[Bp_certs] About types of CERTs

Thu Jul 31 03:54:42 EDT 2014

Hi Gaus,

Your intervention is quite inspiring!
Thanks very much for the clarification. We understand that the CERT is not in the name but in the content and that the legitimacy of it depends on the output.

Thanks again and "bonjour" from Cameroon

Kind regards

_______________________________
ASAMA  A. EXCEL
Netsquared/Techsoup Ambassador-Africa
Founding President, I-Vission International. 
Box 13040, DOUALA-CAMEROON
Tel: (+237) 76 14 26 23
My blog: www.excelasama.wordpress.com
Website:  www.ivission.net

Photos Album: www.flickr.com/ivission
Twitter: www.twitter.com/ivission

Le Jeudi 31 juillet 2014 9h37, Andrew Cormack <Andrew.Cormack at ja.net> a écrit :

If we're looking to provide assistance to Governments on what to do, how about a matrix of the main constituencies and the services each of them is most likely to need? Combine that with Aaron's list of possible constituency groups for "national" CERTs, and Patrik's links off to guidance on how to provide each service well (I strongly agree that's critical) and then I think you'd have a pretty good toolkit:

Here are the constituencies that you ought to be checking have CERT services
Here are the services that those constituencies are most likely to benefit from
Here is guidance on providing those services
Here are ideas on how you might group those constituencies

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of
> Patrik Fältström
> Sent: 31 July 2014 08:26
> To: Gaus
> Cc: Rohana Palliyaguru; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> On 31 jul 2014, at 08:43, Damir Rajnovic <gausix at gmail.com> wrote:
> 
> > I would say that government of a particular country designate
> > who is the national CERT. The government would simply point
> > to a team and say "you are national CERT" and give them their
> > marching orders. The government would then define who would be
> > constituency and what services the national team would provide.
> >
> > Simply as that - they are created by fiat.
> 
> I think the point is that regardless of whether this happens or not, if
> the "local community" do not trust the CERT or otherwise do believe
> they do a good job, various parties will not share information with
> them. Simply because of lack of trust.
> 
> This is why I say simply that when the cert is defined, the
> products/services the CERT produces, and the customers/constituency,
> then it is up to the constituency to decide whether the CERT is to
> continue to operate. Only if the customers/constituency do believe they
> save time and energy by sharing information with the CERT (by getting
> things back) information will be shared.
> 
> A CERT will never longer term survive by forcing or mandating people to
> give information to the CERT.
> 
> And because of that, in many cases each country do not need a CERT for
> pure operational reasons for ISPs. Specifically in the cases where the
> ISPs cover more than one country (like in areas of the planet like
> Europe that have many countries).
> 
> Because of that, CERTs might not have as a goal to be a CERT for ISPs?
> Maybe they should be a help for for example public services and
> governmental agencies?
> 
> I.e. it all have to do with matching "the needs within the
> constituencies" with "products/services produced by the CERT".
> 
> If that matches, then the CERT is successful!
> 
> And exactly what and how the match is done varies -- a lot -- between
> the well functioning CERTS that exists in the world.
> 
> Some of the more questionable CERTS I have met (I have never really
> worked for one, but interact with many) could not even answer the
> question: "What services do you provide for whom?".
> 
> That is for me a start. That each CERT define what they do. Then in 2nd
> step they demonstrate they do it well.
> 
> 
> Now, where in this does the "national CERT" fit in? In some cases it
> has to do with the CERT be the agency that have special protection by
> legislation (so that IF you give information to the CERT it does not
> end up being "open data"). In others that the providers of public e-
> services must report issues and incidents to them, in others that they
> directly get peers in other countries (regardless of what products they
> provide), in others...well, "it all depends".
> 
> 
> One help for CERTs to be created I think is to create a list of
> _possible_ services a CERT can provide, and then for each one of these
> services a list of information and otherwise needs that exists to be
> able to provide that service. Then new CERTs can pick from that list of
> services, and they should be recommended to start by picking very very
> few, but become darn good at them. Because, once again, the importance
> is that no one else provide those services for the local community.
> 
>    Patrik

_______________________________________________
Bp_certs mailing list
Bp_certs at intgovforum.org
http://mail.intgovforum.org/mailman/listinfo/bp_certs_intgovforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://intgovforum.org/pipermail/bp_certs_intgovforum.org/attachments/20140731/f7e2fe8d/attachment.htm>