RFC 2350

This is a description of the SANReN Proactive CSIRT as per RFC 2350. It provides basic information about the CSIRT, services offered and contact information.

  1. Document Information

    The CSIRT is an academic-sector coordinating CSIRT that provides services to research and education institutions of South Africa.

    Due to the dual-organisational makeup of the South African National Research and Education Network (NREN), the CSIRT operates as a distributed team focusing on Reactive (TENET) and Proactive (SANReN) services respectively. This document is for the proactive side of the team.

    For reactive services (e.g. incident response) please contact the Tertiary Education and Research Network of South Africa (TENET) directly at:
    +27 21 7637 one-four-seven (24x7) or csirt {at} tenet.ac.za

    1. Date of Last Update

      v1.5, 2023/09/22

    2. Distribution List for Notifications

      Updates are distributed via the CSIRT website and announcements mailing list. Subscription requests can be sent to "csirt-news+subscribe@sanren.ac.za".

    3. Locations where this Document May Be Found

      The latest version of this document is available here (signed).

    4. Authenticity of this Document

      The text version of this document is signed with the team's PGP key (see 2.8).

  2. Contact Information
    1. Name of the Team

      "SANReN CSIRT": the South African National Research Network proactive Computer Security Incident Response Team.

    2. Address

      SANReN CSIRT

      CSIR

      Building 43

      2 Meiring Naudé Road, Brummeria, Pretoria, 0184

      Pretoria, South Africa

    3. Time Zone

      SAST (UTC+0200)

    4. Telephone Numbers

      +27 12 8427 six-five-eight - Heloise Meyer (business hours only)

    5. Facsimile Number

      Not advised. Please call/email upfront if required.

    6. Other Telecommunication methods

      Not available.

    7. Electronic Mail Address

      "csirt{at}sanren.ac.za"; relays to all SANReN CSIRT members. Use our PGP key to encrypt sensitive information.

    8. Public Keys and Encryption Information

      The CSIRT team PGP key can be found on the usual public key servers (link here).

      "csirt{at}sanren.ac.za" PGP Key

      KeyID: 0xE2C491CED20D800F

      Fingerprint: 8E0A 2756 1B3E 2B99 4246 C1AA 04A1 B821 AA99 CA2C

      Individual team members' keys are available on request.

    9. Team Members

      Operations Manager: Heloise Meyer

      Senior Cyber Security Analyst: Kgwadi Matenche

      Senior Cyber Security Analyst: Sicelo Ncekana

      Cyber Security Analyst: Maajied Moos

    10. Other Information

      See our website

    11. Points of Customer Contact

      The preferred method for contacting the CSIRT is via e-mail "csirt{at}sanren.ac.za". Note that requests for reactive (e.g. incident response) services should instead be sent to TENET "csirt{at}tenet.ac.za". Please place your institution's name in the subject line.

      The team is typically available from 09:00-16:00 Monday to Friday except for public holidays and 25 December to 1 January. We do not provide a 24x7 service.

      If it is not possible (or advisable for security reasons) to use e-mail, the proactive CSIRT can be reached by telephone (see 2.4 for numbers) during regular office hours (minimally 9am to 4pm SAST). Voice messages are reviewed.

  3. Charter
    1. Mission Statement

      The mission of the SANReN CSIRT is to provide proactive IT security services to the sites and users of the SANReN network; with the goal of minimising the occurrence of incidents and equipping the constituency to better safeguard against malicious activity.

      Note that this is intended to complement the TENET (reactive) CSIRT's mission.

    2. Constituency

      The constituency are the beneficiaries of the SANReN network including customers of TENET defined as the "campuses of South African education and research institutions and associated support institutions in the public sector that connect to the network".

      More formally, the constituency can be defined as

      .ac.za domain registrants and/or

      users of systems and IP addresses in AS 2018 (TENET's autonomous system)

      as clarified by the TENET connection policy.

    3. Sponsorship and/or Affiliation

      The SANReN CSIRT is primarily funded via the Department of Science and Innovation (DSI) South Africa as part of the SANReN project. The SANReN team (including the CSIRT) is hosted by the Council for Scientific and Industrial Research (CSIR) Meraka Institute. The CSIRT is closely affiliated with the Tertiary Education and Research Network of South Africa (TENET) who operate the SANReN network and also provide the reactive CSIRT services. For further relationship detail please see the SANReN website.

      Some services (e.g. vulnerability assessments) are charged for on a cost recovery basis.

    4. Authority

      The primary objective of the SANReN CSIRT is to proactively mitigate IT security-related issues affecting the SANReN network and constituency as described in the Services section. This is achieved in an advisory role. Accordingly, the team has limited/indirect authority over the constituency.

      The TENET AUP defines acceptable use of the SANReN network and infringements could result in intervention by TENET.

  4. Policies
    1. Types of Incidents and Level of Support

      The SANReN CSIRT does not directly handle incidents. The constituency is, however, welcome to contact the team for IT security-related advice at any time (including during an incident). Response will be on a best-effort basis depending on the current load and availability of team members.

      For incident response services please contact TENET: "csirt{at}tenet.ac.za".

    2. Co-operation, Interaction and Disclosure of Information

      The SANReN CSIRT follows the principle of responsible disclosure within the bounds of policy and legislation. The information security traffic light protocol is used to classify information handled by the CSIRT as follows:

      TLP:RED - Not for disclosure, restricted to participants only (most sensitive).

      TLP:AMBER - Limited disclosure, restricted to participants' organisations on a need-to-know basis (sensitive). Note that TLP:AMBER+STRICT restricts sharing to the organization only.

      TLP:GREEN - Limited disclosure, restricted to the community and related organisations (less sensitive).

      TLP:CLEAR - Unrestricted disclosure, public (not sensitive).

      For the SANReN CSIRT: participants = the CSIRT team member(s) involved in the exchange only, organisations = SANReN + TENET, and community = constituency.

      A constituent may request that information be handled at a preferred level; otherwise the CSIRT will classify it at a level it deems appropriate. Where practicable, the CSIRT will seek authorisation from a constituent before sharing sensitive information, which will also be anonymised if doing so does not affect the value/use of the information (e.g. redaction of site-identifiable information).

    3. Communication and Authentication

      In view of the types of information that the SANReN CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP should be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission. Please contact the CSIRT prior to sending sensitive information if assistance is required (for example in setting up PGP or an alternative secure mechanism).

  5. Services

    For reactive services (e.g. incident response and support), please contact TENET “csirt{at}tenet.ac.za”. The SANReN CSIRT offers the following services as per our website. These services are only available to the constituency (exceptions on agreement).

    1. Vulnerability Assessments

      The SANReN CSIRT offers a vulnerability scanning service to constituents. This is a process to identify, classify, report on and provide remediation advice on the security weaknesses of specific IT infrastructure. The service helps institutions identify and remedy vulnerabilities to prevent an attack/compromise. Both external and internal scans can be performed.

    2. Announcements

      The SANReN CSIRT provides an "announcements" service to highlight recent cybersecurity news including alerts/warnings (e.g. intrusions, threats), advisories (e.g. vulnerabilities, bulletins), articles (e.g. interesting news) and any other security-related information (e.g. team updates) that may be of interest to the constituency.

      Mechanisms for disseminating these announcements include the CSIRT website, mailing lists and RSS feeds (accessible from the website under specific services). The mailing lists are only available to constituency representatives.

    3. Resources

      The SANReN CSIRT provides a "resources" service that offers a collection of cyber security incident response playbooks providing a consistent approach to follow when remediating a cybersecurity incident.

  6. Incident Reporting Forms

    Not applicable. Please contact "csirt{at}tenet.ac.za" for incident support.

  7. Disclaimers

    This information is accurate at publication date.

    While every precaution will be taken in the preparation of the website, information, notifications and alerts, the SANReN CSIRT (and sponsors/affiliates) assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained therein including this document.

    The key signed version can be found here.