GFCE Cybersecurity Knowledge Modules

KM3 - Cyber diplomacy and international cooperation
Module objectives
1. Risks for international peace and cyber-stability
3 Topics
1.1 Cyber-attacks and geopolitics
1.2 Cyber as part of hybrid warfare
1.3 Cyber-armament
2. Towards an international agreement
4 Topics
2.1. Framework for responsible state behaviour in cyberspace
2.2. Applicability of international law
2.3. Norms, confidence building measures, and capacity building
2.4 Broader context
3. International cooperation
4 Topics
3.1. The United Nations
3.2. Other multilateral forums
3.3. Regional efforts
3.4. Multistakeholder efforts
4. Cyber diplomacy
5. Main takeaways
6. Assignment
1 Quiz
KM3 Quiz
KM4 - Cyber Incident Management
Module objectives
1. Introduction
2. Types of Cyber Incident Response Teams
5 Topics
2.1. National Computer Security Incident Response Team
2.2. Product Security Incident Response Team
2.3. Sector CSIRTs
2.4. Security Operation Centre
2.5. Commercial CSIRT
3. What needs to be considered when establishing a National CSIRT?
2 Topics
3.1. CIRT framework
3.2. How to set up CSIRT and SOC
4. How to assess cyber incident readiness
3 Topics
4.1. Security Incident Management Maturity Model (SIM3)
4.2. Security Operation Centre Capability and Maturity Model (SOC-CMM)
4.3. CSIRT Maturity – Self-assessment Tool
5. Which services do the CSIRTs offer?
2 Topics
5.1. FIRST CSIRT services framework
5.2. ITU-T Recommendation X.1060 service categories
6. Who does the CSIRT serve?
7. Which Tools does a CSIRT need?
8. Policies, frameworks, and guidelines
9. Resourcing and funding a CSIRT
1 Topic
9.1. What does a CSIRT Budget look like?
10. CSIRT capabilities
3 Topics
10.1. Training and certification
10.2. Auditing
10.3. Cyber drills
13. Main takeaways
14. Assignment
1 Quiz
KM4 Quiz
2 of 5
Previous Lesson
Next Lesson

6. Who does the CSIRT serve?

GFCE Cybersecurity Knowledge Modules 6. Who does the CSIRT serve?

A multistakeholder approach within a country and organisation is critical for the effective management of incidents.  The GFCE identifies the building of communities as a good practice that facilitates trusted information sharing and exchange of experience and knowledge.

Good practice: Build communities

A national CSIRT should invest time and continuous effort to build and maintain trust with its constituency and other stakeholders, both nationally and internationally. This can be achieved through constituency relationship management, targeted workshops, and joint exercises.

With cooperation and (relative) transparency, the CSIRT should strive to be a trustworthy, politically neutral, unbiased, and professional/technical partner in the national and international communities.

Reflection point

Using the ENISA Interactive Cybersecurity Institutional Map find out how actors in Europe are involved in functions within a community.

The constituent(s) of a CSIRT is the recipient or customer base of the CSIRT services. The team must, in its charters, mission statements, the concept of operations documents, or similar documents, clearly define its constituency. The team should understand its constituency so as to determine their needs, the assets they need to be protected, and what the interactions with the CSIRT would be.

Good practice: Establish the national CSIRT’s constituency, authority, and responsibility

The constituencies are the entities and communities for whom the CSIRT provides service and support.  The extent of the authority and responsibility of the CSIRT should be predetermined in its role and mandate.

There are different types of CSIRTs depending on the constituency served as indicated in Table 1 below:

SectorFocusTypical Constituents
Academic Sector CSIRTAcademic and educational institutions,such as universities or research facilities, and the campus Internet environments.University staff and students.
Commercial CSIRTCommercial services. This can be an independent organisation, an ISP, or managed services provider.Paying customers
CIP/CIIP Sector CSIRT
Critical Information Protection and/or Critical Information and Infrastructure Protection. This covers the IT of all critical sectors in a country.Government, critical sectors andcitizens.
Governmental Sector CSIRTThe government itself. Government agencies.
Internal CSIRT/Security Operation Centre (SOC)The hosting organisation itself. Internal staff and IT department.
Military Sector CSIRTMilitary organizations with responsibilitiesin IT infrastructure.Staff of military institutions and closelyrelated entities such as the Ministry
National CSIRT

National focus, considered as the centralsecurity point of contact.No direct constituents, although aNational CERT is sometimes combinedwith a Governmental CERT
Small & Medium Enterprises (SME) Sector CSIRTThis is a self-organised CSIRT to provideservices to its own business branch orsimilar user group.The SMEs and their staff
Vendor CSIRT/PSIRTVendor-specific products, usually to address vulnerabilities or advise onspecific attack mitigations.A common acronym is PSIRT, or Product Security Incident Response Team Product owners
Table 1: Types of CSIRTs and Constituents Source: ENISA A step-by-step approach on how to set up a CSIRT
Previous Lesson
Back to Course
Next Lesson

New post

Your email address will not be published. Required fields are marked *

Post a comment
Skip to content