De-Facto Standards for CSIRTs, PSIRTs and other security teams

Information Sharing Traffic Light Protocol (TLP)

Started in the community of governmental and national CERTs, this highly pragmatic set of rules for information sharing was adopted as a de facto standard by the European security and incident response community in 2009 [ISTLP v1.1].

Many years later, in 2016, FIRST made slight changes and published its own version 1.0. To have a globally accepted TLP and to avoid confusion among all teams involved, the TI Accredited teams adopted this as a standard for all information sharing.

RFC-2350

An internationally established fill-out form for CSIRTs and other security or cyber defense teams to state who they are and whom they serve, when and how they can be reached, what their services are, and how they handle and disclose information with due care.

Filling out and publishing RFC-2350 has been a MUST for TI Accredited teams since May 2009.

Security Incident Management Maturity Model (SIM3)

This model was developed to measure the maturity of an incident response or security team in four areas: organisation, human issues, tools and processes. It is used in support of the TI Certification framework but also for self-assessment of teams.

TI CSIRT Code of Practice (CCoP)

The first Code of Practice for CERTs and security teams was adopted by the TI Accredited teams as a recommendation in 2005. This was a first step towards making professional ethics explicit in the TI community, and as such a step in increasing a team's maturity [CCoP v2.1].

In 2017 an updated version 2.4 was presented by a working group and adopted by the TI Accredited teams. Its consideration by TI Accredited teams is recommended but optional.