Mandate (RFC 2350) of the Educational Computer Emergency Response Team CSIRT-ED of ISCIP Igor Sikorsky Kyiv Polytechnic Institute

1. Document Information

This document provides a description of CSIRT-ED in accordance with RFC 2350. It includes core information about CSIRT-ED, its communication channels, as well as its roles and responsibilities.

1.1. Date of Last Update

This document was updated on December 20, 2024. Version 1.0.

1.2. Distribution List

CSIRT-ED does not intend to make frequent changes to this document; please refer to Section 1.3 for downloads.

1.3. Location of the Document

The current version of this document can be found at the following link: https://iszzi.kpi.ua/csirt/assets/files/rfc2350.txt

1.4. Document Authenticity

This document is signed with the CSIRT-ED PGP key. For additional information, see Section 2.8.

1.5. Document Identification

Title: rfc2350.txt
Version: 1.0
Document Date: December 2024
Expiration: This document remains valid until it is replaced by a new version.

2. Contact Information

2.1. Name of the Team

Educational Computer Emergency Response Team of the Institute of Special Communications and Information Protection National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute” (hereinafter referred to as the Institute)
Short name: CSIRT-ED.

2.2. Address

ISCIP Igor Sikorsky Kyiv Polytechnic Institute, CSIRT-ED
03056, Kyiv, Verkhnoklyuchova St., 4
Ukraine

2.3. Time Zone

Time Zone: Europe/Kyiv (GMT+2)

2.4. Telephone Number

+38 (044) 204-91-51

2.5. Facsimile Number

None

2.6. Other Telecommunication

None

2.7. Electronic Mail Address

Team Email Address: csirt-ed@iszzi.kpi.ua
Working Days/Hours: 08:00 to 17:00, Monday to Friday

2.8. Public Keys and Encryption

PGP/GPG is supported for secure communication.

PGP User ID: CSIRT-ED csirt-ed@iszzi.kpi.ua
PGP ID: 0xE5ECC8E2727EE1F3
Key type: RSA
Key size: 4096
Expires: November 6, 2029
Fingerprint: 6C72 4F73 E088 0C91 BC5E 8E39 E5EC C8E2 727E E1F3
Location: https://iszzi.kpi.ua/csirt/assets/files/csirt-ed.asc

2.9. Team Members

The head of the CSIRT-ED team is Igor Subach, Doctor of Technical Sciences, Professor, Head of Special Department No. 5 of the Institute. CSIRT-ED is an external structure with 9 permanent team members. The full list of CSIRT-ED team members is not available due to confidentiality reasons.

3. Charter

3.1. Mission Statement

The organization and provision of cybersecurity for the Institute's constituency through monitoring, detection, and rapid response to cyber incidents, as well as enhancing the effectiveness of personnel training in the field of cybersecurity by involving Institute students in the team's activities under the supervision of permanent CSIRT-ED team members.

3.2. Constituency

The constituency of CSIRT-ED is the Institute's community. The scope of responsibility covers networks connected to the Institute's Educational Cybersecurity Situation Center.

3.3. Sponsoring Organization / Affiliation

CSIRT-ED is an external structure within the Institute. The Institute covers all operational costs related to the functioning of CSIRT-ED, providing premises, communication, as well as networks and technical resources within the Institute's Educational Cybersecurity Situation Center.

3.4. Authority

CSIRT-ED was established in 2024. Its activities are regulated by the Regulations on the Educational Computer Emergency Response Team CSIRT-ED of the Institute of Special Communication and Information Protection of the National Technical University of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute” approved by the Institute's Order No. 257 on December 20, 2024.

4. Policies

4.1. Types of Incidents and Level of Support

CSIRT-ED is authorized to handle all types of cybersecurity incidents that occur or may occur in client networks. The level of support provided by CSIRT-ED depends on the type, severity, and scale of the current incidents, as well as the resources available to address them.

4.2. Co-operation, Interaction and Disclosure of Information

CSIRT-ED places great importance on operational cooperation and information sharing between CSIRTs, CERTs, and other organizations that may contribute to the development of their services or benefit from them. CSIRT-ED operates within the legal framework of Ukraine.

4.3. Communication and Authentication

CSIRT-ED protects confidential information in accordance with the relevant rules and policies in Ukraine. Email and phone communication are considered sufficiently secure methods for transmitting non-confidential data in an unencrypted form. Communication security (encryption and authentication) is achieved through various means: email encryption based on PGP or other agreed methods, depending on the sensitivity and context. CSIRT-ED adheres to the general rules for the exchange of cybersecurity incident information (Traffic Light Protocol, TLP) and processes it accordingly.

5. Services

5.1. Incident Response

CSIRT-ED supports the Institute's constituency in handling cybersecurity incidents. The capabilities of CSIRT-ED cover the entire incident response process:
- preparation;
- detection and analysis;
- containment, eradication and recovery;
- conclusion drafting, analysis of collected evidence, and recommendations.

5.1.1. Incident Triage

- verification of whether an incident has actually occurred;
- determination of the scope and priority of the incident.

5.1.2. Incident Coordination

- identification of the root cause of the incident (vulnerability exploited);
- analysis of artifacts and digital forensics data;
- communication with parties involved in the incident to investigate the incident and take appropriate actions;
- creation of reports;
- user notifications, if necessary;
- facilitation of contact with the Institute's security administrators.

5.1.3. Incident Resolution

- providing recommendations for mitigating existing vulnerabilities and the consequences of a cybersecurity incident;
- direct participation in addressing vulnerabilities and the consequences of a cybersecurity incident, if possible;
- assisting in the collection of evidence and interpretation of data for notifying the government incident response team CERT-UA about the incident.

5.2. Proactive Activities

CSIRT-ED coordinates and supports the following services, to the extent possible, depending on available resources:

Situational Awareness:
- collection and analysis of cybersecurity threat data using honeypots;
- monitoring various sources reporting on cyber incidents;
- monitoring open sources for potential cybersecurity threats, information operations planning, confidential information leakage, and updating databases of information resources involved in cybersecurity activities;
- analysis and dissemination of collected information;
- communication with the constituency to prevent repeat attacks.

Knowledge Transfer:
- raising awareness of the constituency by disseminating information about cyber incidents;
- professional development of the team members through participation in cybersecurity events (courses, CTF competitions, hackathons), and practicing skills on various cybersecurity training platforms;
- development, implementation, and testing of scenarios for the cybersecurity training platform of the Institute's Educational Situational Cybersecurity Center;
- collecting information about incidents processed by the team in the MISP (Malware Information Sharing Platform) system;
- organizing practical training exercises for students as part of the team.

6. Incident Reporting Forms

CSIRT-ED does not provide a public form for reporting incidents. Any member of the Institute's constituency can submit information about security incidents, threats, or related information by filling out the template provided on the CSIRT-ED website and sending it via email, including encrypted email, to csirt-ed@iszzi.kpi.ua. The cyber incident reporting template is available at the following link: https://iszzi.kpi.ua/csirt/assets/files/incident-report-template.docx

7. Disclaimers

This document is provided "as is" and does not imply any guarantee of services by CSIRT-ED. While all necessary measures will be taken to prepare and distribute security information and alerts, CSIRT-ED does not accept any liability to external (non-institute) organizations or users for errors, omissions, or damages arising from the use of the information provided in this document or our security notifications.