RFC 2350 - CSIRT BIGSECURE

Public information for BIGSECURE CSIRT

Public Content

1. Document information

1.1. Date of last update

Version 1.0, approved and published on May 29, 2026.

This document describes the public information of CSIRT-BIGSECURE, including its contact details, community served, scope, authority, general policies and services related to cybersecurity incident management.

1.2. Distribution list for notifications

Changes to this document are not distributed through a public mailing list. Any inquiry, comment or request related to this document must be sent to the official CSIRT-BIGSECURE contact email address:

csirt@bigsecure.net

Relevant updates to this document will be published at the official location defined by BIGSECURE S.A.C.

1.3. Document location

The current version of this document will be available at the following official link:

http://www.bigsecure.net/csirt/rfc2350-en.html

If differences exist between versions, the version officially published and approved by BIGSECURE S.A.C. shall prevail.

2. Contact information

2.1. Team name

CSIRT-BIGSECURE

BIGSECURE S.A.C. Computer Security Incident Response Team.

CSIRT-BIGSECURE is formalized as a specialized unit within BIGSECURE S.A.C., supported by the existing capabilities of the Security Operations Center, the Information Security Management System based on ISO/IEC 27001:2022, the Integrated Management System processes, the cybersecurity technical team and the monitoring, response, vulnerability management and threat intelligence services.

2.2. Time zone

GMT –5 (Lima, Peru)

2.3. Other telecommunications

The main channel for reporting cybersecurity incidents is the official CSIRT-BIGSECURE email address.

2.4. Email address (preferred method)

The preferred method for contacting CSIRT-BIGSECURE is email.

To report critical incidents or high-urgency situations, the word [URGENTE] must be placed at the beginning of the email subject line in order to facilitate prioritization and escalation.

Subject example:

[URGENTE] Cybersecurity incident report - [Client name]

2.5. Secure communication

For sensitive communications or the exchange of confidential information related to cybersecurity incidents, CSIRT-BIGSECURE may use secure communication mechanisms approved by BIGSECURE S.A.C.

As of the publication date of this version, CSIRT-BIGSECURE does not have a published PGP public key. The generation, validation and publication of the PGP public key will be managed as part of the progressive strengthening process of the team's secure communication capabilities.

Once generated, the PGP public key associated with csirt@bigsecure.net will be published at the official CSIRT-BIGSECURE location and/or incorporated into an updated version of this document.

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PENDING GENERATION AND PUBLICATION]
-----END PGP PUBLIC KEY BLOCK-----

The associated private key will not be shared under any circumstances and must be safeguarded in accordance with BIGSECURE S.A.C.'s internal information security guidelines.

2.6. Team members

The complete list of CSIRT-BIGSECURE members is not publicly available due to operational security and information protection reasons.

Team members will identify themselves to the reporting party through official channels during the handling of an incident, in accordance with the contractual scope, internal procedures and the criticality of the case.

2.7. Other information

General information about CSIRT-BIGSECURE may be found on the official portal:

http://www.bigsecure.net/csirt

Specific information about relevant updates, contact channels and applicable public documents will be published by BIGSECURE S.A.C. through the corresponding official media.

2.8. Customer contact points

The preferred method for contacting CSIRT-BIGSECURE in the event of cybersecurity incidents is to send an email to:

csirt@bigsecure.net

The message will be reviewed by the responsible team or referred to the corresponding backup personnel, depending on the criticality of the case, the contractual scope of the service, applicable service level agreements and BIGSECURE S.A.C.'s internal procedures.

For critical incidents or high-urgency situations, the word [URGENTE] must be placed at the beginning of the email subject line in order to facilitate prioritization and escalation.

2.9. Hours of operation

CSIRT-BIGSECURE incident response services are available 24x7.

Incident handling, triage, escalation and coordination will be performed in accordance with the scope of the services contracted by each client, the applicable service level agreements, the criticality of the incident and BIGSECURE S.A.C.'s internal procedures.

For general inquiries, document coordination or non-critical requests, CSIRT-BIGSECURE may prioritize handling according to the team's operational availability and the established channels.

3. Charter

3.1. Mission

The mission of CSIRT-BIGSECURE is to coordinate, analyze, manage and support the response to cybersecurity incidents affecting clients served by BIGSECURE S.A.C., as well as internal assets, services and processes linked to the scope of the Information Security Management System, when applicable.

CSIRT-BIGSECURE focuses its activities on strengthening the protection of the confidentiality, integrity and availability of information through the detection, analysis, containment, escalation and monitoring of cybersecurity incidents and the continuous improvement of their management, supported by the existing capabilities of the Security Operations Center (SOC), the Integrated Management System, the cybersecurity technical team and the monitoring, response, vulnerability management and threat intelligence services.

3.2. Vision

The vision of CSIRT-BIGSECURE is to consolidate itself as a specialized cybersecurity incident response unit recognized for its technical capability, timely handling, traceability, collaboration and alignment with international good practices.

CSIRT-BIGSECURE seeks to progressively strengthen its operational, documentary and cooperation capabilities, with the objective of contributing to its clients' digital trust, actively participating in cybersecurity technical communities and supporting coordinated incident management at local, regional and international levels.

3.3. Community served

The community served by CSIRT-BIGSECURE is mainly composed of BIGSECURE S.A.C. clients who receive cybersecurity, monitoring, incident management, technical support, vulnerability management, threat intelligence or other services related to information protection and operational continuity.

Likewise, CSIRT-BIGSECURE may also provide support, coordination or recommendations regarding incidents affecting BIGSECURE S.A.C.'s internal assets, services or processes, provided that these are linked to the scope of the Information Security Management System or may impact the delivery of services to clients.

Incident handling will be performed in accordance with the contractual scope of the services contracted by each client, applicable service level agreements, incident criticality, the authority defined for intervention and BIGSECURE S.A.C.'s internal procedures.

CSIRT-BIGSECURE may also collaborate, when appropriate, with other incident response teams, CERTs, CSIRTs, technology providers, competent authorities, technical communities and national or international organizations, while respecting applicable confidentiality, data protection, information security and contractual restrictions.

3.4. Sponsorship and/or affiliation

CSIRT-BIGSECURE is sponsored by BIGSECURE S.A.C. and is formalized as a specialized unit within its organizational structure, with support from Senior Management, the Information Security Area, the Security Operations Center (SOC), the Integrated Management System and the corresponding technical and support areas.

CSIRT-BIGSECURE is authorized to handle, coordinate and support the management of cybersecurity incidents related to the services provided by BIGSECURE S.A.C. to its clients, in accordance with the contractual scope, internal procedures, service level agreements and the authority defined for each case.

CSIRT-BIGSECURE aims to strengthen its participation in technical communities, cooperation networks and national and international spaces related to incident response, vulnerability management, threat intelligence and cybersecurity good practices.

The formal participation or affiliation of CSIRT-BIGSECURE in international communities, including FIRST or similar organizations, will be subject to compliance with applicable requirements, corresponding approval and formal acceptance by such communities. Until express acceptance exists, CSIRT-BIGSECURE will not declare formal membership in such organizations.

3.5. Authority

CSIRT-BIGSECURE acts as a specialized technical unit of BIGSECURE S.A.C., with the capacity to coordinate, analyze, record, escalate and support the response to cybersecurity incidents within the scope of the services contracted by clients and the internal procedures approved by the organization.

The authority of CSIRT-BIGSECURE is based on the guidelines established by BIGSECURE S.A.C., the Information Security Management System, the Integrated Management System, contractual agreements with clients, service level agreements and the decisions of Senior Management or designated responsible parties.

CSIRT-BIGSECURE may coordinate technical actions with the SOC, the Information Security Area, the Engineering Area, the IMS Manager, Legal/Compliance, Administration and other support areas, depending on the nature, criticality and impact of the incident.

In the case of critical incidents, such as ransomware, active system compromise, information leakage, significant availability impact, unauthorized access or events that may affect service continuity, CSIRT-BIGSECURE may activate the escalation, containment, communication and coordination mechanisms defined by BIGSECURE S.A.C., in accordance with the contractual scope and applicable internal procedures.

Containment, mitigation, eradication or recovery actions involving client assets, systems or information will be coordinated with the client's authorized representatives, unless there is prior contractual authorization or a specific procedure that allows BIGSECURE S.A.C. to act directly within the contracted service.

When strategic coordination, external communication, legal validation, contractual handling or high-impact decision-making is required, CSIRT-BIGSECURE will escalate the case to Senior Management, the Information Security Area, Legal/Compliance or the corresponding internal body.

In the event of disagreement over a technical action or response decision, an internal escalation channel will be applied under the following reference order:

  1. CSIRT-BIGSECURE operational leader or responsible party
  2. Information Security Area / CISO
  3. BIGSECURE S.A.C. Senior Management

All formal coordination related to incidents must be channeled through the official CSIRT-BIGSECURE email address: csirt@bigsecure.net.

4. Policies

CSIRT-BIGSECURE will carry out its activities in accordance with BIGSECURE S.A.C.'s internal policies, procedures, controls and guidelines, considering the scope of the services contracted by clients, applicable service level agreements, the Information Security Management System, the Integrated Management System and good practices for cybersecurity incident response.

4.1. General principles

CSIRT-BIGSECURE activities will be governed by the following general principles:

  • Confidentiality: all information received, generated or processed during incident handling will be protected according to its sensitivity level, applicable contractual agreements and internal information security guidelines.
  • Integrity: technical information, evidence, records, reports and communications related to incidents must remain complete, traceable and protected against unauthorized alteration.
  • Availability: CSIRT-BIGSECURE will promote actions aimed at preserving or restoring the availability of affected services, according to the contractual scope and incident criticality.
  • Traceability: all incident handling must be documented through records, tickets, logs, communications, technical evidence or reports, as applicable.
  • Timeliness: incidents must be handled and escalated according to their criticality, impact, urgency, service level agreements and internal procedures.
  • Coordination: incident management will be performed in coordination with the SOC, the Information Security Area, Engineering, the IMS Manager, Legal/Compliance, Administration, clients and other relevant parties.
  • Continuous improvement: lessons learned, incident results, findings and improvement opportunities must be used to progressively strengthen prevention, detection, response and recovery capabilities.

4.2. Incident notification

Cybersecurity incidents must be reported to CSIRT-BIGSECURE through the official channel:

csirt@bigsecure.net

Notifications may be submitted by clients, BIGSECURE S.A.C. internal personnel, monitoring tools, authorized providers or other relevant parties, in accordance with the scope of the contracted services and the defined channels.

Every incident notification should include, to the extent possible, information that allows the initial analysis to be performed, such as:

  • Name of the reporting person.
  • Name of the affected organization or client.
  • Contact phone number.
  • Contact email address.
  • Description of the incident.
  • Approximate date and time of detection.
  • Affected systems, services, assets or users.
  • Known or potential impact.
  • Available evidence, such as screenshots, alerts, records, indicators of compromise or related messages.
  • Actions taken before reporting, if applicable.

For critical incidents or high-urgency situations, the word [URGENTE] must be placed at the beginning of the email subject line in order to facilitate prioritization and escalation.

CSIRT-BIGSECURE will record the received notification, perform the initial triage and determine the corresponding treatment according to criticality, impact, contractual scope and applicable internal procedures.

4.3. Classification and assessment

CSIRT-BIGSECURE will classify and assess reported or detected incidents considering criteria such as criticality, impact, urgency, scope, effect on confidentiality, integrity and availability, compromised services, number of affected users or assets, public exposure, contractual obligations, legal or regulatory risks and possible reputational impact.

The initial classification may consider reference levels such as:

  • Critical: incident with significant or potential impact on service continuity, sensitive information, availability of critical systems, information leakage, ransomware, active compromise or relevant contractual impact.
  • High: incident with important impact on assets, users, services or security controls, requiring priority handling and technical coordination.
  • Medium: incident with limited, controlled or lower-scope impact, requiring analysis, monitoring and corrective or mitigation actions.
  • Low: minor event or incident with no significant identified impact, requiring recording, assessment and possible preventive recommendation.

The classification may be updated during the incident lifecycle as new technical information, evidence, actual scope, confirmed impact or escalation decisions are obtained.

CSIRT-BIGSECURE will document the assessment performed, actions adopted, responsible parties involved, communications issued and the corresponding closure.

4.4. External communication

External communication related to cybersecurity incidents will be managed in a controlled, coordinated and documented manner.

CSIRT-BIGSECURE may participate in the preparation of technical communications addressed to clients, providers, incident response teams, technical communities, competent authorities or other interested parties, as appropriate according to the scope of the incident, contractual obligations, legal requirements or BIGSECURE S.A.C. decisions.

When external communication involves clients, regulators, authorities, the press, critical third parties or possible legal or reputational impacts, it must be coordinated with Senior Management, Legal/Compliance, the Information Security Area and the relevant areas.

All external communication must seek to ensure that information is clear, truthful, timely, proportional, technically supported and limited to what is necessary, avoiding disclosure of sensitive information, personal data, confidential client information, unvalidated indicators or details that may increase risk.

Issued and received communications must be recorded as part of the incident file, including date, channel, recipient, responsible party, general content and associated evidence.

5. Services

CSIRT-BIGSECURE provides services aimed at strengthening the capacity of BIGSECURE S.A.C. and its clients to prevent, detect, analyze, coordinate and respond to cybersecurity incidents, in accordance with the scope of contracted services, applicable service level agreements and the organization's internal procedures.

CSIRT-BIGSECURE services are grouped into proactive activities, reactive activities and security assessment.

5.1. Proactive activities

CSIRT-BIGSECURE proactive activities are intended to anticipate, identify and warn about conditions that may increase exposure to cybersecurity threats, as well as strengthen prevention, monitoring and preparedness capabilities.

These activities may include:

  • Monitoring security events through the existing SOC capabilities.
  • Reviewing and analyzing alerts generated by security platforms, event correlation and monitoring tools.
  • Tracking relevant vulnerabilities that may affect clients, managed services or assets related to the CSIRT scope.
  • Reviewing security bulletins, vendor alerts, technical sources, specialized communities and threat intelligence sources.
  • Issuing alerts, recommendations or preventive technical communications when relevant threats are identified.
  • Supporting the prioritization of vulnerabilities or security weaknesses, considering criticality, impact and exposure.
  • Coordinating with internal technical teams to evaluate mitigation measures, preventive containment or configuration hardening.
  • Identifying trends, patterns or recurring events that enable improved early detection and risk reduction.
  • Participating in continuous improvement activities related to monitoring, detection, response and incident management.

5.2. Reactive activities

CSIRT-BIGSECURE reactive activities are intended to handle, analyze, coordinate, contain, escalate, document and close cybersecurity incidents reported or detected within the scope of the services provided by BIGSECURE S.A.C.

These activities may include:

  • Receiving and recording cybersecurity incidents reported by clients, monitoring tools, internal personnel or other authorized parties.
  • Initial classification of the incident according to criticality, impact, scope and urgency.
  • Technical analysis of the incident, considering available evidence, alerts, logs, indicators of compromise or other relevant information.
  • Coordination with the SOC, technical areas, client representatives and interested parties for incident handling.
  • Recommendation or coordinated execution of containment, mitigation, eradication and recovery actions, according to the contractual scope and defined authority.
  • Escalation of critical incidents to Senior Management, the Information Security Area, Legal/Compliance, Engineering or other relevant areas.
  • Monitoring of the incident until its operational and documentary closure.
  • Preparation of technical reports, logs, post-incident reports and lessons learned.
  • Identification of improvement opportunities to strengthen monitoring, response, communication and future incident prevention processes.

5.3. Security assessment

CSIRT-BIGSECURE security assessment activities will be aimed at supporting the identification, analysis and prioritization of risks, vulnerabilities, control weaknesses or technical conditions that may affect information security, service continuity or incident response capability.

These activities may include:

  • Supporting the identification of security risks associated with assets, services, processes or technology platforms.
  • Reviewing vulnerabilities, configurations, alerts or technical findings reported by tools, vendors, clients or internal teams.
  • Prioritizing security findings considering criticality, impact, exposure, possibility of exploitation and potential effect on confidentiality, integrity or availability.
  • Recommending controls, mitigation measures, hardening, updating, segmentation, monitoring or technical improvements.
  • Coordinating with the SOC, Engineering, Information Security and client representatives to address relevant findings.
  • Monitoring corrective or preventive actions related to incidents, vulnerabilities or detected weaknesses.
  • Generating technical recommendations to reduce the likelihood of incident recurrence.
  • Supporting the continuous improvement of monitoring, detection, analysis, response and documentation capabilities.

Security assessment activities will be performed in accordance with the contractual scope, availability of information, corresponding authorization, internal procedures and security guidelines defined by BIGSECURE S.A.C.

6. Incident reporting forms

To report cybersecurity incidents, an email must be sent to the following official CSIRT-BIGSECURE address:

csirt@bigsecure.net

For critical incidents or high-urgency situations, it is recommended to place the word [URGENTE] at the beginning of the email subject line in order to facilitate prioritization and escalation.

Subject example: [URGENTE] Cybersecurity incident report - [Client name]

When notifying an incident, the following information should be provided, to the extent possible:

  • Full name of the reporting person.
  • Position or role of the reporting person.
  • Name of the affected organization or client.
  • Contact phone number.
  • Contact email address.
  • Approximate date and time of incident detection.
  • Description of the observed or suspected incident.
  • Systems, services, assets, users, IP addresses, domains or applications that may be affected.
  • Known or potential impact of the incident.
  • Level of urgency perceived by the reporting party.
  • Available evidence, such as screenshots, alerts, records, suspicious emails, files, indicators of compromise, logs or other relevant technical information.
  • Actions taken before the notification, if applicable.
  • Confidentiality or information handling restrictions, if applicable.
  • Person or area authorized to coordinate technical actions related to the incident.

CSIRT-BIGSECURE may request additional information during the initial analysis of the incident in order to validate its scope, criticality, impact and corresponding response actions.

The information received will be handled in accordance with BIGSECURE S.A.C.'s internal information security guidelines, applicable contractual agreements, confidentiality commitments and applicable legal or regulatory provisions.

7. Disclaimers

CSIRT-BIGSECURE will take reasonable precautions to ensure that the information, recommendations, alerts, reports and communications issued during incident management are clear, timely and technically supported, according to the information available at the time of issuance.

However, CSIRT-BIGSECURE does not guarantee that the information provided is complete, definitive or applicable to all scenarios, because cybersecurity incidents may evolve, present incomplete information or require additional technical validation.

Recommendations issued by CSIRT-BIGSECURE must be evaluated and applied considering the contractual scope of the service, client authorization, incident criticality, availability of evidence, internal procedures and the particular conditions of the affected environment.

CSIRT-BIGSECURE shall not be liable for damages, losses, interruptions, errors, omissions or consequences derived from the improper use, incorrect interpretation or unauthorized application of the information provided, unless there is an express obligation established in current contracts or service agreements with BIGSECURE S.A.C.

Information exchanged during incident handling will be treated with confidentiality and security criteria. However, the reporting party must avoid sending unnecessary, excessive or unauthorized information, especially personal data, credentials, private keys, technical secrets, confidential contractual information or sensitive data that are not essential for incident analysis.

This document does not replace contracts, service level agreements, internal policies, legal obligations, specific procedures or formal authorizations applicable between BIGSECURE S.A.C., its clients and other interested parties.