CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

2.1. Team Name: CSIRT-CAN, Incident Response Centre of the Government of the Canary Islands, under the Directorate General for Digital Transformation of Public Services (hereinafter DGTDSP).

2.2. Address:

• C/ Rubens Marichal López 12, 38071. Santa Cruz de Tenerife
• C/ Cebrián, 3 3rd floor, 35003. Las Palmas de Gran Canaria

2.3. Time Zone: CET / CEST

2.4. Phone Number: 928 557 228 - 922 760 228

2.5. Fax Number: Not available

2.6. Other Communications: Not available

2.7. Email Addresses:

• Exchange of incident-related information: info.srv@csirtcan.org
• General enquiries: info.srv@csirtcan.org

2.8. Public Keys and information encryption: Contact email addresses and associated PGP keys are published at www.csirtcan.org

2.9. Team Members: Not available

2.10. Further Information: General information about the services provided by CCN-CERT and the organisation itself is published on the web portal: www.csirtcan.org

2.11. Office Hours: The incident response team is available during the following hours:

• Service enquiries: office hours (8:00-16:00)
• Incidents classified as low, medium or high severity: office hours (8:00-16:00)
• Incidents classified as very high or critical severity: 24x7x365.

2.12. Community contact points: Communication between the CSIRT-CAN team and the organisations it supports is carried out mainly through:

• Mailbox associated with the subject of the enquiry: www.csirtcan.org
• Phone numbers provided during the onboarding process or incident support.

3.1. Mission: CSIRT-CAN is the Information Security Incident Response Capability of the Government of the Canary Islands, attached to the DGTDSP. This service was established in 2024 as a CERT for public entities in the Canary Islands, including local entities of territorial affiliation within the Autonomous Community of the Canary Islands.

Its mission is to contribute to the improvement of cybersecurity in the Canary Islands, acting as an alert and response centre that cooperates and helps to respond quickly and efficiently to cyberattacks and to actively address cyber threats, including coordination at national level with the various Incident Response Capabilities or Cybersecurity Operations Centres for incidents of particular relevance. This fulfils the requirements of the National Security Framework, which provides that public administrations may develop their own incident response capabilities, under the coordination of the CCN, and in accordance with Royal Decree 43/2021, of 26 January, implementing Royal Decree-Law 12/2018, of 7 September, on the security of network and information systems.

All of this with the ultimate aim of achieving a safer and more reliable cyberspace, protecting classified and sensitive information, training specialist personnel, applying security policies and procedures, and deploying and developing the most appropriate technologies for this purpose.

3.2. Community served:

CSIRT-CAN envisages a phased implementation. In the first phase, services will be provided to local entities of the Canary Islands (Cabildos and Ayuntamientos); in subsequent phases, coverage will be extended to the remaining public sector of the Canary Islands.

In the case of essential services, cyber incident management will be carried out by CSIRT-CAN in coordination with other competent bodies at regional or national level.

3.3. Sponsorship / Affiliation: CSIRT-CAN is part of the DGTDSP of the Government of the Canary Islands.

3.4. Authority: The authority of CSIRT-CAN derives from the following legislation:

• Royal Decree 311/2022, of 3 May, regulating the National Security Framework.
• Royal Decree 43/2021, of 26 January, implementing Royal Decree-Law 12/2018, of 7 September, on the security of network and information systems.

4.1. Types of Incidents and Support Level:

The types of cyber incidents handled by CSIRT-CAN are set out in guide CCN-STIC-817, section 6.1 "Classification of Cyber Incidents". CSIRT-CAN collaborates with all public bodies and companies of strategic interest in the detection, notification, assessment, response, handling and lessons-learned process for information security incidents or cyber incidents that may affect their systems.

4.2. The level of support provided by CSIRT-CAN and its response time will depend on the severity level of the incident and other factors set out in Guide CCN-STIC-817 Cyber Incident Management, in accordance with the following criteria:

• Type of threat (malicious code, intrusions, fraud, etc.)
• Origin of the threat: internal or external.
• The security category of the affected systems.
• The profile of the affected users, their position in the organisational structure of the entity and, consequently, their access privileges to sensitive or confidential information.
• The number and type of affected systems.
• The impact the incident may have on the organisation, from the perspectives of information protection, service delivery, legal compliance and/or public image.
• Legal and regulatory requirements.

CSIRT-CAN also provides its Community with information on the state of cybersecurity, with the aim of reducing both technical (hardware and software) and human and organisational vulnerabilities. To this end, it periodically disseminates the following information:

• Advisories: threats/vulnerabilities detected by CSIRT-CAN itself.
• Alerts: same as the above, but with higher criticality.
• Vulnerabilities: daily updates from major vendors.
• Malicious code reports.
• Best practice reports.
• Threat reports.

4.3. Cooperation, Interaction and Information Disclosure: Information handled by CSIRT-CAN is treated with strict confidentiality in accordance with the policies and procedures for Incident Management established for CSIRT-CAN, the CCN policies and standards, and the security rules for the protection of classified information.

4.4. Communication and Authentication: The available means of communication with CSIRT-CAN are:

• Email: info.srv@csirtcan.org
• Phone numbers provided during the onboarding process or incident support.

5.1. Prevention

CSIRT-CAN carries out various activities to raise awareness and prevent incidents. These include:

1. Definition of security policies
2. Support and coordination for vulnerability management
3. Reports, alerts and advisories on new threats and vulnerabilities affecting information systems, gathered from various reputable sources, including its own.
4. Research and dissemination of best practices in information security.
5. Cybersecurity training and awareness for public employees with varying profiles and levels of expertise, as well as training and awareness for the general public.
6. Organisation of and participation in cybersecurity conferences and events.

5.2. Incident Response

CSIRT-CAN provides technical and operational support at the various stages of the incident management process: detection, analysis, notification, containment, eradication and recovery. This process includes the assessment and prioritisation (triage) of available information, its validation and verification, the collection of additional evidence required, communication with relevant parties and, finally, incident resolution.

It also advises teams on the most appropriate actions, monitors incident management and requests relevant reports (the responsible bodies issue a Cyber Incident Report detailing its root cause, its cost and the measures the organisation must take to prevent future cyber incidents of a similar nature).

5.3. Incident Coordination

CSIRT-CAN coordinates incident management with the CCN and other national and international entities.

5.4. Monitoring

CSIRT-CAN has implemented an Early Warning System (SAT) for incident detection in organisations within its community, developed by CCN-CERT.

5.5. Development of cybersecurity solutions and tools

CSIRT-CAN promotes the development of solutions that ensure the security of systems and contribute to better cybersecurity management in any organisation. These solutions focus primarily on detection, analysis, auditing and information sharing.

5.6. Forensic and malware analysis

CSIRT-CAN has the equipment and specialised staff to carry out forensic analysis of devices involved in complex incidents.

Likewise, CSIRT-CAN has the capability to perform static and dynamic analysis of malicious code samples in order to generate detection patterns.

Incidents can be reported via:

• Dedicated mailbox: info.srv@csirtcan.org
• LUCIA: Incident notification tool.
• Phone numbers provided during the onboarding process or incident support.

The CSIRT-CAN team accepts no responsibility for any misuse that may be made of the information contained herein.