CSIRT Services
Introduction to CSIRT services
This section describes the typical types of services a CSIRT can offer to its constituents. It describes how to determine what kind of services your customers want and what you can deliver. Mind you, customers really want a steady, high-quality service and expect that you will deliver it from the start. Trust arrives on foot and leaves on horseback!
Results of the GOVCERT.NL project
What kind of services can we deliver?
It was essential to think things through. We worked out our CSIRT as a paper exercise. We started with an implementation assessment incorporating the following subjects:
- Environment analysis
- Risk assessment
- Mission, vision, products and services
- Products and services to deliver to target group
- Organisation
- Financial aspects
As explained in the 'Setting up a CSIRT' section, there are different kinds of CSIRTs with different responsibilities, funding structures, types of constituents, etc. First investigate what kind of CSIRT you are and what your environment consists of. Then focus on the services that you and your CSIRT can deliver to your constituents and plan how to expand them.
Illustration: Comparison of CSIRT types
In the beginning we talked to our pilot customers to find out what services they needed most and which we could deliver right away. Our constituents all had a 'security officer' function that was the central person dealing with ICT security and most had a direct link into the ICT management organisation. It was already a sort of distribution function. They also wanted to gain management support for their important role so that they could explain to them why changes were needed. Furthermore, they needed support to implement information management and some like-minded people to fight for them within the government.
After listening to their story and making a product catalogue and a contract, we could deliver our services. In the end, we as GOVCERT.NL focused on setting up the following services:
- Advisories
- Incident Handling
- Security scan
- Knowledge base
- Website
- Forums: technical, policy and national
- Cyber crime manual
- Yearly symposium
Illustration: Services from Govcert.nl and de Waarschuwingsdienst
We understood from the beginning that it was impossible to define the exact goals beforehand. It was essential to start a pilot with three constituents and define products "on the fly" and get direct feedback from future constituents. Afterwards, we could look back and re-engineer the content of the goals of GOVCERT.NL.
Tips for CSIRT services
- Environment analysis
  - Know the needs of your constituents, share information, be quick and accurate and deliver high-quality services.
  - Be and remain a trustworthy partner in the ICT security business
  - Start an awareness campaign
  - Make contact with the international CSIRT community
- Risk assessment
  - 1.24 Products do not fulfil the needs of the constituents
  - 1.25 In the start-up period (before becoming operational) there could be a high-impact incident (virus, worm, attack) with a lot of attention, and questions could arise as to what GOVCERT.NL did to prevent it.
  - 1.26 There are a lot of different ways of, and definitions for, working with ICT security.
  - 1.27 Protect the information collected at all times.
- Mission, vision, products and services
  - Have a clear mission at the beginning of the project: "We do what we promise" and a more business-focused vision: "prevention of ICT-incidents for the government while supporting and offering solutions". We now work with a slightly different one: "Offer support to Dutch government, population and SMEs on the prevention and response to ICT-related Security Incidents".
- Products and services to deliver to target group
  - It is highly advisable to have a clear focus on what you can and want to deliver to your constituents. It is also very important to know your constituents. Know their needs and start with pilots to ease into working together.
Helpful information