CSIRT Metrics (Metrics SIG)

Objectives

As FIRST moves towards its 20th anniversary (in 2008), it is an indication that the discipline of computer security incident response has moved into a more mature phase of development. Although there are still many new teams starting, existing teams are now focused on increasing responsiveness and improving effectiveness.

Just as other areas and communities (such as business, finance, and government) look for quantitative methods for benchmarking their operations and measuring success, there is an emerging need for similar mechanisms in the incident management community. Such mechanisms will need to identify specific baselines for effective performance and provide methods for measuring operational capabilities against such baselines or models.

The baselines will help identify requirements, components, services, and processes for successful incident management. The measurements will help identify a capability's product and service gaps, along with its strengths and weaknesses compared to the baseline or model.

Mechanisms will also be needed to help plan a path of improvement, so that teams are not only able to identify and understand their current state, but can define their desired state and an improvement plan to reach that state.

Knowing that information can help to identify risks to the team's mission success, determine a strategy for change and improvement, and ultimately improve the overall security posture of the organization.


The scope of this Metrics SIG will be to bring together interested members of the FIRST community to discuss and identify approaches for evaluating CSIRT and incident management practices within an organization. The work of this SIG will focus on determining further refinements for best practices for CSIRTs (e.g., building off existing metrics work, FIRST materials, ISO 17799, ITIL, NIST, etc.), defining measures for effectiveness, identifying appropriate performance metrics, and determining appropriate approaches for evaluating systems.


During the initial meeting of this SIG, the scope of this work will be discussed, a more detailed Charter will be defined, and a set of specific goals and actions will be identified. One ultimate goal of this work is to build products that any organization with a CSIRT or incident management capability can use to evaluate and assess that capability.


Expected/Targeted members

  • FIRST members who are seeking approaches for benchmarking and/or improving their CSIRT processes to provide effective incident management practices.
  • FIRST members who are interested and willing to help refine, align, and test metrics, as well as to suggest additional improvements for standardizing CSIRT practices within the community.
  • Any CSIRT seeking to improve its incident management capabilities.


Chair

Georgia Killcrece (CERT/CC, CSIRT Development Team)