[Bp_certs] About types of CERTs

Robin M. Ruefle rmr at cert.org
Thu Jul 31 11:28:59 EDT 2014


Andrew,

I think this sounds like a great start. You and I and Cristine volunteered to pull some of the great words that were being exchanged in these threads into some type of summary - for use in developing guidance, clarification, white paper - or whatever we think.

Do you think that this matrix is part of that work or do you see that as a separate effort?  It would certainly be more work, but I would still be interested to work on it.

We (CERT/CC) have been talking for a while about updating the CSIRT Services list we maintain: http://www.cert.org/incident-management/services.cfm

It was certainly not geared to National CSIRTs - and there are some obvious gaps.

Robin

-----Original Message-----
From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of Andrew Cormack
Sent: Thursday, July 31, 2014 3:37 AM
To: Patrik Fältström; Gaus
Cc: Rohana Palliyaguru; bp_certs at intgovforum.org
Subject: Re: [Bp_certs] About types of CERTs

If we're looking to provide assistance to Governments on what to do, how about a matrix of the main constituencies and the services each of them is most likely to need? Combine that with Aaron's list of possible constituency groups for "national" CERTs, and Patrik's links off to guidance on how to provide each service well (I strongly agree that's critical) and then I think you'd have a pretty good toolkit:

Here are the constituencies that you ought to be checking have CERT services
Here are the services that those constituencies are most likely to benefit from
Here is guidance on providing those services
Here are ideas on how you might group those constituencies

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No.2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238


> -----Original Message-----
> From: Bp_certs [mailto:bp_certs-bounces at intgovforum.org] On Behalf Of 
> Patrik Fältström
> Sent: 31 July 2014 08:26
> To: Gaus
> Cc: Rohana Palliyaguru; bp_certs at intgovforum.org
> Subject: Re: [Bp_certs] About types of CERTs
> 
> On 31 jul 2014, at 08:43, Damir Rajnovic <gausix at gmail.com> wrote:
> 
> > I would say that the government of a particular country designates who is
> > the national CERT. The government would simply point to a team and 
> > say "you are national CERT" and give them their marching orders. The 
> > government would then define who would be constituency and what 
> > services the national team would provide.
> >
> > Simple as that - they are created by fiat.
> 
> I think the point is that regardless of whether this happens or not, 
> if the "local community" do not trust the CERT or otherwise do believe 
> they do a good job, various parties will not share information with 
> them. Simply because of lack of trust.
> 
> This is why I say simply that when the CERT is defined, the
> products/services the CERT produces, and the customers/constituency, 
> then it is up to the constituency to decide whether the CERT is to 
> continue to operate. Only if the customers/constituency do believe 
> they save time and energy by sharing information with the CERT (by 
> getting things back) information will be shared.
> 
> A CERT will never survive longer term by forcing or mandating people
> to give information to the CERT.
> 
> And because of that, in many cases each country does not need a CERT for
> pure operational reasons for ISPs. Specifically in the cases where the 
> ISPs cover more than one country (like in areas of the planet like 
> Europe that have many countries).
> 
> Because of that, CERTs might not have as a goal to be a CERT for ISPs?
> Maybe they should be a help for, for example, public services and
> governmental agencies?
> 
> I.e. it all has to do with matching "the needs within the
> constituencies" with "products/services produced by the CERT".
> 
> If that matches, then the CERT is successful!
> 
> And exactly what and how the match is done varies -- a lot -- between
> the well-functioning CERTs that exist in the world.
> 
> Some of the more questionable CERTs I have met (I have never really
> worked for one, but interact with many) could not even answer the
> question: "What services do you provide for whom?".
> 
> That is for me a start. That each CERT defines what they do. Then in
> 2nd step they demonstrate they do it well.
> 
> 
> Now, where in this does the "national CERT" fit in? In some cases it 
> has to do with the CERT being the agency that has special protection by
> legislation (so that IF you give information to the CERT it does not
> end up being "open data"). In others that the providers of public
> e-services must report issues and incidents to them, in others that they
> directly get peers in other countries (regardless of what products 
> they provide), in others...well, "it all depends".
> 
> 
> One help for CERTs to be created I think is to create a list of 
> _possible_ services a CERT can provide, and then for each one of these 
> services a list of information and otherwise needs that exists to be 
> able to provide that service. Then new CERTs can pick from that list 
> of services, and they should be recommended to start by picking very 
> very few, but become darn good at them. Because, once again, the 
> importance is that no one else provides those services for the local community.
> 
>    Patrik

