Outcomes CSIRT Maturity Meeting in Seoul

News item | 15-06-2016

The 2nd GFCE Expert Meeting on CSIRT Maturity was held in the margins of the FIRST Conference in Seoul following a previous meeting in Prague in February. Around 30 global experts, both public and private, gathered to discuss further progress on the development and ultimately adoption of a CSIRT Maturity Kit.

Report of the meeting is available here.

Participants of the CSIRT Maturity Expert Meeting in Seoul

Typology of CSIRTs

The meeting was opened and moderated by Prof. Dr. Klaus-Peter Kossakowski (Hamburg University) followed by an opening speech of Ms. Petra Nijenhuis-Timmers (MFA, the Netherlands) who stressed the importance of an open, free and secure cyber space as an important precondition for democracy, freedom, innovation and economic growth. The strengthening of CSIRT capacity on a global scale is in that regard of vital importance.

Maarten van Horenbeeck (FIRST) spoke on the typology of CSIRTs. Important, because in various areas, like CSIRT maturity, or the services portfolio, or indeed seen from a political and funding point of view, it does matter what “type” a CSIRT is. Hence a clarification of the typology would be beneficial.

After that Peter Allor (FIRST Board Member) gave an update on the current status of the SIRT services framework which has been developed by the global incident response community under the guidance of FIRST and seeks to provide a reference standard for both CSIRT and PSIRT services. 

Ms. Petra Nijenhuis-Timmers (MFA, the Netherlands) stressed the importance of an open, free and secure cyber space

CSIRT Maturiy Kit

In building new CSIRTs, one of the important questions to tackle is what services will they offer, and at what quality level. in his session, Luc Dandurand presented the ITU’s vision on the SIRT services framework, that has been introduced in the previous presentation. Different types of CSIRT will make a different selection from this collection of services, based on the needs of their constituency.

Don Stikvoort (on behalf of the NSCS-NL )presented the current CSIRT Maturity Kit developed by the Dutch NCSC. The purpose of this “CSIRT Maturity Kit” ( check.ncsc.nl ) is to help emerging and existing CSIRTs increase their maturity level. The CMK has a set of best practices embedded in a 5-tier framework based on the SIM3 CSIRT Maturity Model: Foundation, Organisation, Human aspects, Tools and Processes. This work has been reviewed by a global review committee of experts, and continues to be updated and improved.

Finally Serge Droz (SWITCH) discussed the Security Incident Management Maturity Model with the participants. This model identifies 40+ parameters that measure categories of maturity: Organization, Human, Tools, Processes and Foundation. Droz reasons that it is important to have a more objective approach towards maturity, also allowing comparisons and benchmarking in due course. 

Outcomes & next steps

All in all a very good meeting with agreement of all participants on the next steps:

  • Regarding the Adoption of the Cyber Maturity Kit:
    • Participants are requested to comment on the current draft before the end of June
    • Subsequently a final draft will be made available before the end of July
  • Support within the GFCE will be further harmonized: who can support what and under what conditions
  • Proposal baseline n/g CSIRTs will be ready by the end of year
  • Proposal for toolbox to go with baseline will be ready by the end of year
  • Next expert meeting will be organized end 2016 / early 2017