1 Document information

This document describes the response to and handling of computer security incidents by SOC ESKOM, in the format defined by RFC 2350.

1.1 Date of last update

This is version 1.1, published on 02 August 2023.

1.2 Distribution list for notifications

SOC ESKOM does not currently use any distribution list to notify about changes to this document.

1.3 Locations where the document is available

The current version of the document "RFC 2350 for SOC ESKOM" is available at:
https://eskom.eu/RFC2350-en.txt

1.4 Authentication of this document

This document has been signed with the SOC ESKOM PGP key described in section 2.8. SHA256 checksums of the file can be found at:
https://eskom.eu/soc-en.sha

2 Contact information

2.1 Team name

SOC ESKOM

2.2 Address

ESKOM IT Sp. z o.o.
543 Pulawska Street
02-844 Warsaw, Poland

2.3 Time zone

Central European Time, UTC+1
Central European Summer Time, UTC+2 (from the last Sunday in March to the last Sunday in October)

2.4 Telephone number

+48 22 100 55 79

2.5 Fax number

Not applicable.

2.6 Other communication

Not applicable.

2.7 E-mail address

The address dbi@eskom.eu is used to contact the team.

2.8 Public keys and encryption information

GPG key of SOC ESKOM:
  User ID:     SOC ESKOM
  Key ID:      8BDE AD5A 3F77 8E0A
  Key type:    RSA
  Key size:    4096
  Expires:     never
  Fingerprint: 336029BE91BA6F9281C4C1556A49A759F681889E

Note that the Key ID listed above is not the low 64 bits of the fingerprint (those are 6A49A759F681889E); when checking the key, compare the full fingerprint rather than the Key ID.

The key is available at: https://www.eskom.eu/soceskom.asc
Document signature file: https://www.eskom.eu/RFC2350-en.txt.sig

2.9 Team members

The SOC ESKOM team consists of practitioners and security engineers with many years of experience in IT security, holding certifications such as ISO 27001, ISO 22301, CISA, CISM, CISSP, OSCP and CEH, among others.

2.10 Other information

General information about ESKOM IT Sp. z o.o. can be found at https://eskom.eu/.

2.11 Additional contact information

The preferred method of contacting SOC ESKOM is by e-mail to dbi@eskom.eu.
All e-mails sent to this address are forwarded to the person on duty. If e-mail cannot be used (or is inadvisable for security reasons), SOC ESKOM can be contacted by telephone during normal office hours (08:00 - 16:00, Mon - Fri).

3 Charter

3.1 Mission Statement

SOC ESKOM's mission is to support private and public customers in responding to and handling computer security incidents.

3.2 Constituency

The constituency of SOC ESKOM consists of the private and public customers with whom ESKOM IT Sp. z o.o. has concluded an agreement covering support in responding to computer security incidents.

3.3 Sponsorship and/or Affiliation

SOC ESKOM operates as part of ESKOM IT Sp. z o.o.

3.4 Authority

SOC ESKOM operates under the direction and authority of the Management Board of ESKOM IT Sp. z o.o., on the basis of contracts concluded with customers.

4 Policies

4.1 Types of incidents and level of support

The level of support provided by SOC ESKOM depends on the type, severity and scope of the incident. SOC ESKOM classifies incidents according to the contracts concluded with its customers.

4.2 Co-operation, interaction and disclosure of information

Information related to the handling of incidents is treated as confidential and is protected under the customer contracts and confidentiality agreements. Such information may be shared with interested third parties (e.g. a CSIRT or CERT) in anonymised form, and only for the purpose of handling the incident.

4.3 Communication and authentication

SOC ESKOM protects the information it obtains in accordance with the applicable laws and its internal rules on information classification (including those arising from its ISO 27001 ISMS). To guarantee the confidentiality and integrity of communication, SOC ESKOM recommends the use of PGP with the key described in section 2.8. All sensitive information transmitted to the team should be encrypted.
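The check that sections 1.4 and 2.8 describe, written out as an added POSIX shell example (this is not part of the SOC ESKOM document and not the team's own tooling): it verifies a downloaded copy of RFC2350-en.txt against the detached signature, pins the signing key to the published fingerprint instead of trusting GnuPG's "Good signature" alone, and then checks the file against the SHA256 list. It assumes GnuPG 2.1 or later (for gpgconf and the VALIDSIG status line), sha256sum or openssl on the PATH, that the four files have been fetched under the names in their URLs, and that soc-en.sha is in sha256sum format (hex digest, two spaces, file name); the document does not state that file's layout.

```shell
#!/bin/sh
# Added example: verify RFC2350-en.txt against its PGP signature and SHA256 list.
# URLs are those published in sections 1.3, 1.4 and 2.8; the layout of
# soc-en.sha as "sha256sum" output is an assumption.
set -u

DOC_URL=https://eskom.eu/RFC2350-en.txt
SIG_URL=https://www.eskom.eu/RFC2350-en.txt.sig
KEY_URL=https://www.eskom.eu/soceskom.asc
SHA_URL=https://eskom.eu/soc-en.sha
# Fingerprint from section 2.8. The key file and this document come from the
# same web server, so compare the fingerprint with a copy obtained out of band
# (e.g. from a signed contract) before relying on it.
EXPECTED_FPR=336029BE91BA6F9281C4C1556A49A759F681889E

# Hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

# verify_checksum DOC SHAFILE: succeed if DOC's digest is listed in SHAFILE.
# This only proves the two downloads are consistent; the signature is what
# authenticates the document.
verify_checksum() {
  digest=$(sha256_of "$1") || return 2
  grep -qi "^$digest" "$2"
}

# verify_signature DOC SIG KEYFILE FPR: import KEYFILE into a throwaway
# keyring, check that SIG is a valid signature over DOC, and check that the
# primary fingerprint of the signing key equals FPR. GnuPG's exit status alone
# is not enough: any key in the keyring would produce a "Good signature".
verify_signature() {
  doc=$1; sig=$2; keyfile=$3
  want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
  home=$(mktemp -d) || return 2
  chmod 700 "$home"
  gpg --batch --quiet --homedir "$home" --import "$keyfile" 2>/dev/null \
    || { rm -rf "$home"; return 2; }
  # --status-fd emits machine-readable lines; VALIDSIG carries the fingerprints.
  status=$(gpg --batch --homedir "$home" --status-fd 1 --verify "$sig" "$doc" 2>/dev/null)
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
  rm -rf "$home"
  # [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash-algo> <class> <primary-fpr>
  # Field 12 is the primary key's fingerprint, even when a subkey made the signature.
  got=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $12; exit}')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Typical use, after fetching the four files over HTTPS:
#   curl -fsSLO "$DOC_URL"; curl -fsSLO "$SIG_URL"; curl -fsSLO "$KEY_URL"; curl -fsSLO "$SHA_URL"
#   verify_signature RFC2350-en.txt RFC2350-en.txt.sig soceskom.asc "$EXPECTED_FPR" && echo "signature OK"
#   verify_checksum RFC2350-en.txt soc-en.sha && echo "checksum OK"
```

Both functions return 0 only on a positive result, so they can be chained in a script. A throwaway keyring is used on purpose: importing the key into a personal keyring and then running a bare gpg --verify would also accept any other key already present there, which is why the VALIDSIG fingerprint is compared against the published value.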
5 Services

SOC ESKOM provides Security Operations Centre services in an "as-a-service" (SOCaaS) model, which includes incident response. More information on cyber security services can be found at https://eskom.eu/technologie.

5.1 Incident response

SOC ESKOM's incident response process consists of four steps:
  1) Preparation,
  2) Detection and analysis of incidents,
  3) Containment, eradication and recovery,
  4) Post-incident activity and lessons learned.

5.2 Proactive activities

The proactive activities of SOC ESKOM are:
  1) Building users' security awareness,
  2) Conducting vulnerability assessments and social-engineering tests,
  3) Implementation of security solutions,
  4) Maintenance and development of security solutions,
  5) Issuing vulnerability and threat warnings.

5.3 Incident reporting forms

No incident reporting form has been developed for SOC ESKOM. Incident reports can be sent to dbi@eskom.eu. We recommend using the PGP key described in section 2.8 to encrypt any private or confidential information. When contacting SOC ESKOM, please provide:
  1) Contact details of the person/organisation (name, role, e-mail, telephone number),
  2) A brief summary of the incident,
  3) Details of the incident: in which system(s) it was observed and which systems were affected,
  4) The observed impact of the incident on the organisation's operations,
  5) Any additional information gathered and actions taken so far.

5.4 Disclaimers

Although every precaution has been taken in the preparation of the information, notices and warnings, SOC ESKOM shall not be liable for any errors or omissions, nor for any damages arising from the use of the information contained therein.