4.10. De facto standards

De facto standards are adopted, recognised, and widely used by the industry and its customers, and are not officially approved by the SDOs.  

There are de facto standards for security teams including Cybersecurity Security Incident Response Teams (CSIRTs) and Product Security Incident Response Teams (PSIRTs).  These include:

• Information Sharing Traffic Light Protocol (FIRST TLP v1.0)

This standard provides a highly pragmatic and globally accepted set of rules for information sharing. The standard is adopted by TI Accredited teams for all information sharing.

• RFC-2350

Using the template or form in this standard, a CSIRT can communicate to its constituents the services it offers, its policy and procedures,  and team’s expectations of the team of its constituents.  Since May 2009, filling out and publishing RFC-2350 is mandatory for TI Accredited teams.

• CSIRT Services Framework

FIRST, with support from the Task Force CSIRT (TF-CSIRT) Community, and the International Telecommunications Union (ITU), maintains the CSIRT Services Framework. The framework provides a comprehensive list of services that the CSIRTs could potentially provide to its constituents.

• Security Incident Management Maturity Model (SIM3)

SIM3 supports the measurement of maturity of an incident response or security team, based on four areas: organisation, human issues, tools, and processes. The model supports the TI Certification framework and is used in self-assessment of teams. 

• TI CSIRT Code of Practice (CCoP v2.4)

The code provides guidance on cooperation, legal, informational, and vulnerability handling requirements. The use of the TI CSIRT Code of Practice is recommended, but optional for TI Accredited teams 

• eCSIRT.net Incident Taxonomy

The taxonomy provides a classification of security incidents and examples, as well as a description/explanation. Further work is needed to maintain the taxonomy and assist implementers of trouble-ticket-systems or automatic sharing systems to make use of it.