-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
RFC2350 CSIRT-SPMS
- Document information
1.1. Date of last update
Version 2.1 published 2025/09/10.
1.2. Distribution list for notifications
There is no distribution channel for notifying changes to this document.
1.3. Locations where this document may be found
The updated version of this document is available at https://www.spms.min-saude.pt/rfc-2350-en/
1.4. Authenticity of this document
This document is signed with the CSIRT-SPMS PGP key.
- Contact information
2.1. Team name
Full name: SPMS Cybersecurity Incident Response Team
Short name: CSIRT-SPMS
2.2. Address
Cybersecurity Unit / CSIRT-SPMS
SPMS – Shared Services of the Ministry of Health
Av. da República 61
1050-099 Lisboa
Portugal
2.3. Time zone
Europe/Lisbon (GMT+0, GMT+1 DST)
2.4. Telephone number
+351 933 811 273 (Regular response hours: weekdays from 8 AM to 8 PM)
+351 963 033 650 (Emergency contact, outside regular response hours)
2.5. Fax
Non-existent.
2.6. Other telecommunications
Non-existent.
2.7. Electronic mail address
Reports of cybersecurity events or incidents should be sent to: csirt@spms.min-saude.pt
2.8. Public keys and other encryption information
PGP Key ID: 0x49F2C213
PGP Fingerprint: 8AC3 8A4D AD11 13A3 0F73 88F2 4002 57DF 49F2 C213
The key is available at https://www.spms.min-saude.pt/csirt-spms-pgp/
2.9. Team Members
Members: Information about team members is available by request only.
2.10. Other Information
More information about SPMS can be found at https://www.spms.min-saude.pt/
2.11. Points of Customer Contact
CSIRT-SPMS points of contact are listed in sections 2.2 and 2.4 to 2.7.
- Charter
3.1. Mission Statement
CSIRT-SPMS aims to protect the central IT infrastructures that support SPMS’s internal application services, as well as the services provided to external entities. CSIRT-SPMS also contributes to strengthening cybersecurity for entities linked to the Health Information Network (RIS), encompassing limited services for eSIS (Health Information Systems Ecosystem) consisting of entities from the Ministry of Health and National Health Service (MS/SNS).
CSIRT-SPMS coordinates incidents within its constituent community and scope of action, assisting in their resolution within the framework of internal policies.
CSIRT-SPMS contributes to improving information security across the SPMS and eSIS, promoting the adoption of good practices in this area and fostering a culture of cybersecurity.
3.2. Constituency
CSIRT-SPMS coordinates the response to cybersecurity incidents involving:
1) Information assets that constitute the core infrastructure of SPMS
2) Address space belonging to AS34873 (ACSS – Central Administration of the Health System, I.P.), as well as other specified networks.
Addresses included in the networks:
193.164.0.0/24 (AS34873)
213.13.151.0/24
194.79.78.0/23
194.79.80.0/24
194.65.16.85
3) Software produced by SPMS as a product.
Configuration, maintenance, or installation issues that are the responsibility of entities outside SPMS are NOT covered.
4) Community of internal users of SPMS IT systems.
5) Health Security Operational Coordination Element (ECOS).
Responsible for validating cybersecurity incidents reported by eSIS entities and for the centralized coordination of these incidents.
6) Limited services for the eSIS ecosystem.
3.3. Affiliation
CSIRT-SPMS is a service that is part of the Cybersecurity Unit of SPMS, EPE. This service maintains affiliations with various SOCs, CSIRTs, and CERTs in Portugal, Europe, and globally, in accordance with the needs and principles of cooperation of its mission and values.
3.4. Authority
CSIRT-SPMS is a service that is part of the Cybersecurity Unit of SPMS, EPE, whose powers are set out in Internal Regulations, approved by resolution of the Board of Directors on November 17, 2023, and ratified by the supervisory authority on November 30, 2023. In addition to this structure, responsibilities are also assigned under Order No. 1348/2017, which establishes the Health Security Operational Coordination Element (ECOS), which must ensure the operationalization of the Notification Procedure and act as a single point of contact for the Ministry of Health with the National Cybersecurity Center, and under Order No. 8877/2017, which establishes the governance model for the implementation of the health cybersecurity policy.
- Policies
4.1. Incident types and support level
CSIRT-SPMS responds to all types of cybersecurity incidents that occur within its academic community, including those that result in a security breach of the following types:
a) Abusive Content
b) Malicious Code
c) Information Gathering
d) Intrusion Attempt
e) Intrusion
f) Availability
g) Information Content Security
h) Fraud
i) Vulnerable
j) Other
The level of support given by CSIRT-SPMS varies depending on the type, severity and scope of ongoing incidents and the resources available to handle them.
4.2. Cooperation, interaction and privacy policy
CSIRT-SPMS cooperates with other entities and cooperation networks on matters related to cybersecurity and IT security. This cooperation includes the exchange of anonymized information on threats, security incidents, attack campaigns, and vulnerabilities, as well as mitigation techniques.
The SPMS privacy and data protection policy establishes that sensitive information may be transmitted to third parties only and exclusively when necessary and with the prior express authorization of the individual or entity to whom that information pertains, unless the sharing of information results from compliance with a legal obligation or court order.
4.3. Communication and authentication
Of the means of communication provided by CSIRT-SPMS, telephone and unencrypted email are considered sufficient for the transmission of non-sensitive information. For the transmission of sensitive information, the use of PGP encryption, identified in section 2.8 of this document, is mandatory.
- Services
5.1. Handling security incidents within the constituent scope
Handling security incidents is the main service provided by CSIRT-SPMS, which will always take into account the scope of the incident, including, among others:
1) Liaison and communications facilitator with internal SPMS teams and/or eSIS entities;
2) Technical security analyses and investigations;
3) Support and/or containment and eradication of security incidents;
4) Development of incident documentation;
5) Production of recommendations and follow-up actions to prevent future incidents;
6) Communication with CNCS, suppliers, etc.
5.2. Proactive security monitoring
CSIRT-SPMS ensures continuous and proactive monitoring of the security of systems, networks, and services within its scope through cyber threat intelligence tools and processes, correlation, and real-time analysis, with a view to:
1) Early detection of potential security incidents;
2) Collecting, analyzing, and sharing information on digital threats;
3) Identifying attack patterns and anomalous behavior;
4) Strengthening risk prevention and mitigation capabilities;
5) Providing actionable information for a swift and effective response.
5.3. Dissemination of security alerts
CSIRT-SPMS proposes to issue security alerts and recommendations to the entire community served and to interested parties, while also providing the information necessary for their protection and/or remediation, drawn from reliable sources and forums or from proactively gathered information.
5.4. Coordination of incident response within the eSIS community
Within the scope of the responsibilities of the Health Operational Security Coordination Element (ECOS) (Order No. 1348/2017), CSIRT-SPMS is responsible for the centralized coordination of incidents within eSIS.
This includes the total or partial, temporary or permanent interruption of services when necessary to protect other entities, the RIS, or the internet in general.
5.5. Cybersecurity support for the eSIS community
Cybersecurity support for the eSIS community provides, on a best-effort basis, specialised technicians from CSIRT-SPMS to analyse and respond to local cybersecurity incidents. Depending on specific needs, this support may include, among other things:
1) Malicious code analysis;
2) Traffic analysis;
3) Forensic analysis of machines or hardware;
4) Production of recommendations to prevent similar incidents in the future;
5) Support in the local application of mitigation and resolution measures.
5.6. Other proactive cybersecurity activities
Proactive activities include the following:
1) Design, development, installation, configuration and implementation, support and maintenance of technical security solutions;
2) Vulnerability analyses and security audits (pentests);
3) Threat hunting;
4) Training on responding to security incidents;
5) Workshops and awareness campaigns on information security and cybersecurity issues.
5.7. Cooperation and Information Sharing
CSIRT-SPMS ensures participation in various networks and forums for cooperation and information sharing at all levels, between SOCs, CSIRTs, CERTs, and similar entities, as well as with other organizations.
CSIRT-SPMS also ensures the representation of the health sector in these cybersecurity forums and initiatives, ensuring that the specific characteristics and critical needs of the sector are duly reflected.
This service aims to contribute to anticipation and proactivity, resulting from the sharing of information and intelligence on threats, and to improve the overall security posture.
- Incident reporting forms
No forms are available for this purpose.
- Safeguarding of liability
Although all precautions are taken in the preparation of the information disclosed in the Internet portal or through distribution lists, CSIRT-SPMS assumes no responsibility for errors or omissions, or for damages resulting from the use of this information.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----