From 860c04a34579282f192d61a591634cb7ea5dd4b1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 16 Jan 2017 11:42:12 +0100 Subject: [PATCH] First draft of the Information Sharing Maturity Model --- ...1-16-Information-Sharing-Maturity-Model.md | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 _posts/2017-01-16-Information-Sharing-Maturity-Model.md diff --git a/_posts/2017-01-16-Information-Sharing-Maturity-Model.md b/_posts/2017-01-16-Information-Sharing-Maturity-Model.md new file mode 100644 index 0000000..6fa2129 --- /dev/null +++ b/_posts/2017-01-16-Information-Sharing-Maturity-Model.md @@ -0,0 +1,47 @@ +--- +title: Information Sharing Maturity Model +layout: post +featured: /assets/images/misp-small.png +--- + +At MISP project, we are practical. We do software (from MISP core to MISP workbench, data models (from taxonomy, warning-lists, galaxies and practical standards) to solve our problems with information sharing and improve the state of the information shared. If we lack something, we build it. + +Various information sharing communities are relying on MISP core to support the sharing of cybersecurity indicators, fraud information, incidents or even threat-actor details. We received interesting feedback of organisations wanting to know the maturity of a specific sharing partner while they are on their sharing community. + +So we were wondering whether we could build something that solves the above issue using the information shared within a sharing community relying on MISP. We therefore took our favourite tools and designed a simple maturity model based on real information available in a sharing community. + +The sharing model is based on 3 different scoring types, L which stands for minimal access requirement to have an operative access to your MISP sharing community, C which are the different contributions that an organisation can do in the community and EC which are external contributors to the MISP project community providing an independent score. + +Community maturity level (if(L)(SUM(C))) which is the score of an organisation based on the contribution within a specific community. This score can be calculated on a each instance/community. + +The community maturity level of an organisation can remain private to a community or shared with the community at large depending of the instance configuration. + +Global MISP project contribution score (SUM(EC)) which is the score calculated from the MISP project contributions of an organisation. This score is calculated globally by the MISP project. + +# Information sharing maturity level (ISML) + +The Information Sharing Maturity Level (ISML) is calculated from the sum of values which can be extracted automatically from the MISP instance holding the access to a sharing community. Each value is independent from each others meaning that depending of the information sharing practices of an organisation, a maturity level can be calculated. The maturity level can be represented by a simple vector to show the gap or the current practices and capabilities of an organisation (e.g. an organisation only consuming information via the API has a specific capability which can be rated). As previously stated, this information can be kept privately in a specific sharing community or shared globaly. + +- L1 Have access to a MISP instance accessing a community, have at least one user with an encryption key and receive encrypted notification. (M) +- C1 (L1) Contributing via proposals or discussions at least once a year. (M) +- C2 (L1) Actively contributing proposals to recent events. (M) +- C3 (L1) Adding events at least once a year. (M) +- C4 (L1) Adding events at least once a month. (M) +- C5 (L1) Regularly (at least one per week) posting events with adequate classification. (M) +- C6 (L1) Using the API. (M) +- C7 (L1) Complex API usage. (M) +- C8 (L1) Having their own MISP instance. (M) +- C9 (L1) Having own and connected MISP instance. (M) +- C10 (L1) Running their own connected sharing communities. +- C11 (L1) Ensuring best security practices when sharing information. + +The aim behind this scores is to help organisations contributing **to know where they are, what they can still do to improve their practices and to fully benefit from information sharing**. + +## Global MISP project contribution score + + +- EC1 Contributing to taxonomies. (M) +- EC2 Contributing to warning-lists. (M) +- EC3 Contributing to galaxy. (M) +- EC4 Contributing to modules. (M) +- EC5 Contributing to MISP core. (M)