The organization has a (contracted) CSIRT.
The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.
Specification
The CSIRT has an average maturity according to the SIM3 maturity model for CSIRTS of 2 or higher on each of the O, H, T and P categories (see: https://www.trusted-introducer.org/SIM3-Reference-Model.pdf)
Contact information of the CSIRT is published in the RFC2350 format.
The CSIRT maturity is reviewed annually.
CSIRT members of SURF member organisations have at a miminum followed an incident response course.
ISO 27001 & 27002:2022
A5.2,
A5.26,
A5.27,
A5.29,
A5.30
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
IM.03 Incident respons on (cyber) security incidents
BC.05 Crisismanagement