Bootstrapping section should mention stakeholder roles involved in each phase

[ahouseholder]

This came out of a conversation that was generally around the question "Who needs to be involved in each step of the bootstrapping process?" and an idea that came up was that Decision Point concepts and values should generally be a boundary object understandable to both technical management and analysts, whereas datamapping is more about the analyst-level perspective that says how data will be used as evidence for assigning decision point values.

So the idea for this issue is to revise the bootstrapping docs to reflect those role distinctions.

[ahouseholder]

Specifically, looking at these three pages:

• https://certcc.github.io/SSVC-staging/howto/bootstrap/prepare/
• https://certcc.github.io/SSVC-staging/howto/bootstrap/collect/
• https://certcc.github.io/SSVC-staging/howto/bootstrap/use/

We need to identify which stakeholders need to be involved at each step in the process (the answer might be different for different sections of those pages).

The stakeholders might include one or more of:

• Vulnerability analysts
• Developers
• Risk Owners
• System administrators
• Security operations
• Data analysts
• Or others --- please leave a comment if you have ideas on stakeholders, I just made that list up and I have no reason to suspect it's complete.

[j---]

There is perhaps a middle layer of management between these operational roles and the risk owners. I don't know that needs to be specifically captured. I don't have any other operational roles to add. Is PSIRT / CSIRT lead a different role? Those folks may have to explain their decisions to the public, and having decision points as boundary objects may help them do that.

[ccullen-cert]

So, reading the documentation, this seems like it would be rather difficult to define, especially given the variety of how each organization is set up. For example, system administrators and analysts would likely have access to vastly different data or be biased towards a different set of decision points. You could make more general stakeholder roles, but at that point I think the assistance it might bring about is kind of diminished, and probably would be fine to just not add at all.

This is also somewhat minor, but trying to define these roles might end up causing more confusion because different organizations have different tiles, and trying to set up a specific set of roles that people fit into might cause confusion for using SSVC for the first time.

I don't know if I have enough knowledge to comment on the PSIRT/CSIRT lead being considered as a different role. I will of course defer to others judgement, but I wanted to put my thoughts here before taking this.

[ahouseholder]

So I guess I was imagining is that the end target is something like a RACI matrix or a variant thereof (and there are a lot of variations). The rows would be the different steps of adoption, and the columns the various stakeholder roles, with each cell indicating the kind of responsibilities of each role at that step.

So there'd be some generic roles involved. I'm not sure that my list in this comment is the right set. Maybe it'd help to pop up to a higher level than that list, for example:

• Risk Management/Risk Owner
• ITSM (Information Technology Service Management)
• IT Security
• Development

But the end result might not be as detailed as a matrix, maybe that's just a handy way to think of it as we're developing content.

I agree that defining a bunch more roles is more than we should attempt for now.

I guess one small way to approach this would be to clarify that

• Risk Owners own the policy, and they must be involved in the development of it.
• It seems like ITSM owns the outcome set (at least in deployer orgs).
• But not all orgs are deployers, and ITSM isn't always the right answer for that.
• Suppliers might focus on more developer, QA, etc.
• Not sure where customer support, marketing, legal, fit in

I definitely get the idea that we might not understand enough about implementer orgs to say much about specifically who is involved. But we should at least be able to emphasize that adopting SSVC is not simply a decision made within the Security Ops or even entirely within the ITSM process.

[ccullen-cert]

Here is my stab at a few sentences to describe the bootstrapping process. I am not the most happy with it but I hope it opens up some discussion. I am attempting to straddle respecting different orgs setups but also have it concrete enough to be a starting point.

During the bootstrapping process, internal discussions regarding what segments of an organization are to handle the decision making process need to be defined prior to engagement. Risk owners should be involved in the development of the policy that affects said risk. Their involvement, no matter the degree, should be considered essential. ITSM (Information Technology Services Management) and IT security should have contributing members from either side be involved in the decision process as well. These stakeholder roles and awareness within them may be different depending on the organization, however the knowledge present within them is essential to accurate decision making. SSVC usage involves stakeholders in different areas, and adoption is not a decision made unilaterally by any single one in an organization.

I thought it would be better to just not comment on legal /customer support or suppliers, because those areas are going to be wildly different from org to org, and focus on the stakeholders that should firmly be involved.

[j---]

Thanks, this is good. some small suggestions.

Risk owners should be involved in the development of the policy that affects said risk. Their involvement, no matter the degree, should be considered essential.

Maybe easier to just say "Risk owners must be involved in the development of the risk management policy represented by SSVC"

ITSM (Information Technology Services Management)

Is there a link to a semi-standard definition of this term we could use?

[ahouseholder]

ITSM (Information Technology Services Management)

Is there a link to a semi-standard definition of this term we could use?

I came across it in the context of ITIL around 2007 or 2008. https://en.wikipedia.org/wiki/IT_service_management is what I usually point to, because it links back out to a bunch of related things (ITIL, TOGAF, COBIT, CMMI, etc.)

[ccullen-cert]

@j--- Added your suggestion below

During the bootstrapping process, internal discussions regarding what segments of an organization are to handle the decision making process need to be defined prior to engagement. Risk owners must be involved in the development of the risk management policy represented by SSVC. ITSM (Information Technology Services Management) and IT security should have contributing members from either side be involved in the decision process as well. These stakeholder roles and awareness within them may be different depending on the organization, however the knowledge present within them is essential to accurate decision making. SSVC usage involves stakeholders in different areas, and adoption is not a decision made unilaterally by any single one in an organization.`

Also, ITSM is still referenced in the newest versions of the frameworks, such as ITIL 4 (https://www.mizekhedmat.com/wp-content/uploads/2022/07/ITILFoundation-ITIL4Edition.pdf)

Welcome to more feedback, but I can start a proper pull request for this and get it started if it looks good.

[j---]

Loose preference for wikipedia as a neutral source to reference. Otherwise, looks OK to me.

[ccullen-cert]

Ok, ill use the wikipedia page instead

[ccullen-cert]

Made this https://github.com/CERTCC/SSVC/pull/512 to address this issue.