CSIRT Description for CSIRT-CEZ (English version)
=======================================================

1. About this document

This document contains a description of CSIRT-CEZ according to RFC 2350.

1.1 Date of last update

This is version 1.4, published 2025/11/25.

1.2 Distribution List for Notifications

Currently CSIRT-CEZ does not use any distribution lists to notify about changes in this document.

1.3 Location where this document may be found

The current version of this CSIRT description is available on the Centrum e-Zdrowia website. Its URL is:
https://cez.gov.pl/sites/default/files/2024-11/RFC2350EN_v.1.4.txt

URL of the Polish version of this document:
https://cez.gov.pl/sites/default/files/2024-11/RFC2350PL_v.1.4.txt

Please make sure you are using the latest version.

1.4 Authenticating this Document

This document has been signed with the CSIRT-CEZ PGP key. The signature may be verified with the PGP public key specified in paragraph 2.7 of this document.

2. Contact Information

2.1 Name of the Team

Short name: CSIRT-CEZ
Full name: Sectoral Computer Security Incident Response Team

2.2 Address

Centrum e-Zdrowia
Sectoral Computer Security Incident Response Team
ul. Stanisława Dubois 5a
00-184 Warszawa
Poland

2.3 Time zone

Central European Time (CET) - UTC + 1
Central European Summer Time (CEST) - UTC + 2
according to EU regulations (from the last Sunday of March to the last Sunday of October)

2.4 Telephone Number

+48 573 205 962

2.5 Other Telecommunication

None available

2.6 Electronic mail address

csirt[at]cez.gov.pl

2.7 Public Keys and other Encryption Information

PGP CSIRT-CEZ Key:
Key ID: 784E 6C77 8BBC 67EE
Fingerprint: 37C775358972DE361DC2D78C784E6C778BBC67EE

The public key is available on the CSIRT-CEZ website at:
https://cez.gov.pl/sites/default/files/Klucz%20publiczny.asc

2.8 Points of Contact

The preferred method for contacting CSIRT-CEZ is via e-mail.
For general inquiries please use address:
E-mail for incident reporting:
For incident reporting a form is available at https://cez.gov.pl/pl/page/zglos-incydent

3. Charter

3.1 Mission statement

The mission of CSIRT-CEZ is to contribute to cybersecurity efforts by development of competence and capability to avoid, identify and limit activities posing risk to security of network and information systems, confidentiality, integrity, availability and authenticity of data processed and supporting the ability to respond to and minimize impact of cyber threats in Polish healthcare sector.

3.2 Constituency

Constituency of CSIRT-CEZ consists of entities constituting healthcare sector in Poland as indicated in Annex 1 to the Act of 5 July 2018 on the national cybersecurity system.

3.3 Sponsorship and Affiliation

CSIRT-CEZ operates within Centrum e-Zdrowia and is subject to its internal regulations. Day to day operation of the team is financed by the Centrum e-Zdrowia budget.

3.4 Authority

CSIRT-CEZ was appointed by the Minister of Health of the Republic of Poland as a sectoral CSIRT under the Article 44 (1) of the Act of 5 July 2018 on the national cybersecurity system and operates under the provisions of this Act.

4. Policies

4.1 Types of Incidents and Level of Support

CSIRT-CEZ is authorized to address all types of computer and network security incidents that might occur within its constituency (within the scope of services provided).

CSIRT-CEZ prioritizes incidents according to their severity, extent, and matter. Incidents are handled according to their priority.

The level of support provided by the CSIRT-CEZ will vary depending on the severity and type of the issue, as well as other relevant circumstances.

4.2 Co-operation, interaction and Disclosure of Information

CSIRT-CEZ cooperates with national level CSIRTs within the national cybersecurity system.

CSIRT-CEZ may transmit to other countries, including European Union Member States, and receive from those countries information on incidents. CSIRT-CEZ may receive reports of an incident from another European Union Member State.

CSIRT-CEZ exchanges all necessary information for cooperation with national CSIRTs, law enforcement as well as with the other interested parties on a need-to-know basis.

CSIRT-CEZ processes personal data obtained in connection with incidents and security threats:
- concerning users of IT systems and users of telecommunications terminal equipment;
- concerning telecommunications terminal equipment;
- collected by operators of essential services in connection with the provision of services;
- collected by public entities in connection with the implementation of public tasks, concerning entities reporting an incident.

All sensitive data (such as PII, system configurations, known vulnerabilities with their locations, etc.) are encrypted if they must be transmitted over an unsecured environment.

4.3 Communication and authentication

The CSIRT-CEZ is bound to comply with Polish and EU regulations regarding handling of sensitive information.

For normal communication not containing sensitive information, the CSIRT-CEZ might use conventional methods like unencrypted email or telephone. For secure communication, PGP-encrypted email will be used.

If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g., CSIRT network) or by other methods like call-back, mail-back, or even face-to-face meetings if necessary.

CSIRT-CEZ also recognizes and supports the ISTLP (Information Sharing Traffic Light Protocol).

5. Services

5.1 Incident Response

CSIRT-CEZ assists its constituency in security incidents' response. CSIRT-CEZ's capabilities cover incident response:
- incident detection and analysis;
- incident coordination;
- incident resolution.

5.1.1 Incident detection and analysis

The service includes:
- security incident report receipt;
- investigating whether an incident occurred;
- analysis of evidence;
- severity assessment;
- determining the extent of the incident;
- prioritizing.

5.1.2 Incident Coordination

Incidents are coordinated with involved parties including affected entity, national CSIRT(s) and competent authorities. Coordination includes:
- determining the root cause of the incident (vulnerability exploited);
- facilitating contact with other parties which may be affected;
- facilitating contact with national level CSIRT and law enforcement officials, if necessary.

5.1.3 Incident Resolution

CSIRT-CEZ supports its constituency in incident resolution which may include:
- supporting response planning;
- technical assistance to systems and network administrators in eradication or elimination of the cause of a security incident (the vulnerability exploited), and its effects;
- collection of evidence to start legal actions if necessary;
- recommendation of the security improvements to system administrators and management;
- reporting.

5.2 Proactive activities

CSIRT-CEZ acts proactively to enhance constituents' resilience to security incidents and to limit the impact of incidents that occur. The activities include:
- provision of information regarding known vulnerabilities, patches or resolutions of past problems;
- education and training;
- assisting operators of essential services in fulfilling their statutory obligations arising from the Act of 5 July 2018 on the national cybersecurity system;
- auditing and consulting.

6. Incident Reporting Form

For incident reporting a form is available at https://cez.gov.pl/pl/page/zglos-incydent

7. Disclaimers

While every precaution will be taken in the preparation of information, notifications and alerts, CSIRT-CEZ assumes no responsibility for errors or omissions, or for damages resulting from the use of the information this document provides.

Although we tried to carefully translate the original document from Polish into English, we cannot be certain that both documents express the same thoughts at the same level of detail and correctness. In all cases where there is a difference between both versions, the Polish version will prevail.