CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

CSIRT-CAN RFC 2350

1. Document Information

1.1. Date of last update: version 1.0, published on 3 July 2025.

1.2. Distribution Lists: There is no distribution channel for notifying changes to this document. Changes are announced via notification at: www.csirtcan.org

1.3. Document Location: The latest version of the document is published at:

  • Spanish
  • English
  • German

1.4. Document Authentication: This document has been digitally signed by CSIRT-CAN.

2. Contact Information

2.1. Team Name: CSIRT-CAN, Canary Islands Government Incident Response Centre, under the Directorate-General for Digital Transformation of Public Services (hereinafter DGTDSP).

2.2. Address:

  • C/ Rubens Marichal López 12, 38071. Santa Cruz de Tenerife
  • C/ Cebrián, 3 3ª planta, 35003. Las Palmas de Gran Canaria 

2.3. Time Zone: CET / CEST

2.4. Telephone Number: 928 557 228 - 922 760 228

2.5. Fax Number: Not available

2.6. Other Communications: Not available

2.7. Email Addresses:

  • Exchange of information regarding incidents: info.srv@csirtcan.org
  • General enquiries: info.srv@csirtcan.org

2.8. Public Keys and Information Encryption: Contact emails and associated PGP keys are published at www.csirtcan.org

2.9. Team Members: Not available

2.10. Further Information: General information about the services provided by CCN-CERT and about the organisation itself is published on the website: www.csirtcan.org

2.11. Hours of operation: The incident response team is available during the following hours:

  • Service enquiries: office hours (8:00 a.m. to 4:00 p.m.)
  • Incidents classified as low, medium or high risk: office hours (8:00 a.m. to 4:00 p.m.)
  • Incidentes catalogados con peligrosidad muy alta o crítica: 24/7/365.

2.12. Points of contact for the community: Communication between the CSIRT-CAN Team and the organisations it supports is mainly carried out through:

  • Email address associated with the subject matter to be consulted: www.csirtcan.org
  • Telephone numbers provided during the membership process or incident support.

3. Constitution

3.1. Mission: CSIRT-CAN is the Information Security Incident Response Capability of the Government of the Canary Islands, attached to the DGTDSP. This service was created in 2024 as a CERT for public entities in the Canary Islands, including local entities with territorial affiliation in the Autonomous Community of the Canary Islands.

Its mission is to contribute to the improvement of cybersecurity in the Canary Islands, acting as an alert and response centre that cooperates and helps to respond quickly and efficiently to cyberattacks and actively tackle cyberthreats, including coordination at national level with the various Incident Response Capabilities or Cybersecurity Operations Centres that exist for incidents of particular relevance. This complies with the National Security Scheme, which provides for public administrations to develop their own incident response capabilities, under the coordination of the CCN, and with Royal Decree 43/2021 of 26 January, which implements Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems.

All this with the ultimate aim of achieving a more secure and reliable cyberspace, preserving classified and sensitive information, training expert personnel, applying security policies and procedures, and employing and developing the most appropriate technologies for this purpose.

3.2. Community served:

The CSIRT-CAN plans to implement the service in phases. In the first phase, services will be provided to local entities in the Canary Islands (island councils and town councils), and in subsequent phases, they will be extended to the rest of the public sector in the Canary Islands.

In the case of essential services, cyber incidents will be managed by the CSIRT-CAN in coordination with the other competent entities at the regional or national level.

3.3. Sponsorship / Affiliation: The CSIRT-CAN is part of the DGTDSP of the Government of the Canary Islands.

3.4. Authority: The authority of the CSIRT-CAN derives from the following legislation:

  • Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.
  • Royal Decree 43/2021, of 26 January, implementing Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems.

4. Policies

4.1. Type of incidents and level of support:

The types of cyber incidents handled by CSIRT-CAN are listed in section 6.1, ‘Classification of cyber incidents,’ of the CCN-STIC-817 guide. CSIRT-CAN collaborates with all public bodies and companies of strategic interest in the detection, notification, assessment, response, handling and learning from information security incidents or cyber incidents that may affect their systems.

4.2. The level of support provided by CSIRT-CAN and its response time will depend on the level of danger of the incident and other factors set out in the CCN-STIC-817 Cyber Incident Management Guide, according to the following criteria:

  • Type of threat (malicious code, intrusions, fraud, etc.)
  • Origin of the threat: internal or external.
  • The security category of the affected systems.
  • The profile of the affected users, their position in the organisational structure of the entity and, consequently, their access privileges to sensitive or confidential information.
  • The number and type of affected systems.
  • The impact that the incident may have on the organisation from the points of view of information protection, service provision, legal compliance and/or public image.
  • Legal and regulatory requirements.

CSIRT-CAN also provides information on the state of cybersecurity to its community, with the aim of reducing technical (hardware and software), human and organisational vulnerabilities. To this end, it periodically reports the following information:

  • Alerts: threats/vulnerabilities detected by CSIRT-CAN itself.
  • Alerts: same as above, but with a higher criticality.
  • Vulnerabilities: daily from major manufacturers.
  • Malicious code reports.
  • Best practice reports.
  • Threat reports.

4.3. Cooperation, Interaction and Dissemination of Information: The information handled by CSIRT-CAN is treated with absolute confidentiality in accordance with the Incident Management policies and procedures established for CSIRT-CAN, the CCN policies and standards, and the security standards for the protection of classified information.

4.4. Communication and Authentication: The means available for communication with CSIRT-CAN are:

  • Email: info.srv@csirtcan.org
  • Telephone numbers provided during the membership process or incident support.

5. Services

5.1. Prevention

The CSIRT-CAN carries out various activities to raise awareness and prevent incidents. These include:

  1. Definition of security policies
  2. Support and coordination for the treatment of vulnerabilities
  3. Reports, alerts and warnings about new threats and vulnerabilities in information systems, compiled from various reputable sources, including its own.
  4. Research and dissemination of best practices in information security.
  5. Training and awareness-raising on cybersecurity for public employees with different profiles and levels of training. And training and awareness-raising for the general public.
  6. Organisation of and participation in cybersecurity conferences and congresses.

5.2. Incident Response

The CSIRT-CAN offers technical and operational support at the different stages of the incident management process: detection, analysis, notification, containment, eradication and recovery. This process includes evaluating and prioritising the available information (triage), validating and verifying it, gathering any additional evidence that may be necessary, communicating with the relevant parties and, finally, resolving the incident.

It also advises teams on the most appropriate actions to take, monitors the management of the incident and requests the relevant reports (those responsible for the organisation issue a Cyber Incident Report detailing its root cause, its cost and the measures the organisation must take to prevent future cyber incidents of a similar nature).

5.3. Incident Coordination

CSIRT-CAN coordinates incident management with CCN and other national and international entities. 

5.4. Monitoring

CSIRT-CAN has implemented an Early Warning System (EWS) for detecting incidents in organisations within its community, developed by CCN-CEST.

5.5. Development of cybersecurity solutions and tools

CSIRT-CAN promotes the development of solutions that guarantee system security and contribute to better cybersecurity management in any organisation. These solutions focus mainly on detection, analysis, auditing and information exchange.

5.6. Forensic and malware analysis

CSIRT-CAN has specialised equipment and personnel to perform forensic analysis of equipment involved in complex incidents.
Similarly, CSIRT-CAN has the capacity to perform static and dynamic analysis of malicious code samples to generate detection patterns.

6. Ways to report incidents

Incidents can be reported via:

  • Specific email address: info.srv@csirtcan.org
  • LUCIA: Incident reporting tool.
  • Telephone numbers provided during the membership process or incident support.

7. Disclaimer

The CSIRT-CAN Team is not responsible for any misuse of the information contained herein.