Policies

Types of Incidents and Level of Support

CERT.at is authorized to address all types of computer security incidents which occur, or threaten to occur, in our constituency and which require cross-organizational coordination.

The level of support given by CERT.at will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and CERT.at's resources at the time. Special attention will be given to issues affecting critical infrastructure.

Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. CERT.at will support those people.

CERT.at is committed to keeping its constituency informed of potential vulnerabilities, and where possible, will inform this community of such vulnerabilities before they are actively exploited.

Co-operation, Interaction and Disclosure of Information

CERT.at will cooperate with other organisations in the field of computer security. This cooperation also includes, and often requires, the exchange of vital information regarding security incidents and vulnerabilities. Nevertheless, CERT.at will protect the privacy of its constituents and will therefore (under normal circumstances) pass on information in anonymized form only, unless other contractual agreements apply.

CERT.at operates under the restrictions imposed by Austrian law. This involves careful handling of personal data as required by Austrian data protection law, but it is also possible that, according to Austrian law, CERT.at may be forced to disclose information due to a court order.

Communication and Authentication

For normal communication not containing sensitive information CERT.at will use conventional methods like unencrypted e-mail or fax.

For secure communication, PGP-encrypted e-mail or telephone will be used. If it is necessary to authenticate a person before communicating, this can be done either through existing webs of trust (e.g. FIRST, TI, …) or by other methods such as call-back, mail-back, or, if necessary, a face-to-face meeting.