, 2019.
1.2. DISTRIBUTION LIST FOR NOTIFICATIONS
Notifications will be sent to the representatives of the constituency.
1.3. LOCATIONS WHERE THIS DOCUMENT MAY BE FOUND
The document is available on CERTFIN’s website at the following URLs:
Make sure to always use the updated version.
2. Contact Information
2.1. NAME OF THE TEAM
CERT Finanziario Italiano
Short name: CERTFIN
CERTFin c/o ABI Lab
Via alle Botteghe Oscure, 4
2.3. TIME ZONE
Central European Time (UTC+1), and observing Daylight Saving Time (UTC+2) from the last Sunday of March to the last Sunday of October.
2.4. TELEPHONE NUMBER
(+39) 06 6767.327
Emergency Points of Contact
(+39) 331 662.8967
(+39) 346 218.6137
(+39) 348 429.0304
Subscription, Partnership, Collaborations
(+39) 345 162.1558
2.5. FACSIMILE NUMBER
(+39) 06 6767.9466 (this is not a secure fax)
2.6. OTHER TELECOMMUNICATION
2.7. ELECTRONIC MAIL ADDRESS
CERTFIN can be reached at email@example.com.
Messages sent to this address can be read by all members of the CERTFIN team.
2.8. PUBLIC KEYS AND ENCRYPTION INFORMATION
PGP/GPG is supported for secure communication.
· ID: FinISAC <firstname.lastname@example.org>
· Fingerprint: 7E4B B1EE 4230 8560 35D5 E9ED B3DA 72A4 0664 0DCF
All team members of CERTFIN have a personal PGP/GPG key for exchange of classified information.
2.9. TEAM MEMBERS
CERTFIN team consists of qualified cyber security analysts.
The Chief Operating Officer is Romano Stasi.
The Technical Coordinator is Mario Trinchera.
2.10. OPERATING HOURS
The preferred method for contacting CERTFIN is via email at email@example.com. The mailbox is monitored from Monday to Friday 09.00 - 17.00, except during public holidays in Italy.
A telephone number (operating 24/7) has been provided to representatives of the constituency. Please use PGP/GPG if you intend to send sensitive information.
2.11. OTHER INFORMATION
General information about CERTFIN can be found at https://certfin.it.
3.1. MISSION STATEMENT
CERTFIN is the focal point for the collection, analysis and sharing of information related to cyber threats, and for the coordination of activities to prevent and support response to cyber emergencies that could harm IT-assets of the Italian financial and assurance organizations participating in the Constituency.
The main goals of CERTFIN are:
· to provide prompt information regarding potential cyber-threats that could damage banks and insurance organizations;
· to act as Point of Contact between financial operators and other relevant public institutions as far as cyber protection is concerned;
· to facilitate the response to large-scale security incidents;
· to support the crisis management process in case of cyber incidents;
· to cooperate with national and international institutions and other actors, from both public and private sector, which are involved in cyber security, by promoting the cooperation among them;
· to improve cyber-security awareness and culture.
The CERTFIN’s constituency includes financial and insurance organizations adherent to CERTFIN.
3.3. SPONSORSHIP AND/OR AFFILIATION
Banca d’Italia, ABI and ABI Lab promote CERTFIN as a CERT for the Italian financial sector with the aim of enhancing the cyber resilience of organizations operating in the banking, financial and assurance sectors.
CERTFIN operates under the auspices of, and with authority delegated by, Banca d’Italia and ABI.
CERTFIN is not an authoritative body. It performs its functions through cooperation agreements and protocols.
4.1. TYPES OF INCIDENTS AND LEVEL OF SUPPORT
CERTFIN is authorized to support and coordinate relevant cyber security incidents which occur, or threaten to occur, at participants in the constituency. Depending on the security incident’s nature, CERTFIN will gradually roll out its services, which include incident response coordination, alerting, and escalation to the central bank.
The level of support given by CERTFIN will vary depending on the type and severity of the incident or issue, its potential or assessed impact, and the CERTFIN’s resources available at the time.
The CERTFIN is committed to keeping its constituency updated on potential vulnerabilities, possibly before they are actively exploited.
4.2. CO-OPERATION, INTERACTION AND DISCLOSURE OF INFORMATION
CERTFIN receives from its constituency alerts related to incidents or threats. It evaluates their possible impact on the financial and insurance sector, informs all the involved actors and coordinates them in order to find the most suitable solutions.
CERTFIN regards the operational cooperation and information sharing with other CERTs and similar qualified organizations as of paramount importance. Therefore, while appropriate measures will be taken to protect the identity of members of the constituency and of neighbouring sites where necessary, unless otherwise expressly stated, CERTFIN ensures the confidentiality of its sources of information. The information received, possibly anonymized, may be shared with interested parties in order to solve or prevent specific issues.
CERTFIN operates within the current Italian and European legal frameworks, with specific regard to the handling and disclosure of information.
4.3. COMMUNICATION AND AUTHENTICATION
Telephones and unencrypted emails are considered sufficiently secure for the transmission of low-sensitive data. If it is necessary to send highly sensitive data by email, PGP/GPG will be used. Network file transfers will be similar to email for these purposes: sensitive data will be encrypted for transmission.
CERTFIN recognizes and supports the TLP (Information Sharing Traffic Light Protocol).
Where it is necessary to establish trust, for example before relying on information given to the CERTFIN or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust by use of appropriate methods (e.g.: referrals from known trusted sources, checks with the originator, digital signatures).
5.1. INCIDENT RESPONSE
CERTFIN will support the affected constituents in handling the technical and organizational aspects of relevant cyber security incidents.
In case of a large-scale national event, CERT Nazionale activates the coordination process for the incident resolution, including sending out alerts and warnings to its constituency, performing digital forensic analysis when necessary, and providing assistance or advice with respect to the different incident response phases.
5.1.1 Incident Triage
CERTFIN assesses the triage label of the reported incidents. The events are analysed by verifying the reliability of the source and finding any other available information. Then they are categorized according to their seriousness.
In case of a large-scale national event, CERTFIN activates the escalation process for the incident resolution.
5.1.2 Incident Coordination
The steps for Incident Coordination are described as follows:
1) To identify the organizations involved;
2) To establish contacts with all the stakeholders in order to analyse the incident and identify actions to be undertaken;
3) To facilitate contacts with other organizations that can provide support in solving the incident;
4) To promptly inform all the involved (or potentially involved) parties within their constituency;
5) To write reports and send them to other CERTs or interested organizations.
CERTFin acts primarily as an information gathering centre. The information collected is readily sorted within the constituency to facilitate the solution of cyber security incidents.
5.1.3 Incident Resolution
CERTFIN disseminates the information needed to counteract the incident and to restore the state of normality as quickly as possible in cooperation with the involved member constituency.
5.2. PROACTIVE ACTIVITIES
CERTFIN coordinates and maintains the following services for its constituency:
· Cyber Threat Intelligence, based on the collection of intelligence from different external sources, with the aim of researching and analysing trends and technical developments in cyber areas;
· Information Sharing, with the aim of exchanging and keeping updated information about threats and vulnerabilities and of preparing analysis about fraud and cyber-attacks (through the MISP platform, periodical conference calls and reports delivery);
· Security Awareness, for improving the cyber security consciousness of banking and insurance customers;
· Dissemination of useful information gathered through the main national and international conferences and European projects.
6. Incident Reporting Forms
CERTFIN does not provide any public form for reporting incidents.
Any member of the constituency can send information about security incidents, threats or related information to CERTFIN by sending an email, possibly encrypted, to firstname.lastname@example.org.
When reporting a cyber security incident to CERTFIN, please provide at least the following information:
· contact details and organizational information;
· type and description of the incident or threat;
· time and date of reported event, including the time zone;
· source of information;
· possible impacts;
· any relevant technical element with associated observation.
Members of the constituency can report incidents using the same reporting forms already used for communication to Institutional Bodies.
Please classify the information using the Traffic Light Protocol and apply encryption as appropriate.
Do not send malicious code or other attachments via email without having previously agreed the transmission mode with CERTFIN.
While every precaution will be taken in the preparation of information, notifications and alerts, CERTFIN assumes no responsibility for errors or omissions, or for damages arising from the use of such information.
Appendix A: Glossary of Terms
Constituency: group of users, sites, networks or organizations served by the team. The team must be recognized by its constituency in order to be effective.
Security Incident: any adverse event which compromises some aspect of computer or network security.
The definition of an incident may vary between organizations, but at least the following categories are generally applicable:
- Loss of confidentiality of information.
- Compromise of integrity of information.
- Denial of service.
- Misuse of service, systems or information.
- Damage to systems.
Vulnerability: a characteristic of a piece of technology which can be exploited to perpetrate a security incident.
For further terms, please refer to the Cyber Lexicon of the Financial Stability Board (http://www.fsb.org/2018/11/cyber-lexicon/).