Co-Operation, Interaction & Disclosure of Information
All information handled by UniMS-CERT is treated as confidential by default and is shared only on a need-to-know basis. Team members have signed a non-disclosure agreement (NDA) and have agreed to comply with common information-sharing policies, e.g. the Traffic Light Protocol (TLP). UniMS-CERT strives to comply with the Trusted Introducer (TI) CSIRT Code of Practice (CCoP).
Because of the nature of their responsibilities and the consequent expectations of confidentiality, management members of the University of Münster and the CIT are entitled to receive whatever information is necessary to facilitate the handling of IT security incidents which occur in their jurisdictions. IT security officers (IV-SB) and system administrators at the University of Münster are, by virtue of their responsibilities, trusted with confidential information. However, unless such people are also members of UniMS-CERT, they will be given only that confidential information which they must have in order to assist with an investigation, or in order to secure their own systems. Users of services offered by the University of Münster are entitled to information regarding the security of their own user accounts and will be notified if their account is believed to have been compromised.
Since UniMS-CERT wants to support the IT security community, it encourages and supports the sharing of incident-related information, e.g. indicators of attack and indicators of compromise (IOAs/IOCs), with other trusted teams or institutions. If specific information is deemed useful to prevent or resolve incidents at other institutions, it will be shared freely. In order to respect ethical and legal restrictions, measures to anonymize personally identifiable information (PII) and other sensitive details will be applied as far as possible.
UniMS-CERT co-operates with law enforcement entities in accordance with the university's IT usage policy; sharing of confidential information may be needed, or even legally required, in certain cases to pursue an investigation. Such cases will usually be handled through the university's legal department. The amount of shared information will always be restricted to the necessary minimum.
Confidential information will not be disclosed to the whole constituency or even the general public. Should the release of information at a large scale be necessary, it will be handled through the university's legal or public relations departments.