From 378b78d6b9663821c8310b03bc8edc365e76dde1 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 22 Feb 2024 14:43:26 -0500 Subject: [PATCH] add CERT RMM sidebar --- docs/howto/bootstrap/prepare.md | 42 +++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/docs/howto/bootstrap/prepare.md b/docs/howto/bootstrap/prepare.md index d6657cd8..f093d7a8 100644 --- a/docs/howto/bootstrap/prepare.md +++ b/docs/howto/bootstrap/prepare.md @@ -6,9 +6,13 @@ the information you need to make that decision, and the policy you want to use t Here is a diagram of the preparation process: ```mermaid +--- +title: Prepare to Use SSVC Overview +--- flowchart subgraph prep [Prepare to use SSVC] dcd{{Choose Decision to Model}} + governance[Establish Governance] outcomes[Define Outcomes] decisionpoints[Define Inputs] dataeng[Data Mapping] @@ -17,6 +21,8 @@ flowchart p[/Policy/] end dcd --> outcomes + dcd --> governance + governance --> governance outcomes --> decisionpoints dcd --> decisionpoints decisionpoints --> dataeng @@ -48,6 +54,9 @@ You can use one of these decisions, or you can define your own decision.
```mermaid +--- +title: Choose a Decision Process +--- flowchart LR subgraph dd[Choose Decision] dcd{{Choose Decision to Model}} @@ -73,6 +82,9 @@ We call the set of possible outcomes for a decision an outcome set. We have provided a number of example outcome sets in the SSVC documentation, but you can define your own outcome set to meet your needs. ```mermaid +--- +title: Outcomes Definition Process +--- flowchart LR subgraph dd[Choose Decision] d[/Decision/] @@ -116,6 +128,9 @@ Whether you choose from the existing decision points or define your own, the set decision is called a Decision Point Set. ```mermaid +--- +title: Inputs Definition Process +--- flowchart LR subgraph dd[Choose Decision] d[/Decision/] @@ -162,6 +177,9 @@ In fact, we find that it is often useful to represent policies in tabular form, We have provided a number of example policies in the [SSVC documentation](../index.md), but you can define your own policy to meet your needs. ```mermaid +--- +title: Policy Definition Process +--- flowchart LR subgraph do[Define Outcomes] oc[/Outcome Set/] @@ -197,6 +215,9 @@ The resulting data map indicates which data sources are relevant to each decisio from each data source to assign a value to the decision point. ```mermaid +--- +title: Data Mapping Process +--- flowchart LR subgraph di[Define Inputs] dps[/Decision Point Set/] 
@@ -233,6 +254,24 @@ flowchart LR containing the SLA data, and document that the script they wrote will assign a value to the _Service Level_ decision point based on the SLA data. + +!!! tip inline end "CERT RMM on Vulnerability Analysis and Resolution" + + The process of maintaining SSVC decision models is a governance process. + Ideally, it should be part of a larger governance process for vulnerability analysis and response. + The _CERT Resilience Management Model, Version 1.2_ + [Vulnerability Analysis and Resolution](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/) + ([VAR](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/)) chapter + covers a number of SSVC-related ideas: + + - _VAR:SG2 Identify and Analyze Vulnerabilities_ covers data mapping, vulnerability prioritization, + and identifying vulnerable assets + - _VAR:SG3 Manage Exposure to Vulnerabilities_ addresses strategies for vulnerability management + - _VAR:GG2 Institutionalize a Managed Process_ provides considerable detail on establishing a governance process for + vulnerability analysis and resolution. + + The entire CERT RMM collection can be found in the [SEI Digital Library](https://insights.sei.cmu.edu/library/cert-resilience-management-model-cert-rmm-collection/) + ## Establish Governance The final step in preparing to use SSVC is to establish a governance process for the decision model. @@ -253,6 +292,9 @@ Depending on the review, any necessary adjustments can be made to the outcomes, or operational processes. ```mermaid +--- +title: Governance Process for SSVC Use +--- flowchart LR subgraph Governance
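Review bot: in the first hunk (`@@ -6,9 +6,13`), `governance --> governance` draws the new Establish Governance node as an edge to itself, which looks like a typo rather than the intended wiring; every other edge in that block connects distinct steps (`dcd --> outcomes`, `dcd --> governance`, `outcomes --> decisionpoints`), and the text added later in this same patch describes establishing governance as "the final step in preparing to use SSVC", so the edge should most likely point at another node, or be removed with a `%%` comment if a self-loop is deliberately meant to show an ongoing process. The commit subject "add CERT RMM sidebar" also does not mention the new governance node or the diagram titles added throughout the file; a second line in the commit message listing those would make the change easier to review later.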
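Review bot: the YAML frontmatter (`---` / `title: Choose a Decision Process` / `---`) added at the top of the mermaid block in `@@ -48,6 +54,9` and the other diagram hunks is only understood by mermaid releases that support frontmatter; on an older renderer the three lines are either shown as literal text or make the whole diagram fail to parse, so please confirm the mermaid version bundled with the docs site renders a titled block before merging, ideally by checking one of the changed pages in the built site.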
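Review bot: in the CERT RMM tip (`@@ -233,6 +254,24`), the two links `[Vulnerability Analysis and Resolution](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/)` and `([VAR](...))` resolve to the same URL, so one of them can be plain text, for example `[Vulnerability Analysis and Resolution (VAR)](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/) chapter`. Minor: the three `VAR:` bullets are punctuated inconsistently (only the last ends with a period) and the closing sentence pointing at the SEI Digital Library has no terminal period. Placing the `!!! tip inline end` block immediately before `## Establish Governance` is the right spot, since an inline admonition floats beside the content that follows it, but check the rendered page: the admonition is fairly tall and the paragraph after the heading is short, so the float may run down into the governance diagram below it.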