Communication & Authentication
In view of the types of information that UniMS-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP or S/MIME end-to-end encryption will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be end-to-end encrypted for transmission. To verify the source and the integrity of transmitted data, digital signatures will be used where possible. For this purpose all e-mails containing official statements on behalf of the team or team members will be signed using PGP or S/MIME signatures.
UniMS-CERT supports the use of the Traffic Light Protocol (TLP) and will respect sharing restrictions.
Where it is necessary to establish trust, for example before relying on information given to UniMS-CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within University of Münster, and with known CERTs or CSIRTs, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, along with telephone call-back or signed e-mail mail-back to ensure that the party is not an impostor. Incoming e-mails whose data must be trusted will be checked with the originator personally or by means of digital signatures (PGP or S/MIME are supported).