Closed ahouseholder closed 6 months ago
It might be convenient to pick up
if they're not already resolved when this one gets a PR.
This issue seems independent of #480 though.
See Figure 3 of https://insights.sei.cmu.edu/documents/737/2004_005_001_14405.pdf for a possibly relevant diagram
The PR I submitted takes a fairly minimalist approach to this. I just added a section to the prepare step, which I think is sufficient to bring attention to the fact that maintaining an SSVC Decision Model is something you need to prepare for too.
Instead of connecting it back to CMU/SEI-2004-TR-015 Defining Incident Management Processes for CSIRTs: A Work in Progress though, I tied it into the Vulnerability Analysis and Resolution process area of CERT RMM, which seemed a bit more formalized. The diagram in the 2004 report was helpful in thinking about how the Governance bit tied into the big diagram though, given the limitations of Mermaid diagrams.
The bootstrapping process as described right now does not include any feedback from the operational use of SSVC to refine any of
Yet we already know that model and policy tuning are part of the operational conversation once you're using SSVC:
<something else>
in this case"

So we should reflect this somewhere. Maybe it goes into the bootstrapping docs directly, or maybe it's a separate page about "maintaining SSVC's operational fit" in the howto section, but regardless it seems like this kind of process monitoring and improvement ought to be explicitly described, however briefly.