This is the next step in the TI Team Maturity model, as the certification is meant for those TI Accredited teams who have internal and/or external reasons to have their maturity level gauged in an independent way.
A candidate for TI Certification is already a TI Accredited team in good standing - i.e. fulfilling their accreditation obligations for at least eight months, has two team representatives and updated their team data at least within the last four month. As the certification process is a lengthly process involving a on-site full-day workshop, the overall time period allowed is 12 month.
As there might be major changes within a team, every three years - if the team would like to retain it's status - a re-certification including a half-day workshop is necessary. It follows basically the same workflow, although it is expected to take only up to nine month.
Fees
The first certification fee is higher than the annual fee charged for the second and third year. The costs are the same for teams outside Europe, Middle East and Mediterranean Africa, but those teams are expected to cover the travel costs for the workshops which are a mandatory part of the process. Please take note, that a certification / re-certification - although it is charged annual - is valid for three years. While a team might choose to give up it's certification status, it is still liable to pay for a three year certication period:
- first year certification: EUR 1800 (VAT might apply)
- first year re-certification: EUR 800 (VAT might apply)
- second and third year re-/certification: EUR 800 (VAT might apply)
The SIM3 Model
To structure the assessment the SIM3 Model, which stands for Security Incident Management Maturity Model, is used. SIM3 describes 44 important and relevant parameters, divided in four categories:
- Organisation
- Human
- Tools
- Processes
Scoring for each category is on five levels, ranging from "0", which means it is not available, to "4", which means that the parameter is not only described - as on level "2" - and rubber-stamped - as on level "3" - but also part of an internal or external audit process. The actual certification gauging involves required specific and distinct minimum levels for each of the parameters.
When the certification succeeds, the team can show this to their constituents, to their funding bodies, to other parties or teams they want to cooperate with. The certified teams are and stay part of the community of TI Accredited teams - the certification is in fact extra branding, useful for all sorts of purposes in the team's future.
Related Materials
Useful material for this process is certainly the original document describing the certification framework which is nowadays maintained by the Open CSIRT Foundation:
- SIM3 - Security Incident Management Maturity Model: This Model was developed in support of measuring the maturity of a security or incident response team in terms of four areas: organisation, human issues, tools and processes. It is used in support of the TI Certification framework.
- SIM3 - TI Standard: For each parameter of the SIM3 Model (see above) the level that must be met to become "TI certified" is defined.
ENISA has tasked various studies to focus on maturity as critical success factor especially for national and government teams. Much of the conclusions and recommendations are applicable for other teams as well and therefore listed here for further reference:
- CSIRT Capabilities. How to assess maturity? Guidelines for national and governmental CSIRTs (published 11 January 2016): The SIM3 certification approach is described from two different perspectives: of the team that is preparing for the certification process on the one hand and of teams that have already undergone certification or recertification on the other.
- Challenges for National CSIRTs in Europe in 2016: Study on CSIRT Maturity (published 12 June 2017): The study takes all relevant information sources into account and based on the NIS Directive, other reports on CSIRT capabilities, maturity and metrics, recommends the use of the SIM3 maturity model for CSIRTs. The three-tier approach towards maturity levels that ENISA adopted can be used to define three levels (basic, intermediate and advanced) when adopting the model over time.
- CSIRT Maturity – Evaluation Process (published 12 June 2017): The primary target audience for the report is the EU CSIRTs network teams. But as the report describes a readily implementable and useable self-assessment survey and proposes a community based peer review methodology, it might be of interest for additional teams.
Since the interest in this certification framework has significantly increased, some tools have been developed:
- The "Open CSIRT Foundation" (OCF) offers a publicly available tool for a "SIM3 SelfAssessment"
- ENISA is supporting those teams especially, that build the backbone of the CSIRTs Network which has been established by the NIS Directive. Based on the SIM3 model a structured process to increase the team's maturity has been developed, consisting of three steps or phases: Basic, Intermediate and Advanced. Please note, that the minimum demand for "Advanced" is higher than the demand for the TI Certification. This is mostly related to the increased intrinsic requirements placed on the Mandate (O-1) or Authority (O-4). As those teams are mandated by law, higher maturity must be considered. A "CSIRT Maturity - Self-Assessment Survey" is available from the ENISA web site.
