On 12 June 2017, the European Union Agency for Network and Information Security (“ENISA“) published a new report which includes a comprehensive overview of parameters for Computer Security Incident Response Teams to assess their respective maturity. The EU Network and Information Security Directive (the “Cyber Security Directive“) creates a CSIRTs network “to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation”. Each Member State is required to designate one or more CSIRTs to comply with certain requirements in the directive (covering at least the sectors referred to in Annex II and the services referred to in Annex III) and responsible for risk and incident handling in accordance with a well-defined process.
The Cyber Security Directive gives high-level requirements that designated CSIRTs must observe, and tasks that they must perform. ENISA has carried out a considerable amount of work in respect of CSIRTs, particularly in clarifying its own role in helping CSIRTs to develop. ENISA states that this new practical guide will help CSIRTs to prepare better to protect their constituencies and improve team’s maturity.
The CSIRT maturity improvement process includes a survey with questions and answers for all the parameters of the commonly used SIM3 (Security Incident Management Maturity Model) model, which makes it considerably easier for any CSIRT team to self-assess their maturity in the terms of SIM3. The survey maps the proposed CSIRT maturity scale (with the steps basic, intermediate and certifiable), so that a team member that uses the survey can self-assess their maturity on that scale.
ENISA was established to support and facilitate cooperation between Member States in respect of information security and the Cyber Security Directive refers to ENISA facilitating the exchange of best practices, including by producing guidance in certain areas. The Guidelines were developed by taking into account input from Member States and companies directly affected by the directive. The Guidelines are expected to feed into the European Commission’s implementing act later this year which will further specify details regarding the incident notification process envisaged.
Click here for the full report “Study on CSIRT Maturity – Evaluation Process”.