CSIRT Description for CERT Allegro
=================================
1. About this document
This document contains a description of CERT Allegro, based on RFC 2350.
The document delivers basic information about CERT Allegro, such as:
Contacts,
Responsibilities,
Services.
1.1 Date of Last Update
Version 2.1. Published 15.09.2019. Last update 26.08.2022.
1.2 Distribution List for Notifications
Notifications about updates are delivered to Trusted Introducer via the following e-mail address: <ti@trusted-introducer.org>.
1.3 Locations where this Document May Be Found
The current version of this CERT description document is available at the CERT Allegro website; its URL is: /
1.4 This Document’s Authenticity
This document has been signed with the CERT Allegro PGP key. The signatures are also available at: /cert/
2. Contact Information
2.1 Name of the Team
CERT Allegro
2.2 Address
CERT Allegro
Allegro Sp. z o.o.
1B Wierzbięcice Street
61-569 Poznan
Poland
2.3 Time Zone
Central European Time (GMT+0100, GMT+0200 from April to October)
2.4 Telephone Number
+48 61 630 60 01
2.5 Fax Number
Not available.
2.6 Other Telecommunication
Not available.
2.7 Electronic Mail Address
<cert@allegro.com> This e-mail serves as an alias for the inbox operated by the CERT personnel currently on duty.
2.8 Public keys and Other Encryption Information
PGP key used by CERT Allegro
User ID: CERT Allegro <cert@allegro.com>
Key ID: 0x91E2C228
Fingerprint: 424EFCEF97573F09F2B29F1BD5D5B90291E2C228
The key and its signatures can be found at the usual large public keyservers.
2.9 Other Information
General information about CERT Allegro can be found at: /cert
2.10 Points of Customer Contact
The preferred method for contacting CERT Allegro is via e-mail at certall@allegro.pl. We encourage using PGP encryption when sending sensitive information to CERT Allegro.
CERT Allegro operates 24/7.
3. Charter
3.1 Mission Statement
The mission of CERT Allegro is to:
· prevent and anticipate computer security incidents by implementing adequate processes, tools and policies in order to improve the reactivity in case of an incident,
· provide operational support for handling serious computer security incidents which can affect Allegro.pl assets and interests, including Allegro.pl Customers,
· provide support for employees, partners, shareholders and other Allegro.pl departments in the implementation of safe and secure IT solutions.
3.2 Constituency
CERT Allegro provides IT security incident response and security services for Allegro.pl employees and its customers.
3.3 Sponsorship and/or Affiliation
CERT Allegro is a private CERT, operating in the e-commerce sector. It maintains relationships with different CERTs/CSIRTs in Poland and in Europe, as a member of Trusted Introducer, since January 2015.
https://www.trusted-introducer.org/directory/teams/cert-allegro.html
3.4 Authority
CERT Allegro operates as authorised by and under the auspices of the Chief Security Officer of Allegro.pl Sp. z o.o.
4. Policies
4.1 Types of Incidents and Level of Support
CERT Allegro is authorized to address all types of computer security incidents which occur, or threaten to occur, in its constituency. All the incident reports received by CERT Allegro are analysed, classified and prioritized according to internal regulations, so that an efficient and appropriate level of service is provided.
4.2 Co-operation, Interaction and Disclosure of Information
CERT Allegro exchanges all necessary information with other CSIRTs and entities included in the Polish national cyber security system, as well as with administrators of the affected parties. No personal or overhead data is exchanged, unless explicitly authorized.
In connection with the obligation to protect the privacy of its constituency, CERT Allegro (under normal circumstances) provides the possibility to share information only in a confidential manner.
CERT Allegro operates under the legal restrictions imposed by Polish law, e.g. the Personal Data Protection Law and the Act on the National Cyber Security System.
4.3 Communication and Authentication
CERT Allegro protects sensitive information in accordance with the relevant Polish and European regulations and policies. For standard communication that does not contain sensitive information, CERT Allegro might use conventional methods, such as unencrypted e-mail, telephone or verbal communication. For secure communication, PGP-encrypted e-mail or other properly secured channels will be used. CERT Allegro also recognizes and supports the ISTLP (Information Sharing Traffic Light Protocol).
5. Services
5.1 Incident Response
CERT Allegro will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:
5.1.1 Incident Triage
Investigating whether the incident actually occurred and is authentic.
Determining the extent of the incident, assessing and prioritizing it.
5.1.2 Incident Coordination
CERT Allegro coordination includes:
Determining the initial cause of the incident (vulnerability exploited).
Facilitating contact with other sites which may be involved.
Facilitating contact with appropriate law enforcement officials, if necessary.
Preparing reports and analyses, if applicable.
Drawing up announcements to users, if applicable.
5.2 Proactive Services
Proactive services provide means to reduce the number of actual incidents by maintaining proper and suitable information regarding potential incidents to CERT’s constituency. CERT Allegro will perform proactive activities to improve performance and capabilities, such as:
· following current trends in technology and security,
· conducting security awareness training and campaigns,
· providing cybersecurity support and advice.
6. Incident Reporting Forms
CERT Allegro provides the contact e-mail address <cert@allegro.pl> to receive information about potential incidents. Additional communication forms are described on the /cert page.
7. Disclaimers
Every precaution will be taken while preparing information, notifications and alerts; however, CERT Allegro assumes no responsibility for errors, omissions or for damages caused by the use of the information contained within.