Security Incident Management Maturity Model (SIM3)
Reference and copyright: OpenCSIRT.org
Maturity Model
The maturity model is built on three basic elements:
- Maturity Parameters
- Maturity Categories
- Maturity Levels
The Maturity Parameters are the elements that are measured in regard to maturity. Over 40 parameters exist and each parameter is described in detail in the assessment tool.
Each Parameter belongs to one of four Categories of Parameters:
- O - Organisation
- H - Human
- T - Tools
- P - Processes
What we really measure are the Levels for each Parameter. A desirable simplicity of the SIM3 has been achieved by specifying a unique set of Levels, valid for all of the Parameters in all of the Categories:
- 0 = not available / undefined / unaware
- 1 = implicit (known/considered but not written down, 'between the ears')
- 2 = explicit, internal (written down but not formalised in any way)
- 3 = explicit, formalised on authority of the CSIRT head or above (rubberstamped or published)
- 4 = explicit, audited on authority of governance levels above the CSIRT head (subject to control process/audit/enforcement)
Maturity Categories
Organisation
With Organisation we refer to the ensemble of humans, resources, tools and infrastructures that work together in a planned manner. The objectives or aims of an organisation are directed by a set of specific strategic goals. As SIM3 focuses on the maturity of the management of security incidents, we need to distinguish between on the one hand strategic goals of the whole organisation, and on the other hand the (service) specific strategic goals related to that part of the organisation, that manages security incidents - commonly referred to as 'CSIRT'. The following 'O' Parameters are about the mandate, setup and services of that CSIRT, and the framework connecting all organisational aspects.
Humans
With Humans we refer to the people working together to provide the services described in the Organisation area and satisfy the mandate. All people contributing to the goals of the (CSIRT) organisation that manages security incidents require a technical and/or management oriented education with considerable on-the-job training, plus additional training for more detailed expertise like malware analysis or forensics. The 'H' Parameters in this area are about the factors of importance in regard to the most important factor in any CSIRT: the human 'capital' of the people working there.
Tools
With Tools we refer to the collection of programs, applications, services, instruments and even simple pieces of equipment that are used by the personnel we discussed in the Humans area to reach the objectives and offer the services defined in the Organisation area. We specifically mean those tools that enable or improve the management of security incidents: improving it time-wise, quality-wise, and/or with higher granularity, i.e. 'seeing' incidents that may before have gone unnoticed.
Processes
With Processes we refer to logically sequenced sets of actions which are carried out by humans (Human area) or automated tools (Tools area) in order to achieve a specific result (defined in the Organisation area). All processes can be characterised by a number of attributes. By applying such attributes we can also determine how successful a particular process is (in getting the job done) or how successful a particular organisation is in providing a service (as in getting this process right all the time). In mature organisations processes are documented, measurable and repeatable. To be able to grow and improve the effectiveness of an organisation it is also important to build processes that are adaptable. Here, we specifically talk about those processes that support the management of incidents and any other services the CSIRT offers - and we adopt the term 'processes' in the broadest meaning of the word, so that in this Processes area you will also find processes that might sometimes be labeled 'policy' or otherwise.