RFC 2350 – CSIRT Noesis


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

RFC 2350 – CSIRT Noesis 
English Version 

1. Document Information 
This document describes the incident response coordination service provided by Noesis Portugal, SA, a Portuguese technology consulting company, within the scope of its Security Operations Center (SOC) and in alignment with national cybersecurity practices, following the structure defined in RFC 2350. 
This document complies with the structure recommended by RFC 2350, including all relevant information regarding communication channels, roles, services, scope and operational procedures of CSIRT Noesis. 
 
1.1 Date of Last Update 
This is version 1.3, published on 2026/06/01. 
 
1.2 Distribution List for Notifications 
There is currently no public distribution channel for notifications; updates are carried out at a frequency of six months or less. 
 
1.3 Location of this Document 
Portuguese version: https://www.noesis.pt/csirt/rfc-2350-pt 
English version: https://www.noesis.pt/csirt/rfc-2350-en 

1.4 Authenticating this Document 
This document is signed with the official PGP key of CSIRT Noesis. 

1.5 Expiration 
This document is valid until superseded by a more recent version and will be reviewed periodically to ensure its accuracy and relevance.


2. Contact Information 

2.1 Name of the Team 
Full name: Cyber Security Incident Response Team Noesis 
Short name: CSIRT Noesis 

2.2 Address 
Noesis Portugal – Information Technology Consulting 
Torres de Lisboa – Rua Tomás da Fonseca, Torre E, 14th floor, 1600-209 Lisbon, Portugal 

2.3 Time Zone 
Portugal, Lisbon Time (GMT+0, GMT+1 during daylight saving time) 

2.4 Telephone Number 
+351 21 423 5430 

2.5 Fax Number 
Not available. 

2.6 Other Telecommunications 
Not available. 

2.7 Electronic Mail Address 
Any general information related to CSIRT Noesis should be communicated through: csirt@noesis.pt 

2.8 Public Keys and Encryption Information 
PGP Key ID: 8F30 4DCD 3B2D 0622 
PGP Fingerprint: 9BEE BC7F F0E9 9E6A 0DC6 27A1 8F30 4DCD 3B2D 0622 
Key available at: https://www.noesis.pt/csirt/pgp-key.asc 

2.9 Team Members 
The CSIRT Noesis team is composed of a team lead, security analysts and information security and intelligence technologists. 
The team reports to the Noesis Privacy and Security Committee. 

2.10 Other Information 
More information about Noesis and its security services: https://www.noesis.pt 

2.11 Points of Contact 
Refer to sections 2.2 to 2.7 for communications by letter, email and telephone contact. 

2.12 Languages of Operation 
The team operates in Portuguese and English, according to the needs of its constituency.


3. Mission 

3.1 Mission Statement 
The mission of CSIRT Noesis is to support the security and resilience of the digital operations within its constituency, providing specialized incident response, continuous monitoring and threat intelligence services. CSIRT Noesis also promotes a strong security culture within its community and fosters cooperation with national authorities and European partners, contributing to the collective strengthening of cybersecurity. 

3.2 Scope of Activity 
CSIRT Noesis responds to cybersecurity incidents affecting Noesis processes and services, covering its public assets (systems, networks, applications and users) in the national and international environments in which the organization operates, also providing services to entities with which contractual agreements and established cooperation frameworks exist. 

3.3 Sponsorship and/or Affiliation 
CSIRT Noesis is affiliated with Noesis Portugal, SA and maintains affiliations with various CSIRTs and CERTs in Portugal, Europe and other regions of the world, according to operational needs, the information shared and the principles of cooperation that guide its mission and values. 

3.4 Authority 
CSIRT Noesis operates under the authority of the Noesis Privacy and Security Committee, exercising its competences within the scope of its mission, formalized in an internal Service Order, as well as when delegated by its clients through contractual agreements. 
Its mission, scope and responsibilities are formally defined in internal governance instruments approved at top management level. 
CSIRT Noesis provides technical and operational support in the prevention, detection and management of cybersecurity events and incidents. It does not replace, assume or transfer the legal obligations relating to governance, risk management, incident handling or incident notification incumbent on entities subject to Directive (EU) 2022/2555 (NIS 2) or its national transposition Decree-Law No. 125/2025, of 4 December. 
Responsibility for compliance with applicable legal and regulatory obligations always remains with the affected entity, unless expressly stated otherwise by contract. 
CSIRT Noesis acts exclusively in a support and coordination capacity and does not exercise decision-making powers on behalf of clients, except where this is clearly defined by contract. 
The framework, mission and policies of CSIRT Noesis are integrated into the organization's information security governance system and are subject to periodic review. 
CSIRT Noesis may coordinate with the competent national authorities or other CSIRTs upon client request or when required by applicable law, strictly within the limits of its mandate and contractual scope.


4. Policies 

4.1 Types of Incidents and Level of Support 
CSIRT Noesis responds to a wide range of cybersecurity incidents, adopting the CNCS taxonomy: 
Malicious code 
Availability 
Information gathering 
Intrusion attempts 
Intrusion 
Information content security 
Fraud 
Abusive content 
Vulnerability 
Other 

The level of support provided by CSIRT Noesis depends on the type, severity and scope of the incident, as well as the resources available for its handling. 
The level of support (L1, L2 and/or L3 of the SOC teams) depends on the impact of the incident. Incidents classified as critical receive an immediate response, while the remainder are handled during business hours or in accordance with predefined procedures. 
Coordination with CERT.PT is activated in major incidents or events of systemic impact. 

4.2 Cooperation, Interaction and Disclosure of Information 
Noesis follows a strict confidentiality model. Sensitive incident data will only be shared externally (for example, with CERT.PT or authorities) upon prior approval by Noesis or, in client scenarios and scope, when required by regulation. The TLP (Traffic Light Protocol) is used throughout all external information disclosure. 

4.3 Communication and Authentication 
Non-sensitive communications may take place by telephone or unencrypted email. Sensitive data must be encrypted with a PGP key, the details of which are provided in section 2.8. TLP classification is used for sensitive data. 

4.4 Protection of Personal Data 
CSIRT Noesis extends the protection policy for sensitive data, in terms of access, storage and handling, in compliance with Article 28 of the General Data Protection Regulation (GDPR). 
In the context of its services, CSIRT Noesis may have limited access to personal data of third parties. In such cases, CSIRT Noesis acts exclusively as a processor, within the meaning of Article 28 of the General Data Protection Regulation (GDPR), processing personal data exclusively in accordance with the documented instructions of the third party and within the agreed limits. 
The processing of personal data complies with the principles of data minimization, purpose limitation and storage limitation, with data being retained only for the period strictly necessary for incident management or compliance with legal obligations.


5. Services 
CSIRT Noesis intends to provide support on the technical and organizational aspects of security incidents, both internally and as a provided service. 
All services and solutions are delivered from Portugal, with CSIRT Noesis headquartered in the Lisbon offices. We do not rule out, now or in the future, having some technical support or investigation solutions in private or public cloud, integrated with AI agents under our modules and data control. 

5.1 Security Monitoring 
Implement and optimize security solutions to collect, filter and correlate logs 
Continuous monitoring of security events in near real time to detect and identify threats 
Active monitoring collaboration for sources reported as suspicious by national entities designated for this purpose 

5.2 Incident Response 
5.2.1 Incident Triage and Notification 
Verify the authenticity of a reported incident 
Collect and record information in the context of the incident 
Classify and assign priority based on the severity and potential impact of the incident 
Initial recommendations to support the appropriate response or mitigation actions 
Assign, notify or escalate the incident 
Monitor the incident until closure 

5.2.2 Incident Coordination 
Identify the root cause and contributing factors of the security incident 
Engage the appropriate security teams, internal or external 
Contact the affected organizations to support the investigation 
Coordinate and share relevant information with national and international entities involved, such as CSIRTs, registrars and cloud providers 

5.2.3 Incident Response and Resolution 
Provide technical guidance to systems and network administration teams on appropriate containment and mitigation measures 
Support the response process until normal operation is restored 
Collect evidence and produce technical documentation about the incident 
Respond to third-party inquiries, where applicable 
In service and operation engagements, contact and coordinate containment and mitigation activities with clients 

5.3 Vulnerability Alerting and Disclosure 
Monitor vulnerability databases (for example, NVD, CVE, CISA KEV, vendor advisories), news, blogs and social media 
Track zero-day disclosures and actively exploited exploits 
Alert relevant internal parties about critical vulnerabilities 

5.4 Digital Forensics Incident Response 
Collection of events from the Noesis platform 
Collection or extraction of artifacts 
Analysis of the result of artifact simulation in simulation environments, sandbox 
Network traffic analysis 
Analysis of malware, ransomware, trojans and other forms 
Analysis of compromised accounts and their associated activities 
Identification of the root cause and contributing factors of the security incident 
Documentation and security recommendations 
Collection and analysis of events from client platforms


6. Incident Reporting Forms 
Noesis does not require a standardized incident reporting form. Incidents should be reported by email to csirt@noesis.pt, with a detailed description of the occurrence, including the affected systems, timeline and available technical evidence. The use of PGP encryption is recommended for sensitive content.


7. Disclaimers 
All information provided by CSIRT Noesis, whether through this document, direct communication or public channels, is provided in good faith and based on the best knowledge available at the time. 
CSIRT Noesis accepts no liability for direct or indirect damages resulting from the use or interpretation of such information, including missed detections, delayed response or reliance on advisory content. 
CSIRT Noesis is not a law enforcement authority and holds no investigatory or punitive powers. Any suspected criminal activity must be reported to the competent national authorities by the affected parties. The CSIRT may support clients in preparing technical documentation or providing relevant evidence, only upon express request and where legally possible. 
Information shared with CSIRT Noesis is handled under strict confidentiality agreements and is only disclosed to third parties, such as other CSIRTs or CERT.PT, with prior client approval or when legally required. 
Although we have endeavoured to carefully translate the original document from Portuguese into English, we cannot guarantee that both documents express the same thoughts with the same level of detail and accuracy. In all cases where there is divergence between the two versions, the Portuguese version prevails.


-----BEGIN PGP SIGNATURE-----

iKIEARYKAEoWIQT9sYfuvhJFSW0vlOC54dmGY9AAlQUCaiAsOxsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDEQHGNzaXJ0QG5vZXNpcy5wdAAKCRC54dmGY9AAlRbE
AP4r4W2BCL6jV7/zSZhffA/4C4BsUZXPJBjrTXFtHRHjAAD/bGNqs5VbJktOsd9b
kBkkbAH4X85wGVkcKxr4+cYbYg8=
=FKp2
-----END PGP SIGNATURE-----