[Bp_certs] About types of CERTs
Andrew Cormack
Andrew.Cormack at ja.net
Wed Jul 23 09:35:13 EDT 2014
Just to emphasise the importance of Patrik's steps 5 and 6. Don't start out as a brand new CERT expecting people to send you sensitive information; they won't.
First you have to demonstrate (a) that you can be trusted with information and (b) that you can do something useful with it. Then people may start to share with you, but it's likely to be a slow process. I tend to describe the trust-building process as:
1. I share a little bit of information with you

2. If that didn't make my world worse, I might share another little bit of information with you

3. If that made my world better, I'll probably share more information with you
So as a new CERT your first products to get steps 1-4 going should be based on information you already have (e.g. if you can monitor your own network and provide reports of what is happening there) plus what is available from public sources (e.g. translating advisories into local language, as JPCERT did).
Then you'll be welcomed as a useful and reliable member of the community.
Andrew
--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238
> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Patrik Fältström
> Sent: 16 July 2014 21:25
> To: Carlos M. Martinez
> Cc: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
>
> My personal view, after looking at a few "failed" CERT initiatives, is
> that whether a cert is successful or not depends completely (like any
> business) on whether parties external to the cert believe the cert
> delivers whatever the cert is supposed to deliver.
>
> I.e. the number one recommendation from me is always that the cert
> defines what "products" the cert is producing. What is the cert doing?
> What is it delivering, and to which customers?
>
> Given that certain products are to be delivered, the cert needs
> information. Only if the cert manages to gain trust (that it will
> deliver whatever it is to deliver) will external parties (peers)
> start to give it information.
>
> So, to conclude:
>
> 1. Define what the cert's role in the community is
>
> 2. Define what services / products the cert produces
>
> 3. Convince peers (2) is doable
>
> 4. Deliver (1) and (2)
>
> 5. Get data that makes delivery easier
>
> 6. By doing (4) gain more trust, and get more data (5), and continue a
> positive continuation
>
> Forcing people to work with a (national) cert will not work. If people
> have problems, they will, in my view, primarily talk with their vendor and
> the vendor support mechanism, which often is part of the cert
> structure.
>
> I.e. people talk with "national cert" if it helps them. Not if they are
> forced to.
>
> Patrik
>
>
> _______________________________________________
> Bp_certs mailing list
> Bp_certs at intgovforum.org
> http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org