RFC2350 CSIRT-SPMS
1. Document information
1.1. Date of last update
Version 2.0 published 2025/08/06.
1.2. Distribution list for notifications
There is no distribution channel to notify changes to this document.
1.3. Locations where this document may be found
The updated version of this document is available at https://www.spms.min-saude.pt/rfc-2350-en/
1.4. Authenticity of this document
This document is signed with the CSIRT-SPMS PGP key.
2. Contact information
2.1. Team name
Full name: SPMS Cybersecurity Incident Response Team
Short name: CSIRT-SPMS
2.2. Address
Cybersecurity Unit / CSIRT-SPMS
SPMS – Shared Services of the Ministry of Health
Av. da República 61
1050-099 Lisboa
Portugal
2.3. Time zone
Europe/Lisbon (GMT+0, GMT+1 DST)
2.4. Telephone number
+351 933 811 273 (Regular response hours: weekdays from 8 AM to 8 PM)
+351 963 033 650 (Emergency contact, outside regular response hours)
2.5. Fax
Non-existent.
2.6. Other telecommunications
Non-existent.
2.7. Electronic mail address
Computer security incident reports should be sent to: csirt@spms.min-saude.pt
2.8. Public keys and other encryption information
PGP Key ID: 0x49F2C213
PGP Fingerprint: 8AC3 8A4D AD11 13A3 0F73 88F2 4002 57DF 49F2 C213
The key is available at https://www.spms.min-saude.pt/csirt-spms-pgp/
2.9. Team Members
Members: Information about team members is available by request only.
2.10. Other Information
More information about SPMS can be found at https://www.spms.min-saude.pt/
2.11. Points of Customer Contact
CSIRT-SPMS points of contact are listed in sections 2.2, 2.4 to 2.7.
3. Charter
3.1. Mission Statement
CSIRT-SPMS aims to protect the central IT infrastructures that support SPMS’s internal application services, as well as the services provided to external entities. To this end, CSIRT-SPMS coordinates incidents within its constituent community and scope of action, assisting in their resolution, within the framework of internal policies, namely the Information Security Policy and Incident Handling Policy.
CSIRT-SPMS contributes to improving information security across the entire SPMS, promoting the adoption of good internal practices in this area and fostering a culture of cybersecurity.
3.2. Constituency
CSIRT-SPMS coordinates the response to cybersecurity incidents involving:
1) Information assets that constitute the core infrastructure of SPMS
2) Address space belonging to AS34873 (ACSS – Central Administration of the Health System, I.P.), as well as other specified networks.
Addresses included in the networks:
193.164.0.0/24 (AS34873)
213.13.151.0/24
194.79.78.0/23
194.79.80.0/24
194.65.16.85
3) Software produced by SPMS as a product.
Configuration, maintenance, or installation issues that are the responsibility of entities outside SPMS are NOT covered.
4) Community of internal users of SPMS IT systems.
5) Health Security Operational Coordination Element (ECOS).
Responsible for validating cybersecurity incidents reported by MS/SNS entities, for the centralised coordination of these incidents within eSIS (Health Information Systems Ecosystem), and for the subsequent mandatory centralised notification through CNCS communication channels.
6) Limited services for the community of institutions, hospitals and ULS health centres
Best effort support for eSIS, with the exception of the email service provided by SPMS to eSIS, which is considered a central service and is therefore covered by the point ‘Information assets that constitute the central infrastructure or are under the management of SPMS’ above.
3.3. Filiation
CSIRT-SPMS is a service that is part of the Cybersecurity Unit of SPMS, EPE.
3.4. Authority
CSIRT-SPMS is a service that is part of the Cybersecurity Unit of SPMS, EPE, whose powers are set out in the Internal Regulations, approved by resolution of the Board of Directors on 17 November 2023 and ratified by the supervisory authority on 30 November 2023. In addition to this structure, responsibilities are also assigned under Order No. 1348/2017, which establishes the Health Security Operational Coordination Element (ECOS), which must ensure the operationalisation of the Notification Procedure and act as a single point of contact for the Ministry of Health with the National Cybersecurity Centre, and under Order No. 8877/2017, which establishes the governance model for the implementation of the health cybersecurity policy.
4. Policies
4.1. Incident types and support level
CSIRT-SPMS responds to all types of cybersecurity incidents that occur within its academic community, including those that result in a security breach of the following types:
a) Abusive Content
b) Malicious Code
c) Information Gathering
d) Intrusion Attempt
e) Intrusion
f) Availability
g) Information Content Security
h) Fraud
i) Vulnerable
j) Other
The level of support given by CSIRT.UMinho varies depending on the type, severity and scope of ongoing incidents and the resources available for its treatment.
4.2. Cooperation, interaction and privacy policy
The SPMS privacy and data protection policy stipulates that sensitive information may be disclosed to third parties solely and exclusively when necessary and with the express prior authorisation of the individual or entity to whom that information relates.
4.3. Communication and authentication
Of the means of communication provided by CSIRT-SPMS, telephone and unencrypted email are considered sufficient for the transmission of non-sensitive information. For the transmission of sensitive information, the use of PGP encryption, identified in section 2.8 of this document, is mandatory.
5. Services
5.1. Handling security incidents within the constituent scope
Handling security incidents is the main service provided by CSIRT-SPMS, which will always take into account the scope of the incident, including, among others:
1) Coordination and facilitation of communications with internal SPMS teams and/or other entities such as CNCS, suppliers, MS/SNS entities, etc.;
2) Technical security analyses and investigations;
3) Support and/or containment and eradication of security incidents;
4) Development of incident documentation;
5) Production of recommendations and follow-up actions to prevent future incidents.
A cybersecurity incident is defined as:
1) Any security event that is likely to impact assets within the scope of CSIRT-SPMS must be submitted for investigation by CSIRT.
2) Alerts of imminent attacks (e.g. hacktivism warnings, public DoS, manifestos, alerts and warnings from authorities – CNCS, police forces or other credible sources).
3) Recurring security events related to a specific system (high severity).
4) High number of SPMS systems affected by a security event
5) Security events within the scope of CSIRT-SPMS reported by accredited external sources.
5.2. Dissemination of security alerts
CSIRT-SPMS proposes to issue security alerts and recommendations to the entire community served and to interested parties, also providing the information necessary for their protection and/or remediation through sources such as NCSC-PT and other national authorities, as well as information proactively gathered, received and published from other reliable sources and forums.
5.3. Coordination of incident response within the eSIS community
Within the scope of the responsibilities of the Health Operational Security Coordination Element (ECOS) (Order No. 1348/2017), CSIRT-SPMS is responsible for the centralised coordination of incidents within eSIS, which includes:
1) Screening incident notifications, technical and forensic analysis;
2) Liaising with the entities involved;
3) Implementing mitigation and/or resolution measures at the central level;
4) Producing recommendations for mitigation and/or resolution of the incident at the local level;
5) Reporting incidents to the NCSC-PT.
5.4. Cybersecurity support for the eSIS community
Cybersecurity support for the eSIS community provides, on a best-effort basis, specialised technicians from CSIRT-SPMS to analyse and respond to local cybersecurity incidents. Depending on specific needs, this support may include, among other things:
1) Malicious code analysis;
2) Traffic analysis;
3) Forensic analysis of machines or hardware;
4) Production of recommendations to prevent similar incidents in the future;
5) Support in the local application of mitigation and resolution measures.
5.5. Proactive cybersecurity activities
Proactive activities include the following:
1) Proactive monitoring of security events using technological tools to detect malicious activity;
2) Threat hunting;
3) Design, development, installation, configuration and implementation, support and maintenance of technical security solutions;
4) Vulnerability analyses and security audits (pentests);
5) Training on responding to security incidents;
6) Workshops and awareness campaigns on information security and cybersecurity issues.
5.6. Cooperation and Information Sharing
CSIRT-SPMS considers cooperation and information sharing at all levels to be extremely important, between CERTs, CSIRTs, SOCs and similar entities, as well as with other organisations. This service aims to contribute to anticipation and proactivity, resulting from the sharing of information and intelligence on threats, and to improve overall security posture.
This service aims to develop and promote platforms, frameworks and databases for information sharing, creating bonds of cooperation between CSIRT-SPMS and its constituents and other entities.
6. Incident reporting forms
No forms are available for this purpose.
7. Safeguarding of liability
Although all precautions are taken in the preparation of the information disclosed in the Internet portal or through distribution lists, CSIRT.UMinho assumes no responsibility for errors or omissions, or for damages resulting from the use of this information.