De-Facto Standards for CSIRTs, PSIRTs and other security teams

Traffic Light Protocol (TLP)

Started in the community of governmental and national CERTs, this highly pragmatic set of rules for information sharing was adopted as a de facto standard by the European security and incident response community in 2009 [ISTLP v1.1].

Many years later, in 2016, FIRST made slight changes and published its own version 1.0. To have a globally accepted TLP and to avoid confusion for all teams involved, the TI Accredited teams adopted this as the standard for all information sharing [FIRST TLP v1.0].

In 2022 a FIRST Special Interest Group (SIG) adopted a new version [TLP v2.0]. The TI Accredited teams adopted this update as the standard for all information sharing in September 2022 during the Vilnius (LT) meeting.
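An added example, not code from this page, FIRST or TI, of what the version change means for a team automating its sharing: labels received from v1.0 senders are normalised to v2.0 (TLP:WHITE became TLP:CLEAR; TLP:AMBER+STRICT is new in v2.0), a recipient check follows the v2.0 audience rules, and material assembled from several sources keeps the strictest label. The audience names (named-recipient, own-organisation, own-clients, community, public) are this example's own vocabulary, not terms from the TLP documents.

```python
import re

# Constructed example for TLP label handling; not code from the page or from
# FIRST/Trusted Introducer. Label names follow FIRST TLP v1.0 and v2.0; the
# audience vocabulary below is this example's own.

# v1.0 colours renamed in v2.0.
V1_TO_V2 = {"WHITE": "CLEAR"}

# v2.0 labels, strictest first. The order is used when merging labels.
V2_ORDER = ["RED", "AMBER+STRICT", "AMBER", "GREEN", "CLEAR"]

# Who may receive information under each v2.0 label (summary of the v2.0
# rules, expressed with the audience names chosen for this example).
ALLOWED_AUDIENCE = {
    "RED": {"named-recipient"},
    "AMBER+STRICT": {"named-recipient", "own-organisation"},
    "AMBER": {"named-recipient", "own-organisation", "own-clients"},
    "GREEN": {"named-recipient", "own-organisation", "own-clients", "community"},
    "CLEAR": {"named-recipient", "own-organisation", "own-clients", "community", "public"},
}

_LABEL_RE = re.compile(r"^\s*TLP:\s*([A-Za-z]+(?:\+STRICT)?)\s*$", re.IGNORECASE)


def normalise(label: str) -> str:
    """Return the canonical TLP v2.0 form of a v1.0 or v2.0 label.

    'tlp:white' -> 'TLP:CLEAR', 'TLP:Amber+Strict' -> 'TLP:AMBER+STRICT'.
    Raises ValueError for anything that is not a known label.
    """
    m = _LABEL_RE.match(label)
    if not m:
        raise ValueError(f"not a TLP label: {label!r}")
    colour = m.group(1).upper()
    colour = V1_TO_V2.get(colour, colour)
    if colour not in V2_ORDER:
        raise ValueError(f"unknown TLP colour: {label!r}")
    return f"TLP:{colour}"


def may_share(label: str, audience: str) -> bool:
    """True if information carrying `label` may be passed to `audience`."""
    colour = normalise(label).split(":", 1)[1]
    if audience not in ALLOWED_AUDIENCE["CLEAR"]:
        raise ValueError(f"unknown audience: {audience!r}")
    return audience in ALLOWED_AUDIENCE[colour]


def most_restrictive(labels) -> str:
    """Label for material assembled from parts carrying different labels:
    the strictest one wins. Accepts a mix of v1.0 and v2.0 labels."""
    colours = [normalise(lbl).split(":", 1)[1] for lbl in labels]
    if not colours:
        raise ValueError("no labels given")
    return "TLP:" + min(colours, key=V2_ORDER.index)


if __name__ == "__main__":
    # Constructed incoming reports, as a team still on v1.0 might label them.
    reports = ["TLP:WHITE", "tlp:green", "TLP:AMBER"]
    print([normalise(r) for r in reports])              # ['TLP:CLEAR', 'TLP:GREEN', 'TLP:AMBER']
    print(most_restrictive(reports))                     # TLP:AMBER
    print(may_share("TLP:AMBER+STRICT", "own-clients"))  # False
```

Rejecting unknown colours rather than defaulting them is deliberate: a mistyped or foreign label should stop an automated forward, not silently become the most permissive one.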

RFC-2350

An internationally established template for CSIRTs and other security or cyber defence teams that states who they are and whom they serve, when and how they can be reached, what their services are, and how they handle and disclose information with due care.

Filling out and publishing RFC-2350 is a MUST for TI Accredited teams since May 2009.

CSIRT Services Framework

The CSIRT Services Framework maintained by FIRST provides a comprehensive list of services that CSIRTs may provide. It is not necessary for a CSIRT to provide all services, but every team will provide at least some of them. In this regard it replaces the CSIRT Services List published by CERT/CC and TI many years ago. (This document does not cover the activities of product security teams; those are described in the PSIRT Services Framework.)

Selecting the appropriate services and referring to them by a common name not only makes the information in a published RFC 2350 more useful; it also makes a team's offerings easier to understand and to discuss.

Security Incident Management Maturity Model (SIM3)

This model was developed to measure the maturity of an incident response or security team in four areas: organisation, human issues, tools and processes. It is used in support of the TI Certification framework, but also for self-assessment by teams.

TI CSIRT Code of Practice (CCoP v2.4)

The first Code of Practice for CERTs and security teams was adopted by the TI Accredited teams as a recommendation in 2005. This was a first step towards making professional ethics explicit in the TI community, and as such a step towards increasing a team's maturity [CCoP v2.1].

In 2017 an updated version 2.4 was presented by a working group and adopted by the TI Accredited teams. Adoption is recommended for TI Accredited teams but remains optional [CCoP v2.4].

Incident Taxonomy used as reference

Based on earlier work by Jimmy Arvidsson, the eCSIRT.net project defined a minimum incident taxonomy covering the technical type of any security incident. The taxonomy gained much interest, and some teams adopted it for their own, mostly internal, use.

Since 2017 there has been a productive discussion, also supported by ENISA, on using this taxonomy to improve team-to-team sharing, as well as on aligning it with the taxonomies used by law enforcement. This work resulted in the so-called "Reference Security Incident Taxonomy" (RSIT) [https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md], which is now used by many teams, especially in automation tools (the MISP RSIT taxonomy, RTIR and others) and for statistics.

Definitions

Capacity

[...] capacity is generally used to express the quantity of output(s) that can be delivered by a particular capability over a period of time, and in some cases with indication of the number of clients/requests that can be serviced concurrently, where relevant.

Source: https://www.first.org/education/csirt_services_framework#Capacity

Capability

A measurable activity that may be performed as part of an organization’s roles and responsibilities. [...] the capabilities can either be defined as the broader Services or as the requisite Functions.

Source: https://www.first.org/education/csirt_services_framework#Capability

Maturity

It is a level of proficiency attained either in executing specific functions or in an aggregate of functions or services. The maturity of an organization will be determined by the extent, quality of established policies and documentation, and the ability to execute a set process. The level of advancement in knowledge, skill and proficiency is measured against a defined reference model.

Source: https://www.first.org/education/csirt_services_framework#Maturity