Incident handling by CERT.be: general conditions
Support regarding an incident
During the course of the incident response, you may be asked to give access to all systems, including all documents and files on those systems. We will handle confidential information with care and only divulge it to people involved in the incident resolution, on a need-to-know basis.
A copy of the hard disk, a memory dump of all the information in the memory of the powered-on machine, or logs can be requested by the Police or CERT.be for further investigation and forensic analysis. Those will be stored on an encrypted hard drive and will not be kept by CERT.be longer than needed.
CERT.be might need to deploy additional software to your systems in order to be able to gather additional information. That software has been tested and vetted extensively, but CERT.be won’t be held responsible for any crash or unavailability of those systems.
Information might additionally be shared with the CERTs of our European national partners in order to disseminate any indicators of compromise found, but this would be done in an anonymized way and with your authorization.
The incident might be reported to the Local or Federal Police if needed.
An on-site “war room”, a place where people can freely exchange confidential information, might be required.