SIM3: Security Incident Management Maturity Model

The topic here is the Maturity of Security Incident Management (SIM) rather than just “CSIRT”, which by virtue of the name is primarily about “response”. SIM has four major pillars:

  • Prevention
  • Detection
  • Resolution
  • Quality control & feedback

The primary scope here is IT & information security incidents: incidents that are limited to computers, network appliances, networks and the information therein and conveyed thereon. One can however extend this scope, or narrow it down, often with no significant consequences for the model.

For reasons of word economy, the term “CSIRT” is used here to describe any SIM capability to which SIM3 is applied, whether team, service or function. “ISIMC” – Information Security Incident Management Capability – is really a better word than “CSIRT”, but the latter is widely known and therefore already rings all the right bells. The term “CSIRT” is identical to the older name “CERT”, which is also commonly used. However, those who actually want to adopt “CERT” in their name are advised to seek consent of the CERT Coordination Center (CERT/CC), as CERT is a trademark owned by Carnegie Mellon University, Pittsburgh, in the USA.