SOC-CMM forum

Full Version: SOC-CMM for CERT
I'm happy to announce the release of the SOC-CMM for CERT, a version of the SOC-CMM specific for incident response teams. Earlier this year, I did a presentation at FIRST.ORG TC on the SOC-CMM. FIRST has expressed interest in the SOC-CMM, especially if it could be made more specific for CERT teams. I have been working on a version of the SOC-CMM that aims at measuring capability maturity in CERT teams. I've used the original SOC-CMM (version 2.1) as a starting point, and combined it with information from various other sources such as NIST SP800-61r2, the CREST incident response handbook, the SIM3 model and the GMU CSIRT social maturity handbook. The result is an assessment tool that allows for in-depth analysis of your CERT team. Some of the improvements made will eventually be integrated into the SOC-CMM.

Some of the major differences between the regular SOC-CMM and this version are:

- General: All questions rephrased to focus on CERT
- Business: 'privacy' updated to more generic 'laws and regulations'
- Process: use cases changed to scenarios
- People: different set of roles, added team and multi-team management
- Technology: added incident tracking system, removed SIEM, IDPS and big data analytics
- Service: removed all services, except for security incident management. Added many capabilities to the list and grouped these capabilities in logical groups

Suggestions for improvement can be made as replies to this post or via any other way. I will make it an official release towards the end of the year after I've processed your comments and suggestions. I'm looking forward to hearing your opinion.

Rob,

Looking forward to the official release later in the year and think this is a solid first release! Here's some comments I jotted down by section/tab after a few passes through:

Process - MGT
- Suggest adding Remarks to ensure the CERT management process includes criteria (e.g. event escalation, incident declaration, incident escalation) and that those criteria are continuously re-evaluated based on lessons learned from incidents and exercises. This could also be referenced in Services - SIM section 1.3.4/Decision Tree and Preparation, but I believe it is worth calling out within the CERT Management section.

Process - SCE
- Suggest assessing the % coverage or completeness of testing and exercising of scenarios, to ensure they are realistic and to build tactical familiarity for use during an incident.

Services - SIM
- Consider adding a major security incident definition to section 1.3, as many organizations are required to have a "major" distinction with different reporting requirements
- Related to 1.15.27 and 1.15.28, it is important to test both the backup communication technology and the secure communication channel capabilities regularly, to make sure folks are familiar with the technology (including logging into their accounts) when the time crunch of an incident strikes. This could be considered for the Remarks in those items.
- In Post-Incident 1.15.58, consider adding remarks to include a process for communicating lessons learned that apply outside the CERT (e.g. web application coding practices) to Risk Management documents/tracking (e.g. POA&M or Risk Register) as part of extraction

I'll continue to research and let you know if I have other comments.

Additionally, I ran a gap analysis using the CMU SEI Incident Management Capability Assessment document (https://resources.sei.cmu.edu/asset_file...538866.pdf) earlier this year. It includes a mapping to NIST and could be useful down the road for cross-referencing.

Thanks,
Kyle

Hi Kyle,

Thanks for your comments and valuable feedback. I will take these notes into account for the final release of the SOC-CMM for CERT.

Regards,
Rob.