The cyber attacks of recent years have confirmed that cybersecurity is an increasingly complex challenge and a priority for all companies, in terms of both development and investment.
In this context, CERTs play a central role in the security perimeter of their own company, and even more so in national scenarios. Computer Emergency Response Teams are among the main protagonists and the first line of defense in cybersecurity: they identify, prevent, respond to, resolve and fight every type of IT incident to protect national and corporate interests.
For these reasons, GCSEC has decided to develop a self-assessment tool that helps assess the maturity level of CERTs and of the services they provide to their Constituency, so that they can better face these complex tasks.
The tool was developed according to the Capability Maturity Model defined by the Open CSIRT Foundation (SIM3) and implemented by ENISA. The model classifies CERT maturity through a self-assessment of 44 questions organized around 4 fundamental guidelines: Organization, Human, Tool and Processes. Once the self-assessment is completed, the overall maturity of the CERT is assigned to one of four main levels: non-basic, basic, intermediate or advanced.
CERTrating provides one questionnaire, faithful to the SIM3 Model of the Open CSIRT Foundation, for the entire CERT, and a further 14 customized questionnaires for its services.
Each of the 14 CERT services defined by ENISA has its own dedicated questionnaire, based on the model and metrics of the SIM3 Capability Maturity Model of the Open CSIRT Foundation as implemented by ENISA and customized for that service. After the CERT and service self-assessment surveys have been answered, CERTrating also returns the so-called “Custom” maturity of the CERT. The “applied maturity” differs from the SIM3 Model maturity and from the ENISA maturity because it considers both the maturity of each individual service and the role each service plays in achieving the Constituency’s goals.
The platform is completely customizable. CERTrating lets you enter the name of your CERT and company, add its logo, select the services provided by your CERT and assign each its relative weight, and create user accounts specific to each service. You can also modify completed surveys at any time to keep your maturity level constantly up to date.
The tool includes a dashboard and specific reports for top management that provide a view of the maturity level of the CERT and its services once you have completed the dedicated surveys. The reporting section offers a graphical view of the maturity level of the CERT and its services, the maturity trend over time, the history of all assessments made for the CERT and its services, and the average obtained by your CERT compared to other Italian CERTs.
In addition, CERTrating offers advice and actions to take for your CERT and its services to reach the maturity level immediately above your current one and the Optimal maturity level.
From the following two links you can directly reach the CERTrating tool: