Report on the “CSIRT Maturity” Open Webinar Session

Report | GFCE V-Meeting “CSIRT Maturity | 20 May 2020

During this open webinar session, The Netherlands/TNO spoke about the CSIRT Maturity Initiative that is part of GFCE Working Group B – Task Force CIM. The focus of the session was on measuring and enhancing maturity as essential aspect of national CSIRT capacity building. The speakers addressed the Global CSIRT Maturity Frameworkand how it can be used. Moreover, FIRST, Cyprus and WACREN (West and Central African Research and Education Network) provided practical examples of how maturity is addressed by different countries and organisations worldwide. The session was aimed for anyone interested in building their CSIRT maturity as well as those willing to add value/comments to the Global CSIRT Maturity Framework.

The session was chaired and moderated by Ms. Annemarie Zielstra, Director Cyber Security & Resilience at TNO. Ms. Zielstra explained that the CSIRT Maturity Initiative is part of GFCE Working group B, Taskforce Cyber Incident Management, and the Dutch Ministry of Foreign Affairs and NCSC NL, together with the Dutch Applied Research Organisation (TNO) are working on the development of the Global CSIRT Maturity Framework (GCMF).

To kick-off the meeting, opening remarks were given by Ms. Petra Timmers, Coordinating Policy Officer International Cyber from the Dutch Ministry of Foreign Affairs. Ms. Timmers highlighted that states should establish a national Computer Emergency Response Team and support and facilitate the functioning of and cooperation among national CSIRTS, as referenced in the 2015 UNGGE report. Since the Netherlands aims to help other states by contributing to the GFCE Working Group B through research and implementation, Ms. Timmers particularly asked government participants of developing countries to address the needs on establishing a National CSIRT.

Next, Mr. Don Stikvoort, a contract partner of TNO and expert in the field of CSIRTs and Cyber Capacity Building, elaborated on the importance of maturity development in order to continuously advance and strengthen the global community of CSIRTs to protect our societies from cyber harm. Mr. Stikvoort explained there is no uniform way of shaping a National CSIRT, since specific focus, constituency, mandate or institutional embedding varies across contexts.

Following this, the GCMF was introduced by Ms. Hanneke Duijnhoven, senior scientist at TNO. The GCMF was meant to offer a common language and a guideline for national CSIRT capacity building, and facilitates collaboration and assessment of maturity of national CSIRTs. The GCMF was developed to work towards a globally applicable, common framework for CSIRT Maturity based on existing and acknowledged frameworks: the Security Incident Management Maturity Model (SIM3), and the maturity profiles that ENISA developed for national CSIRTs. SIM3 consists of 44 parameters in four categories: Organisation, Human, Process, Tools. Starting from SIM3, the GCMF also adopts 3 maturity profiles (basic, intermediate, advanced) that can be used as baselines for growth/evolution scenarios. Ms. Duijnhoven stressed that the three profiles are meant as important guiding principles – instead of being prescriptive – applicable to national teams worldwide since they depend on local context and priorities. Mr. Don Stikvoort further elaborated on the considerable flexibility of the GCMF when explaining how it can be applied. He touched upon the CSIRT Maturity assessments, collaboration opportunities and the different growth scenarios for strengthening and enhancing existing teams. The GCMF for example triggers national teams to think about the choices to be made and can help to define a sensible roadmap for improving maturity.

In order to provide examples of how CSIRT maturity is addressed in real life by different organizations, Mr. Maarten Van Horenbeeck, FIRST Board member and Lead of the Task Force CIM of GFCE’s Working Group B, explained how FIRST uses SIM3 for their membership process and how FIRST often works with other parties doing cyber capacity building projects around the world. Mr. Van Horenbeeck highlighted the importance of aligning language and making sure we have similar understanding when talking about CSIRTs.

Next, Dr Evgenios Bardis, Head of the National CSIRT of Cyprus, shared his experiences when using the SIM3/GCMF to establish CSIRT-CY in 2017. Next to its value with the establishment, the model continues to be very useful to maintain and improve their maturity, since it also gives the opportunity to measure and value the quality of work your CSIRT is doing at a later stage. Dr. Bardis advises each new teams to start working right away with SIM3/GCMF and the FIRST CSIRT Services Framework.

To highlight the importance of cooperation among CSIRTS, Mr. Omo Oaiya, Chief Strategy Officer of WACREN, the West and Central African Research and Education Network, was given the floor. WACREN is using SIM3 to support the development of CSIRTs in research and education and sees the SIM3/GCMF as a blue print for newest CSIRTS on what they need to do. Mr. Oaiya also spoke about including the SIM3/GCMG model the AfricaConnect3. Finally, Mr. Oaiya emphasized the essence of a multistakeholder approach and collaborative maturity development for the national and regional CSIRT communities to become effective.

Additionally, Mr. Don Stikvoort, briefly spoke about the EU Cyber4Dev projects that support countries from the “Global South” to develop or improve, amongst other things, their national CSIRTs. Here the SIM3 and GCMF are important building blocks, while aiming for a national multi-stakeholder approach.

The last speaker of this session, Ms. Nynke Stegink from NCSC-NL stressed that The Netherlands/TNO will continue to work on further enhancement of the GCMF. It will do so through finalizing a Phase 0 guideline that focuses on the first steps of establishing a national CSIRT capacity, so before the GCMF comes into play. Second, it will elaborate and refine the maturity profiles within the GCMF for national CSIRTS together with ENISA and the Open CSIRT Foundation. The Netherlands is also active in proof-of-concept implementation support and therefore willing to refine GFCE members’ need for help. Ms. Stegink encouraged anyone with questions to contact her (nynkestegink@ncsc.nl) and the GFCE Secretariat at (contact@thegfce.org).

At the end of the session, an interactive and fruitful discussion was started when participants were given the opportunity to raise questions to the speakers. In the coming weeks, follow-up on those questions will be done in separate communication threads.