C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

About Us > RFC 2350

1 Document Information

This is a description of the SANReN Proactive CSIRT as per RFC 2350. It provides basic information about the CSIRT, services offered and contact information. The CSIRT is an academic sector, coordinating CSIRT providing services to research and education institutions of South Africa.

Due to the dual-organisational makeup of the South African National Research and Education Network (NREN), the CSIRT operates as a distributed team focusing on Reactive (TENET) and Proactive (SANReN) services respectively. This document is for the proactive side of the team.

For reactive services (e.g. incident response) please contact the Tertiary Education and Research Network of South Africa (TENET) directly at:
+27 21 7637 one-four-seven (24×7) or

1.1 Date of Last Update

v1.4, 2022/08/22.

1.2 Distribution List for Notifications

Updates are distributed via the CSIRT website and announcements mailing list. Subscription requests can be sent to “csirt-news+subscribe@sanren.ac.za”.

1.3 Locations where this Document May Be Found

The latest version of this document is available here (signed).

1.4 Authenticity of this Document

The text version of this document is signed with the team’s PGP key (see 2.8).

2 Contact Information

2.1 Name of the team

“SANReN CSIRT”: the South African National Research Network proactive Computer Security Incident Response Team.

2.2 Address

Building 43
2 Meiring Naudé Road, Brummeria, Pretoria, 0184
South Africa

2.3 Time Zone

SAST (UTC+0200)

2.4 Telephone Numbers

+27 12 8413 four-three-four – Renier van Heerden (business hours only)

2.5 Facsimile Number

Not advised. Please call/email upfront if required.

2.6 Other Telecommunication methods

Not available.

2.7 Electronic Mail Address

“csirt{a}sanren.ac.za”; relays to all SANReN CSIRT members. Use our PGP key to encrypt sensitive information.

2.8 Public Keys and Encryption Information

The CSIRT team PGP key can be found on the usual public key servers (link here).

“csirt{a}sanren.ac.za” PGP Key
KeyID: 0xE2C491CED20D800F
Fingerprint: C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

Individual team member’s keys are available on request.

2.9 Team Members

Manager: Renier van Heerden
Engineer: Kgwadi Matenche
Analyst: Sicelo Ncekana
Analyst: Heloise Meyer
Analyst: Maajied Moos

2.10 Other Information

See our website

2.11 Points of Customer Contact

The preferred method for contacting the CSIRT is via e-mail “csirt{a}sanren.ac.za”. Note that requests for reactive (e.g. incident response) services should instead be sent to TENET “csirt{a}tenet.ac.za”. Please place your institution’s name in the subject line.

The team is typically available from 09:00-16:00 Monday to Friday except for public holidays and 25 December to 1 January. We do not provide a 24×7 service.

If it is not possible (or advisable for security reasons) to use e-mail, the proactive CSIRT can be reached by telephone (see 2.4 for numbers) during regular office hours (minimally 9am to 4pm SAST). Voice messages are reviewed.

3 Charter

3.1 Mission Statement

The mission of the SANReN CSIRT is to provide proactive IT security services to the sites and users of the SANReN network; with the goal of minimising the occurrence of incidents and equipping the constituency to better safeguard against malicious activity.

Note that this is intended to complement the TENET (reactive) CSIRT’s mission.

3.2 Constituency

The constituency are the beneficiaries of the SANReN network including customers of TENET defined as the “campuses of South African education and research institutions and associated support institutions in the public sector that connect to the network”.

More formally, the constituency can be defined as

  1. .ac.za domain registrants and/or
  2. users of systems and IP addresses in AS 2018 (TENET’s autonomous system)

as clarified by the TENET connection policy.

3.3 Sponsorship and/or Affiliation

The SANReN CSIRT is primarily funded via the Department of Science and Innovation (DSI) South Africa as part of the SANReN project. The SANReN team (including the CSIRT) is hosted by the Council for Scientific and Industrial Research (CSIR) Meraka Institute. The CSIRT is closely affiliated with the Tertiary Education and Research Network of South Africa (TENET) who operate the SANReN network and also provide the reactive CSIRT services. For further relationship detail please see the SANReN website.

Some services (e.g. vulnerability assessments) are charged for on a cost recovery basis.

3.4 Authority

The primary objective of the SANReN CSIRT is to proactively mitigate IT security-related issues affecting the SANReN network and constituency as described in the Services section. This is achieved in an advisory role. Accordingly, the team has limited/indirect authority over the constituency.

The TENET AUP defines acceptable use of the SANReN network and infringements could result in intervention by TENET.

4 Policies

4.1 Types of Incidents and Level of Support

The SANReN CSIRT does not directly handle incidents. The constituency is however welcome to contact the team for IT security related advice at any time (including during an incident). Response will be on a best effort basis depending on the current load and availability of team members.

For incident response services please contact TENET: “csirt{a}tenet.ac.za”.

4.2 Co-operation, Interaction and Disclosure of Information

The SANReN CSIRT follows the principle of responsible disclosure within the bounds of policy and legislation. The information security traffic light protocol is used to classify information handled by the CSIRT as follows:

  • TLP:RED – Not for disclosure, restricted to participants only (most sensitive)
  • TLP:AMBER – Limited disclosure, restricted to participants’ organisations on a need-to-know basis (sensitive)
  • TLP:GREEN – Limited disclosure, restricted to the community and related organisations (less sensitive)
  • TLP:WHITE – Unrestricted disclosure, public (not sensitive)
    For the SANReN CSIRT: participants = the CSIRT team member(s) involved in the exchange only, organisations = SANReN + TENET, and community = constituency.

A constituent may request that information be handled at a preferred level otherwise the CSIRT will classify at a level it deems appropriate. Where practicable, the CSIRT will seek authorisation from a constituent before sharing sensitive information, which will also be anonymised if it does not affect the value/use of the information (e.g. redaction of site identifiable information).

4.3 Communication and Authentication

In view of the types of information that the SANReN CSIRT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP should be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission. Please contact the CSIRT prior to sending sensitive information if assistance is required (for example in setting up PGP or an alternative secure mechanism).

5 Services

For reactive services (e.g. incident response and support), please contact TENET “csirt{a}tenet.ac.za”. The SANReN CSIRT offers the following services as per our website. These services are only available to the constituency (exceptions on agreement).

5.1 Vulnerability Assessments

The SANReN CSIRT offers a vulnerability scanning service to constituents. This is a process to identify, classify, report on and provide remediation advice on the security weaknesses of specific IT infrastructure. The service helps institutions identify and remedy vulnerabilities to prevent an attack/compromise. Both external and internal scans can be performed.

5.2 Announcements

The SANReN CSIRT provides an “announcements” service to highlight recent cybersecurity news including alerts/warnings (e.g. intrusions, threats), advisories (e.g. vulnerabilities, bulletins), articles (e.g. interesting news) and any other security-related information (e.g. team updates) that may be of interest to the constituency.

Mechanisms for disseminating these announcements include the CSIRT website, mailing lists and RSS feeds (accessible from the website under specific services). The mailing lists are only available to constituency representatives.

6 Incident Reporting Forms

Not applicable. Please contact “csirt{a}tenet.ac.za” for incident support.

7 Disclaimers

This information is accurate at publication date.

While every precaution will be taken in the preparation of the website, information, notifications and alerts, the SANReN CSIRT (and sponsors/affiliates) assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained therein including this document.

The key signed version can be found here.