
Iscte SOC Scope and RFC2350


This document defines, in detail and in accordance with the definition of RFC2350 – “Expectations for Computer Security Incident Response”, the scope of the SOC (Security Operations Center) of “ISCTE – INSTITUTO UNIVERSITÁRIO DE LISBOA” (hereinafter referred to as ISCTE), and the CSIRT (Computer Security Incident Response Team) that is an integral part of it, as well as other relevant information.

2.1 Publication of Policies and Procedures

The definition and specification of policies and procedures concerning the Iscte SOC service and its CSIRT are detailed in the document entitled “Security Incident Response Plan” of Iscte.

The SOC service is not only responsible for the continuous implementation of policies and processes for monitoring Information Security Incidents (hereinafter referred to as Incident(s)) in the Iscte infrastructure and its components, but also for the implementation and maintenance of real-time detection mechanisms and response procedures.

2.2 Relationships between Different CSIRTs

The Iscte SOC service is the internal entity that should serve as the point of contact for all communications with CSIRTs of other organizations or institutions and is also responsible for monitoring the lifecycle of all Incidents reported by them that are within the scope of Iscte.

2.3 Establishment of Secure Communications

Information security is an indispensable criterion for the functioning of the SOC service. Therefore, all stakeholders in the incident response process need well-established secure communication channels.

These communication channels are defined and listed in Chapter 6 of the document entitled “Security Incident Response Plan” of Iscte.

Public information on the PGP key associated with the mailbox of the email address for reporting incidents (Preferred Contact Method) can be found in the section “Information on Public Keys and Ciphers”.

3.1 Access to the Document

The updated version of this document must be made available to all Iscte employees who belong to a department or section that:

        • is involved in the incident response process;
        • has been previously defined; and/or
        • is one of the stakeholders in the service.

3.1.1 Last Updated

Last updated on January 22, 2026.

3.1.2 Distribution List for Notifications

Any changes to this document will be communicated by sending an email to all interested and involved parties present on the distribution list defined for this purpose, below:

            • Iscte SOC (soc@iscte-iul.pt);
            • SIIC Director;
            • URS Coordinator;
            • SDSI Coordinator;
            • UAI Coordinator;
            • Data Protection Officer;
            • Legal Representative;
            • Communication Manager; and
            • CNCS (cncs@cncs.gov.pt)

3.1.3 Document Location

The updated version of the document describing the Iscte SOC service, in accordance with RFC2350, is published at:

            • https://informatica.iscte-iul.pt/en/cybersecurity/rfc2350/

3.1.4 Document Authenticity

This document was signed with the Iscte SOC PGP key.

            • User ID: SOC ISCTE-IUL <soc@iscte-iul.pt>
            • Fingerprint: 7EE6 FE47 80EA D304 923A 2BDD D261 3476 A184 7050
            • Key type: RSA/4096
            • Available at: https://pgp.surf.nl/pks/lookup?op=get&search=0xD2613476A1847050

In order to validate the authenticity of this document, a plaintext version, signed with this PGP key, is available. That version can be found at https://informatica.iscte-iul.pt/rfc2350-iscte-assinado/.

3.2 Contact Information

3.2.1 Team Name

ISCTE SOC

3.2.2 Address

Av.ª das Forças Armadas, 1649-026 Lisboa, Portugal

3.2.3 Time zone

UTC/GMT Lisbon, London, Dublin – WEST (Western European Summer Time)

3.2.4 Office Hours

The ISCTE SOC service operates during normal business hours, between 9 am and 6 pm.

3.2.5 Phone

+351 210 464 500

3.2.6 Other Communications

For matters not related to incident reporting and response: soc@iscte-iul.pt

3.2.7 Preferred Contact Method

The preferred contact method of the Iscte SOC team is the email address used for incident reporting: csirt@iscte-iul.pt

3.2.8 Incident Reporting and Management Portal (for the Iscte community only)

          • https://iajuda.iscte-iul.pt/

3.2.9 Information on Public Keys and Ciphers

The SOC service provides a PGP key that should be used whenever there is a need to encrypt any type of information or file:

            • User ID: CSIRT ISCTE-IUL <csirt@iscte-iul.pt>
            • Fingerprint: 1D08 1964 6E48 A2E8 2932 EAF3 49E8 B051 87CF 1A3D
            • Key type: RSA/4096
            • Available at: https://pgp.surf.nl/pks/lookup?op=get&search=0x49E8B05187CF1A3D

3.2.10 Team Members

Coordinator: Paulo Manuel Correia Moreira (Paulo.Moreira@iscte-iul.pt)

Operational Team: soc@iscte-iul.pt

3.2.11 Other Information

For more information about Iscte, visit https://iscte-iul.pt/.

3.3 Guide

3.3.1 Mission

The purpose of Iscte’s SOC service is to serve its internal community and its clients in the context of responding to information security incidents, as well as protecting its services and the personal information related to them, and also preventing possible cyberattacks that may have an associated impact on the respective infrastructures and/or the institution’s business.

3.3.2 Community

The SOC service serves Iscte employees and its clients and is the entity responsible for collaborating in the incident response process with the other internal, external and/or service provider entities that are involved and necessary.

The prevention and monitoring activity of the Iscte SOC service covers, but is not limited to, the following IP address ranges and domains that belong to Iscte:

            • 192.92.146.0/24
            • 193.136.188.0/24
            • 193.136.189.0/24
            • 193.136.190.0/24
            • 193.136.191.0/24
            • 194.210.64.0/20
            • 194.210.80.0/22
            • 194.210.84.0/23
            • 194.210.86.0/24
            • 193.137.58.160/29
            • 193.137.2.90
            • 2001:690:21a0::/48
            • 2001:690:810:13::/64
            • iscte-iul.pt
            • iscte.pt

3.3.3 Affiliation

The SOC service is an Iscte service whose scope encompasses the institution’s systems and resources. The event sources collected and monitored by the SOC service are documented in Chapter 11 of Iscte’s “Security Incident Response Plan” document.

3.3.4 Authority

The SOC service has the authority to respond to incidents occurring within the Iscte community, as well as to respond on behalf of the organization in incident response processes in collaboration with external entities.

3.4 Policies

3.4.1 Incident Types and Support Level

The Iscte SOC service adopts the taxonomy defined in Chapter 7 of the document entitled “Security Incident Response Plan” of Iscte. With the exception of the “Maintenance” category, this taxonomy is in full compliance with the taxonomy adopted nationally by the Portuguese National Cybersecurity Centre (CNCS) and the members of the National Network of CSIRT in December 2019, and at the European level, also in 2019, by ENISA, the entity for Network and Information Security of the European Union.

The level of support given to each Incident may vary depending not only on its Severity for Iscte, according to the values defined in Chapter 8 of the document entitled “Security Incident Response Plan” of Iscte, but also on the available SOC resources. Although all incidents are handled as quickly as possible by the SOC service, these differences are detailed in Chapter 9 of the document entitled “Security Incident Response Plan” of Iscte.

3.4.2 Cooperation, Interaction and Privacy Policy

The SOC Privacy and Data Protection Policy stipulates that any type of information considered sensitive will only be passed on to third parties in cases of extreme necessity and always with the prior authorization of the individual, department or entity to which it belongs.

3.4.3 Communication and Authentication

The email and telephone number indicated in this document are considered sufficient for transmitting information to the Iscte SOC service that is not sensitive and/or confidential. If necessary, the PGP key of the email for incident reporting, available in the section “Information on public keys and ciphers”, can be used to send encrypted messages that may have sensitive or private content.

3.5 Services

3.5.1 Incident Response

The Iscte SOC service provides a coordination and response service for IT security incidents related to the entire Iscte community.

3.5.1.1 Incident Triage

In the Triage phase, incidents undergo an initial analysis to determine whether they actually constitute an incident and to assign them a classification appropriate to their context.

3.5.1.2 Incident Coordination

In this phase, a more detailed analysis is performed to determine the causes that led to the occurrence of the incident and the immediate countermeasures needed to mitigate it. If necessary, other stakeholders, internal or external, are contacted.

3.5.1.3 Incident Resolution

Finally, the respective eradication and/or mitigation measures for the Incident are outlined and applied, and whenever justified and necessary, a subsequent analysis of lessons learned, a more detailed report, and a meeting with the teams involved are conducted.

3.5.2 Monitoring

The SOC service ensures the monitoring, correlation, and analysis of events originating from Iscte’s security tools integrated into the SIEM, as outlined in Chapter 11 of the document entitled “Security Incident Response Plan” of Iscte.

3.5.3 Proactive Activities

The SOC service is constantly monitoring potential threats that may arise and will proactively alert the community and other stakeholders defined for this purpose whenever an Incident related to them occurs.

3.6 Forms

3.6.1 Post-Mortem Form

A report is prepared with a more detailed analysis of all the details of the respective Incident, following the template defined for this purpose, present in chapter 16 of the document designated as “Security Incident Response Plan” of Iscte, indicating the timeline of the Incident lifecycle, the measures taken at each stage, the people involved and the lessons learned to try to eradicate similar future Incidents, among other information.

3.7 Disclaimer

Despite all precautions taken in preparing the information that is disseminated, whether on the Internet or through distribution lists, the Iscte SOC assumes no responsibility for errors or omissions whose origin is not the SOC itself, as well as for the occurrence of Incidents that may arise from the use of this same information.

 

Scope of ISCTE’s SOC and Response to RFC2350 | Serviços de Informática e Infraestruturas de Comunicações | Ver. 1.1 | PUBLIC
