Information security is about protecting the availability, integrity and confidentiality of information. It is not limited to data stored in IT systems; all valuable information, regardless of the way it is recorded or stored, needs to be safeguarded. Such data includes not only privacy-sensitive information but also research data and copyrighted materials.
The following subjects are described in more detail below: CERT (Computer Incident Response Team), network policy and responsible disclosure.
The aim of the Wageningen UR Computer Emergency Response Team (WUR-CERT) is to safeguard the IT facilities at Wageningen UR. WUR-CERT is responsible for preventing and solving any computer and network security incidents facing Wageningen UR. WUR-CERT provides the following services:
- Coordinating security incidents: organising and running a reporting centre for security incidents, coordinating and monitoring an adequate response to such incidents, including escalation to the line management or Executive Board.
- Providing information about preventing incidents and current threats. This includes passing on warnings from other CERTs, informing the management of the University in the event of national or large-scale malware attacks and enacting necessary measures at Wageningen UR.
- Making recommendations on Wageningen UR IT security aspects and security policy. WUR-CERT is authorised to give solicited and unsolicited advice to help resolve or reduce Wageningen UR-specific security problems.
The CERT team as of April 2013
Only publicly available members are listed below (in alphabetical order by last name); all others can be reached via email@example.com
- Wilfred Hoefakker (service manager)
- Remon Klein Tank (security specialist)
- Ramon Kroese (desktop specialist)
- Erik Molenaar (network specialist)
- Sander van den Steen van Ommeren (application specialist)
- Raoul Vernède (security manager)
- Edwin op de Woert (web application specialist)
For the world
In case of a security incident the preferred method for contacting the WUR-CERT is via e-mail at firstname.lastname@example.org
All other non-critical questions and remarks should be sent to the Servicedesk at email@example.com
For students and employees of Wageningen University & Research
Students and employees of Wageningen University & Research should by default report security incidents to the Servicedesk FB-IT (firstname.lastname@example.org). They will relay the message to the WUR-CERT team or a specialist. In case of confidential information or incidents with high priority WUR-CERT can be contacted by telephone through the FB-IT Servicedesk (dial 0317-488888 and ask for WUR-CERT). Outside of working hours high priority issues can be sent directly to email@example.com
Encrypting and signing
Confidential information can be encrypted using the WUR-CERT PGP key. The key can also be used to verify the digital signature of WUR-CERT. Based on our email address firstname.lastname@example.org, the key can be downloaded from well-known public key servers, specifically pgp.surfnet.nl. The WUR-CERT PGP key has the fingerprint 9A04 EDCC DA55 791D EC14 0A30 5269 787D 921F 47E6. Before downloading the key from a public key server, it is important to check that the fingerprint shown there matches this one.
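The following is an added example, not WUR-CERT's own tooling: a shell check that compares the primary-key fingerprint of a downloaded key file with the fingerprint published above before the key is imported. It assumes GnuPG is installed; the file name `wur-cert.asc` is hypothetical and the sample listing is constructed.

```sh
#!/bin/sh
# Fingerprint published on this page for the WUR-CERT key.
EXPECTED_FPR="9A04 EDCC DA55 791D EC14 0A30 5269 787D 921F 47E6"

# Remove whitespace and upper-case hex so spaced/unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# stdin: `gpg --with-colons` listing. Prints the fingerprint of every primary
# key (the fpr record that follows a pub record); subkey fpr records are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeeds only when the listing holds exactly one primary key whose
# fingerprint equals $1. Returns 2 for zero or several primary keys.
check_listing() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2
    [ "$(normalize_fpr "$found")" = "$expected" ]
}

# Constructed, abbreviated colon listing (not real gpg output for this key).
sample_listing() {
    printf '%s\n' \
        'pub:-:::5269787D921F47E6:::::::' \
        'fpr:::::::::9A04EDCCDA55791DEC140A305269787D921F47E6:' \
        'uid:-::::::::Constructed sample user ID:' \
        'sub:-:::0123456789ABCDEF:::::::' \
        'fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:'
}

# Real use (wur-cert.asc is a hypothetical file name for the downloaded key):
#   gpg --show-keys --with-colons wur-cert.asc | check_listing "$EXPECTED_FPR" \
#       && gpg --import wur-cert.asc
if sample_listing | check_listing "$EXPECTED_FPR"; then
    echo "primary fingerprint matches"
else
    echo "fingerprint mismatch: do not import"
fi
```

Matching only the primary key's fingerprint matters because a listing can contain subkey fingerprints as well, and a match on one of those says nothing about who owns the key.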
Hours of operation
The WUR-CERT's hours of operation are generally restricted to regular business hours (08:30-17:00 from Monday to Friday except public holidays in the Netherlands). Outside business hours, the mailbox will be checked on a best-effort basis at reasonable intervals.
The WUR-CERT operates in timezone CET/CEST (UTC+01:00, and UTC+02:00 from April to October).
When reporting an incident it’s important to include any relevant information, including but not limited to:
- Time/Date, including timezone (don’t forget timezone of log information)
- Location (physical or system environment)
- Repeating event, if so when and how often
- IP/URL information of source/target systems
- Error messages and log files
At Wageningen UR, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands. The WUR-CERT PGP key KeyID can be found on the CERT webpage,
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
- Do not reveal the problem to others until it has been resolved,
- Do not use social engineering, distributed denial of service, spam, applications of third parties or attacks on our physical security, and
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
What we promise:
- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date,
- If you have followed the instructions above, we will not take any legal action against you in regard to the report,
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
- We will keep you informed of the progress towards resolving the problem,
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
This Responsible disclosure is based on an example written by Floor Terra (http://responsibledisclosure.nl).