
SOC-CMM for CERT (beta version)
#2
Rob,

Looking forward to the official release later in the year, and I think this is a solid first release! Here are some comments I jotted down by section/tab after a few passes through:

Process - MGT
- Suggest adding Remarks to ensure the CERT management process includes criteria (e.g. event escalation, incident declaration, incident escalation) and that those criteria are continuously re-evaluated based on lessons learned from incidents and exercises. This could also be referenced in the Services - SIM section 1.3.4/Decision Tree and Preparation, but I believe it is worth calling out within the CERT Management section.

Process - SCE
- Suggest assessing the % coverage or completeness of testing and exercising of scenarios, to ensure they are realistic and provide tactical familiarity during an incident.

Services - SIM
- Consider adding a Major security incident definition to section 1.3, as many organizations are required to have a major distinction with different reporting requirements.
- Related to 1.15.27 and 1.15.28, it is important to test both the backup communication technology and the secure communication channel capabilities regularly, to make sure folks are familiar with the technology (including logging into their accounts) when the time crunch of an incident strikes. This could be considered for the Remarks in those items.
- In Post-Incident 1.15.58, consider adding remarks to include a process to communicate lessons learned that apply outside the CERT (e.g. web application coding practices) to Risk Management documents/tracking (e.g. POA&M or Risk Register) as part of extraction.

I'll continue to research and let you know if I have other comments.

Additionally, I ran a gap analysis using the CMU SEI Incident Management Capability Assessment document (https://resources.sei.cmu.edu/asset_files/TechnicalReport/2018_005_001_538866.pdf) earlier this year. It includes mapping to NIST and could be useful down the road to cross-reference.

Thanks,
Kyle


Messages In This Thread
SOC-CMM for CERT (beta version) - by robvanos - 09-06-2019, 08:06 AM
RE: SOC-CMM for CERT - by kvillano - 09-07-2019, 12:18 PM
RE: SOC-CMM for CERT - by robvanos - 09-11-2019, 11:50 AM
RE: SOC-CMM for CERT - by robvanos - 02-18-2020, 08:36 AM
