Computer Security Incident Response Team (CSIRT)
As part of fulfilling the Cybersecurity Maturity Index (IKAS) assessment conducted by the National Cyber and Crypto Agency (BSSN), every institution or corporation that has established a Computer Security Incident Response Team (CSIRT) is required to demonstrate readiness, transparency, and accountability in managing cybersecurity incidents. One of the key indicators assessed is the existence of a publicly available CSIRT profile document (RFC 2350).
The publication of a CSIRT profile based on RFC 2350 on the company’s official website serves several strategic and functional purposes, namely:
1. Transparency and Public Credibility
The RFC 2350 document serves as the official CSIRT profile outlining its mandate, scope, structure, contact information, and incident handling procedures. Its publication demonstrates the company’s commitment to accountable cybersecurity governance, while also strengthening the trust of the public, regulators, and strategic partners.
2. Fulfillment of BSSN’s IKAS Assessment
Within the IKAS assessment framework, the Policy & Governance and Incident Response aspects require documented evidence of a CSIRT aligned with international standards. One verifiable piece of evidence is the availability of a publicly accessible RFC 2350 document on the organization’s official website. This confirms that the CSIRT has met the requirements of formalization, external communication, and operationalization of incident response functions.
3. CSIRT Interconnectivity and Collaboration
RFC 2350 serves as a global reference for ensuring interoperability and communication among CSIRTs—both nationally (through ID-SIRTII/BSSN) and internationally (FIRST, APCERT). Its publication facilitates identification, verification, and coordination in the event of cross-entity or cross-sector incidents.
4. Enhanced Corporate Reputation and Compliance
By officially publishing the CSIRT profile, the company demonstrates compliance with national standards and regulations, such as Presidential Regulation No. 82/2022 on the Management of Critical Information Infrastructure (CII) and BSSN Guidelines on CSIRT Formation and Operations. This initiative also reinforces the company’s position as an entity strongly committed to national cybersecurity and resilience.
5. Support for Audit and Maturity Assessment Processes
The publication of RFC 2350 also gives auditors, assessors, and regulators externally accessible, verifiable evidence of the company’s cybersecurity policy implementation. This facilitates the assessment process and contributes to a higher IKAS score.