An organization’s incident response process must aim for continual improvement. It cannot achieve perfectness in its incident response right from the day it gets implemented. Acquiring knowledge, gaining expertise, and reaching maturity require efforts, time, training, and a substantial amount of practice. Incident response is not a single achievement for your security operations. As attackers continue to evolve their tactics, techniques, and procedures (TTPs), a static incident response plan may become inefficient in a few months. Considering the risks posed by modern-day threats, many organizations establish a dedicated incident response team called CERT or CSIRT. Such teams adopt a particular maturity model/framework to improve their incident response capabilities. We have discussed various international forums and frameworks in detail here. In this article, we are answering the question of what is the Security Incident Management Maturity Model (SIM3).
Have your own Computer Security Incident Response Team on call and ready for deployment as your private 911 cyber-emergency with LIFARS on IR Retainer.
What is the Security Incident Management Maturity Model (SIM3)?
The Open CSIRT Foundation (OCF) published the first version of SIM3 in 2009. OCF has continued to maintain and govern the maturity model; it also organizes training and certification programs for SIM3 auditors. SIM3 is one of the most popular maturity models across the globe. Adoption by national CSIRTs/CERTs, ENISA, and FIRST, among other organizations, is clear evidence of its quality and popularity. European Network and Information Security Agency (ENISA) recommends a three-tier maturity model based on SIM3. Similarly, Nippon CSIRT Association (NCA) prescribes using SIM3 for improving the incident response capabilities of its members. NCA is a Japanese cooperative society with over 300 CSIRT members.
SIM3 consists of a total of 44 parameters in four categories. These categories are:
- Organizational (O)
- Human (H)
- Tools (T)
- Processes (P)
This model defines a parameter as an attribute important for a CSIRT to function and operate. For every parameter, there is a measurement scale of 0 to 4. This maturity model provides clear indicators for reviewing the existing incident response model of any organization.
An ideal maturity model must support the development and improvement of a CSIRT’s capability. Maturity models like SIM3 can be used by new CSIRTs as well as well-established CSIRTs across the globe. Using this maturity model, they can ensure that they have a clearly defined framework to achieve their goals. Considering that SIM3 is designed by incorporating extensive experience from incident response professionals, organizations must consider it as a baseline and focus on continual improvements.