terena logo
7 September 2010
Trusted Introducer service expands to include certification
Don Stikvoort (S-CURE) and Karel Vietsch (TERENA) sign the contract for the new Trusted Introducer certification service

In response to the needs expressed by its community, TERENA has expanded its Trusted Introducer service from a simple ‘accreditation’ process to include a more comprehensive and in-depth ‘certification’ of Computer Security Incident Response Teams (CSIRTs). By implementing this more stringent process, it is envisioned that stronger trust will develop between CSIRTs across different organisations, leading to more collaboration between them.

Many research and education networking organisations, commercial Internet service providers, telecommunications operators and governments have established CSIRTs to deal with network security incidents. TERENA’s Trusted Introducer service started 10 years ago with the goal of building a ‘web of trust’ between CSIRTs. Collaboration between trusted teams is very important because incidents often originate from outside the network that is affected.

Background

Over the years, additional service components were added to the Trusted Introducer portfolio, including closed meetings for accredited CSIRTs to exchange sensitive and confidential information about incidents and threats, a re-encrypting secure mail gateway and out-of-band alerting. Being ‘accredited’ means that a CSIRT has submitted documentation showing that it meets certain criteria set by the Trusted Introducer. This process gives accredited CSIRTs enough credibility to make them trustworthy to other CSIRTs.

However, accredited CSIRTs differ significantly in many ways, such as their size, services offered, professionalism of their organisation and processes, tools used and level of experience. Therefore, the fact that a CSIRT is accredited does not give other CSIRTs enough information about the support and expertise that can be expected when collaborating.

Certification overview

The need to measure accredited CSIRTs in this regard led to the recent creation of the Trusted Introducer ‘certification’ scheme. Accredited CSIRTs that have been assessed and have passed a strict qualification process are assigned the higher distinction “certified”.

From 1 September 2010, the Trusted Introducer certifies accredited CSIRTs using a ‘maturity model’, assigning a score from 0-4 on each of 45 parameters that are grouped in four categories: organisation, human, tools and processes. CSIRTs must obtain a pre-defined minimum score in order to become certified. They must also provide documentation and participate in an on-site workshop that investigates the CSIRT, offers coaching, consultancy and a final assessment. After successfully completing the process, a CSIRT can remain certified by maintaining the relevant information with the Trusted Introducer and by undergoing re-certification every three years.

The design of the new certification is mainly due to the work of Don Stikvoort (S-CURE), Klaus-Peter Kossakowski (PRESECURE) and members of a working group established by accredited CSIRTs: Serge Droz (SWITCH-CERT), Gorazd Božič (SI-CERT), Mirek Maj (CERT POLSKA) and Urpo Kaila (CERT-FI). The Trusted Introducer service is provided by S-CURE, an independent company specialising in advanced Internet community services like the Trusted Introducer, under contract to TERENA.

Further information

More about the Trusted Introducer service.

More about TERENA's Task Force on Computer Security Incident Response Teams, TF-CSIRT.