[Bp_certs] About types of CERTs

Andrew Cormack Andrew.Cormack at ja.net
Thu Jul 31 03:29:30 EDT 2014


The EU Parliament seems to be going for a variant of that in its proposed amendments to the draft Network and Information Security Directive. That now says, essentially:

*) Governments are responsible for nominating a point of contact
*) Governments are responsible for ensuring that designated critical infrastructures have access to CERT services

However, the number of CERTs and how they interact with the PoC are explicitly left to each country to work out.

There is still political debate about whether public sector networks (government, health, etc.) should be included as one of the infrastructures to be covered; the current draft seems to think that they already have better provision than the infrastructures run by the private sector.

And services to the public (from connectivity to blogs and social networks) have been removed from "critical" in the most recent proposal. The only thing still left in is Internet exchanges.

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments


> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Damir Rajnovic
> Sent: 31 July 2014 07:43
> To: Rohana Palliyaguru
> Cc: bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> Hi Rohana,
> 
> I would say that the government of a particular country designates
> who is the national CERT. The government would simply point
> to a team and say "you are the national CERT" and give them their
> marching orders. The government would then define who would be the
> constituency and what services the national team would provide.
> 
> Simple as that - they are created by fiat.
> 
> Gaus
> 
> 
> 
> On Thu, Jul 31, 2014 at 10:44:48AM +0530, Rohana Palliyaguru wrote:
> > Dear all,
> >
> > In this discussion we have considered several key factors when
> > defining "National CERT". I tried to summarize them as follows...
> >
> > 1. By means of constituency
> >
> > The constituency of the National CERT will be the public sector,
> > private sector and the general public. But it does not mean that the
> > "National CERT" can resolve all their problems. There can be CERTs
> > targeting a specific constituency (e.g. ISPs, banks, etc.).
> >
> > OR
> >
> > Whose constituency is networks/organizations/assets of national
> > importance, which also does not mean that it can resolve all of their
> > problems.
> >
> > In this case there may be several National CERTs, which will
> > contradict 3 below (By means of POC).
> >
> > 2. By means of Product
> >
> > What is the CERT producing? What are their services? Who is the
> > constituency for those services? Whether they are being trusted by
> > their constituency for their services, etc., matters for this
> > definition.
> >
> > In this case also there may be several National CERTs, which will
> > contradict 3 below (By means of POC).
> >
> > 3. By means of POC
> >
> > National CERT would be the national POC of that particular country. As
> > Cristine said:
> >
> > "There is no right or wrong about who hosts a National CSIRT, or
> > which services it should provide. Each country will need to identify
> > what works best in its case, as well as consider other issues like
> > services, funding, local internet governance structure and cultural
> > issues, among other factors that might impact the decision."
> >
> > The national POC will coordinate with all other CERTs/CSIRTs in that
> > country to resolve the issues related to their country whenever
> > required. The very first contact point for that country may be their
> > National CERT. But it does not mean that anybody cannot contact any
> > other CERT/organization in that country if they require their help.
> >
> > The problem here is who defines the National CERT (POC) of a
> > particular country? Is it by the government OR by any other body?
> >
> > If we can have a combination of the above definitions to define
> > "National CERT" it would be ideal.
> >
> >
> > regards,
> >
> > --
> > Rohana Palliyaguru
> > Manager Operations & Principal Information Security Engineer
> > Sri Lanka CERT|CC
> > Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
> > Tel : +94 112 691 692      Fax: +94 112 691 064
> > e-mail: rohana at cert.gov.lk   Website: www.cert.gov.lk
> >
> 
> > _______________________________________________
> > Bp_certs mailing list
> > Bp_certs at intgovforum.org
> > http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
> 
> 
> ==============
> Damir Rajnovic <gausix at gmail.com>
> Telephone: +44 7825 049 500
> ==============
> There are no insolvable problems.
> The question is can you accept the solution?
> 
> 
> Incident Response and Product Security
> http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644
> 
> 