De-Facto Standards for CSIRTs, PSIRTs and other security teams

Information Sharing Traffic Light Protocol (FIRST TLP v1.0)

Started in the community of governmental and national CERTs, this highly pragmatical set of rules for information sharing has been adopted as de facto standard by the European security and incident response community in 2009 [ISTLP v1.1].

Many years later in 2016 FIRST made slight changes and published it's own version 1.0. To have a globally accepted TLP and to avoid irritations for all teams involved, the TI Accredited teams adopted this as a standard for all information sharing [FIRST TLP v1.0].


Internationally established fill-out form for CSIRTs and other security or cyber defense teams to basically state who they are and who they serve, when and how they can be reached, what their services are and how they handle and disclose information with due care.

Filling out and publishing RFC-2350 is a MUST for TI Accredited teams since May 2009.

Security Incident Management Maturity Model (SIM3)

This Model was developed in support of measuring the maturity of a incident response or security team in terms of four areas: organisation, human issues, tools and processes. It is used in support of the TI Certification framework but also for self-assessment of teams.

TI CSIRT Code of Practice (CCoP v2.4)

The first Code of Practice for CERTs and security teams was adopted by the TI Accredited teams as recommendation in 2005. This was a first step towards making professional ethics explicit in the TI community, and as such a step in increasing a team's maturity [CCoP v2.1].

In 2017 an updated version 2.4 was presented by a working group and adopted by the TI Accredited teams. The consideration by TI Accredited teams is recommended, but optional [CCoP v2.4]. Incident Taxonomy

Based on earlier work by Jimmy Arvidsson the project defined a minimum incident taxonomy covering the technical type of any security incident. The taxonomy has gained much interest and some teams adopted it for their own, mostly internal, use. Since 2017 there is a good discussion also supported by ENISA to make use of this taxonomy to improve team-to-team sharing and maybe even allow useful technical statistics. Further work is needed to prepare for a more robust maintenance of the taxonomy itself and help implementers of trouble-ticket-systems or automatic sharing systems to make use of it.


TI Self-Service
For Team Reps & Associates