

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
RFC 2350 – CSIRT Noesis
English Version
1. Document Information
This document describes the incident response coordination service provided by Noesis Portugal, SA, a Portuguese technology consulting company, within the scope of its Security Operations Center (SOC) and in alignment with national cybersecurity practices, following the structure defined in RFC 2350.
This document complies with the structure recommended by RFC 2350, including all relevant information regarding communication channels, roles, services, scope and operational procedures of CSIRT Noesis.
1.1 Date of Last Update
This is version 1.3, published on 2026/06/01.
1.2 Distribution List for Notifications
There is currently no public distribution channel for notifications; updates are carried out at intervals of six months or less.
1.3 Location of this Document
Portuguese version: https://www.noesis.pt/csirt/rfc-2350-pt
English version: https://www.noesis.pt/csirt/rfc-2350-en
1.4 Authenticating this Document
This document is signed with the official PGP key of CSIRT Noesis.
1.5 Expiration
This document is valid until superseded by a more recent version and will be reviewed periodically to ensure its accuracy and relevance.
2. Contact Information
2.1 Name of the Team
Full name: Cyber Security Incident Response Team Noesis
Short name: CSIRT Noesis
2.2 Address
Noesis Portugal – Information Technology Consulting
Torres de Lisboa – Rua Tomás da Fonseca, Torre E, 14th floor, 1600-209 Lisbon, Portugal
2.3 Time Zone
Portugal, Lisbon Time (GMT+0, GMT+1 during daylight saving time)
2.4 Telephone Number
+351 21 423 5430
2.5 Fax Number
Not available.
2.6 Other Telecommunications
Not available.
2.7 Electronic Mail Address
Any general information related to CSIRT Noesis should be communicated through: csirt@noesis.pt
2.8 Public Keys and Encryption Information
PGP Key ID: 8F30 4DCD 3B2D 0622
PGP Fingerprint: 9BEE BC7F F0E9 9E6A 0DC6 27A1 8F30 4DCD 3B2D 0622
Key available at: https://www.noesis.pt/csirt/pgp-key.asc
2.9 Team Members
The CSIRT Noesis team is composed of a team lead, security analysts and information security and intelligence technologists.
The team reports to the Noesis Privacy and Security Committee.
2.10 Other Information
More information about Noesis and its security services: https://www.noesis.pt
2.11 Points of Contact
Refer to sections 2.2 to 2.7 for communications by letter, email and telephone contact.
2.12 Languages of Operation
The team operates in Portuguese and English, according to the needs of its constituency.
3. Mission
3.1 Mission Statement
The mission of CSIRT Noesis is to support the security and resilience of the digital operations within its constituency, providing specialized incident response, continuous monitoring and threat intelligence services. CSIRT Noesis also promotes a strong security culture within its community and fosters cooperation with national authorities and European partners, contributing to the collective strengthening of cybersecurity.
3.2 Scope of Activity
CSIRT Noesis responds to cybersecurity incidents affecting Noesis processes and services, covering its public assets (systems, networks, applications and users) in the national and international environments in which the organization operates. It also provides services to entities with which contractual agreements and established cooperation frameworks exist.
3.3 Sponsorship and/or Affiliation
CSIRT Noesis is affiliated with Noesis Portugal, SA and maintains affiliations with various CSIRTs and CERTs in Portugal, Europe and other regions of the world, according to operational needs, the information shared and the principles of cooperation that guide its mission and values.
3.4 Authority
CSIRT Noesis operates under the authority of the Noesis Privacy and Security Committee, exercising its competences within the scope of its mission, formalized in an internal Service Order, as well as when delegated by its clients through contractual agreements.
Its mission, scope and responsibilities are formally defined in internal governance instruments approved at top management level.
CSIRT Noesis provides technical and operational support in the prevention, detection and management of cybersecurity events and incidents. It does not replace, assume or transfer the legal obligations relating to governance, risk management, incident handling or incident notification incumbent on entities subject to Directive (EU) 2022/2555 (NIS 2) or its national transposition Decree-Law No. 125/2025, of 4 December.
Responsibility for compliance with applicable legal and regulatory obligations always remains with the affected entity, unless expressly stated otherwise by contract.
CSIRT Noesis acts exclusively in a support and coordination capacity and does not exercise decision-making powers on behalf of clients, except where this is clearly defined by contract.
The framework, mission and policies of CSIRT Noesis are integrated into the organization's information security governance system and are subject to periodic review.
CSIRT Noesis may coordinate with the competent national authorities or other CSIRTs upon client request or when required by applicable law, strictly within the limits of its mandate and contractual scope.
4. Policies
4.1 Types of Incidents and Level of Support
CSIRT Noesis responds to a wide range of cybersecurity incidents, adopting the CNCS taxonomy:
• Malicious code
• Availability
• Information gathering
• Intrusion attempts
• Intrusion
• Information content security
• Fraud
• Abusive content
• Vulnerability
• Other
The level of support provided by CSIRT Noesis depends on the type, severity and scope of the incident, as well as the resources available for its handling.
The level of support (L1, L2 and/or L3 of the SOC teams) depends on the impact of the incident. Incidents classified as critical receive an immediate response, while the remainder are handled during business hours or in accordance with predefined procedures.
Coordination with CERT.PT is activated in major incidents or events of systemic impact.
4.2 Cooperation, Interaction and Disclosure of Information
Noesis follows a strict confidentiality model. Sensitive incident data will only be shared externally (for example, with CERT.PT or authorities) upon prior approval by Noesis or, within the scope of client engagements, when required by regulation. The Traffic Light Protocol (TLP) is applied to all external information disclosure.
4.3 Communication and Authentication
Non-sensitive communications may take place by telephone or unencrypted email. Sensitive data must be encrypted with a PGP key, the details of which are provided in section 2.8. TLP classification is used for sensitive data.
4.4 Protection of Personal Data
CSIRT Noesis extends the protection policy for sensitive data, in terms of access, storage and handling, in compliance with Article 28 of the General Data Protection Regulation (GDPR).
In the context of its services, CSIRT Noesis may have limited access to personal data of third parties. In such cases, CSIRT Noesis acts exclusively as a processor, within the meaning of Article 28 of the General Data Protection Regulation (GDPR), processing personal data exclusively in accordance with the documented instructions of the third party and within the agreed limits.
The processing of personal data complies with the principles of data minimization, purpose limitation and storage limitation, with data being retained only for the period strictly necessary for incident management or compliance with legal obligations.
5. Services
CSIRT Noesis intends to provide support on the technical and organizational aspects of security incidents, both internally and as a provided service.
All services and solutions are delivered from Portugal, with CSIRT Noesis headquartered in the Lisbon offices. We do not rule out, now or in the future, hosting some technical support or investigation solutions in a private or public cloud, integrated with AI agents, with the modules and data under our control.
5.1 Security Monitoring
• Implement and optimize security solutions to collect, filter and correlate logs
• Continuously monitor security events in near real time to detect and identify threats
• Collaborate in actively monitoring sources reported as suspicious by national entities designated for this purpose
5.2 Incident Response
5.2.1 Incident Triage and Notification
• Verify the authenticity of a reported incident
• Collect and record information in the context of the incident
• Classify and assign priority based on the severity and potential impact of the incident
• Initial recommendations to support the appropriate response or mitigation actions
• Assign, notify or escalate the incident
• Monitor the incident until closure
5.2.2 Incident Coordination
• Identify the root cause and contributing factors of the security incident
• Engage the appropriate security teams, internal or external
• Contact the affected organizations to support the investigation
• Coordinate and share relevant information with national and international entities involved, such as CSIRTs, registrars and cloud providers
5.2.3 Incident Response and Resolution
• Provide technical guidance to systems and network administration teams on appropriate containment and mitigation measures
• Support the response process until normal operation is restored
• Collect evidence and produce technical documentation about the incident
• Respond to third-party inquiries, where applicable
• In service and operation engagements, contact and coordinate containment and mitigation activities with clients
5.3 Vulnerability Alerting and Disclosure
• Monitor vulnerability databases (for example, NVD, CVE, CISA KEV, vendor advisories), news, blogs and social media
• Track zero-day disclosures and exploits in active use
• Alert relevant internal parties about critical vulnerabilities
5.4 Digital Forensics Incident Response
• Collection of events from the Noesis platform
• Collection or extraction of artifacts
• Analysis of the results of artifact simulation in sandbox (simulation) environments
• Network traffic analysis
• Analysis of malware, including ransomware, trojans and other forms
• Analysis of compromised accounts and their associated activities
• Identification of the root cause and contributing factors of the security incident
• Documentation and security recommendations
• Collection and analysis of events from client platforms
6. Incident Reporting Forms
Noesis does not require a standardized incident reporting form. Incidents should be reported by email to csirt@noesis.pt, with a detailed description of the occurrence, including the affected systems, timeline and available technical evidence. The use of PGP encryption is recommended for sensitive content.
7. Disclaimers
All information provided by CSIRT Noesis, whether through this document, direct communication or public channels, is provided in good faith and based on the best knowledge available at the time.
CSIRT Noesis accepts no liability for direct or indirect damages resulting from the use or interpretation of such information, including missed detections, delayed response or reliance on advisory content.
CSIRT Noesis is not a law enforcement authority and holds no investigatory or punitive powers. Any suspected criminal activity must be reported to the competent national authorities by the affected parties. The CSIRT may support clients in preparing technical documentation or providing relevant evidence, only upon express request and where legally possible.
Information shared with CSIRT Noesis is handled under strict confidentiality agreements and is only disclosed to third parties, such as other CSIRTs or CERT.PT, with prior client approval or when legally required.
Although we have endeavoured to carefully translate the original document from Portuguese into English, we cannot guarantee that both documents express the same thoughts with the same level of detail and accuracy. In all cases where there is divergence between the two versions, the Portuguese version prevails.
-----BEGIN PGP SIGNATURE-----
iKIEARYKAEoWIQT9sYfuvhJFSW0vlOC54dmGY9AAlQUCaiAsOxsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDEQHGNzaXJ0QG5vZXNpcy5wdAAKCRC54dmGY9AAlRbE
AP4r4W2BCL6jV7/zSZhffA/4C4BsUZXPJBjrTXFtHRHjAAD/bGNqs5VbJktOsd9b
kBkkbAH4X85wGVkcKxr4+cYbYg8=
=FKp2
-----END PGP SIGNATURE-----