Add _Establish Governance_ to _Prepare_ step of bootstrap process description (#488)

* draft of governance step in prepare.md

* add governance bit to prepare row of _steps_table.md

* fix #487

* add headings, example blocks

* add governance process to diagram

* revise data mapping heading

* refine diagram

* fix heading levels

* add CERT RMM sidebar
ahouseholder authored Feb 23, 2024
1 parent 8b83b63 commit 5c1c1ee
Showing 4 changed files with 209 additions and 88 deletions.
12 changes: 6 additions & 6 deletions docs/howto/bootstrap/_steps_table.md
@@ -1,6 +1,6 @@
| Step | Description |
| ---- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [**Prepare**](prepare.md) | Define the decision you want to make, the outcomes you care about, the decision points you will use to make the decision, the decision policy, and the data you need to inform the decision points. |
| [**Collect**](collect.md) | Collect the data you need to make informed decisions. |
| [**Use SSVC**](use.md) | Use SSVC to make decisions about how to respond to vulnerabilities. |
| [**Respond**](use.md) | Respond to vulnerabilities according to the prioritization. |
| Step | Description |
| ---- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [**Prepare**](prepare.md) | Define the decision you want to make, the outcomes you care about, the decision points you will use to make the decision, the decision policy, the data you need to inform the decision points, and the process for maintaining your decision model. |
| [**Collect**](collect.md) | Collect the data you need to make informed decisions. |
| [**Use SSVC**](use.md) | Use SSVC to make decisions about how to respond to vulnerabilities. |
| [**Respond**](use.md) | Respond to vulnerabilities according to the prioritization. |
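Review bot: The **Respond** row still links to use.md, the same target as the **Use SSVC** row (`| [**Respond**](use.md) | Respond to vulnerabilities according to the prioritization. |`); if a dedicated respond page exists it should be linked here, otherwise the link is misleading and could be dropped. The expanded **Prepare** description is fine, though "the process for maintaining your decision model" could be phrased as "a governance process for the decision model" so the table uses the same wording as the new section heading in prepare.md.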
125 changes: 124 additions & 1 deletion docs/howto/bootstrap/prepare.md
Expand Up @@ -6,9 +6,13 @@ the information you need to make that decision, and the policy you want to use t
Here is a diagram of the preparation process:

```mermaid
---
title: Prepare to Use SSVC Overview
---
flowchart
subgraph prep [Prepare to use SSVC]
dcd{{Choose Decision to Model}}
governance[Establish Governance]
outcomes[Define Outcomes]
decisionpoints[Define Inputs]
dataeng[Data Mapping]
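Review bot: The `---` / `title: Prepare to Use SSVC Overview` / `---` frontmatter block added at the top of this mermaid fence is only understood by newer Mermaid releases; older versions treat the dashes as diagram text and fail to render the whole block, so confirm the docs build uses a Mermaid version that supports frontmatter titles. The same frontmatter is added to every diagram in this file, so one check of the rendered page covers all of them.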
Expand All @@ -17,6 +21,8 @@ flowchart
p[/Policy/]
end
dcd --> outcomes
dcd --> governance
governance --> governance
outcomes --> decisionpoints
dcd --> decisionpoints
decisionpoints --> dataeng
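Review bot: `governance --> governance` draws an unlabeled self-loop; the summary.md diagram in this same commit labels the equivalent edge `gp -->|ongoing| gp`, so label it the same way here (`governance -->|ongoing| governance`) so readers see that the loop means the process is continuous rather than a stray edge.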
Expand Down Expand Up @@ -48,6 +54,9 @@ You can use one of these decisions, or you can define your own decision.
<br/>

```mermaid
---
title: Choose a Decision Process
---
flowchart LR
subgraph dd[Choose Decision]
dcd{{Choose Decision to Model}}
Expand All @@ -73,6 +82,9 @@ We call the set of possible outcomes for a decision an outcome set.
We have provided a number of example outcome sets in the SSVC documentation, but you can define your own outcome set to meet your needs.

```mermaid
---
title: Outcomes Definition Process
---
flowchart LR
subgraph dd[Choose Decision]
d[/Decision/]
Expand Down Expand Up @@ -116,6 +128,9 @@ Whether you choose from the existing decision points or define your own, the set
decision is called a Decision Point Set.

```mermaid
---
title: Inputs Definition Process
---
flowchart LR
subgraph dd[Choose Decision]
d[/Decision/]
Expand Down Expand Up @@ -162,6 +177,9 @@ In fact, we find that it is often useful to represent policies in tabular form,
We have provided a number of example policies in the [SSVC documentation](../index.md), but you can define your own policy to meet your needs.

```mermaid
---
title: Policy Definition Process
---
flowchart LR
subgraph do[Define Outcomes]
oc[/Outcome Set/]
Expand Down Expand Up @@ -190,13 +208,16 @@ flowchart LR
because it has too few _Immediate_ outcomes to suit their policy.
Therefore, the bank decides to reuse the same decision point set and outcome set but define their own policy.
## Data Mapping
## Map Data to Model Inputs

In SSVC, data mapping is the process of defining what data can be used to assign a value to each decision point.
The resulting data map indicates which data sources are relevant to each decision point, and how to interpret the data
from each data source to assign a value to the decision point.

```mermaid
---
title: Data Mapping Process
---
flowchart LR
subgraph di[Define Inputs]
dps[/Decision Point Set/]
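Review bot: Renaming the heading from `## Data Mapping` to `## Map Data to Model Inputs` changes the generated anchor (`#data-mapping` becomes `#map-data-to-model-inputs`), so any existing links to the old anchor elsewhere in the docs will break; grep for `#data-mapping` and update them. The diagram directly below keeps the title `Data Mapping Process` and the paragraph still defines the term "data mapping", which is fine, but the mismatch between heading and diagram title is worth a deliberate choice.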
Expand Down Expand Up @@ -232,3 +253,105 @@ flowchart LR
They define a data map that indicates that the data source for the _Service Level_ decision point is the file
containing the SLA data, and document that the script they wrote will assign a value to the _Service Level_ decision
point based on the SLA data.


!!! tip inline end "CERT RMM on Vulnerability Analysis and Resolution"

The process of maintaining SSVC decision models is a governance process.
Ideally, it should be part of a larger governance process for vulnerability analysis and response.
The _CERT Resilience Management Model, Version 1.2_
[Vulnerability Analysis and Resolution](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/)
([VAR](https://insights.sei.cmu.edu/library/vulnerability-analysis-and-resolution-var-cert-rmm-process-area/)) chapter
covers a number of SSVC-related ideas:

- _VAR:SG2 Identify and Analyze Vulnerabilities_ covers data mapping, vulnerability prioritization,
and identifying vulnerable assets
- _VAR:SG3 Manage Exposure to Vulnerabilities_ addresses strategies for vulnerability management
- _VAR:GG2 Institutionalize a Managed Process_ provides considerable detail on establishing a governance process for
vulnerability analysis and resolution.

The entire CERT RMM collection can be found in the [SEI Digital Library](https://insights.sei.cmu.edu/library/cert-resilience-management-model-cert-rmm-collection/)

## Establish Governance

The final step in preparing to use SSVC is to establish a governance process for the decision model.
This process should ensure that the decision model remains relevant to the organization's needs and that the data
used to make decisions is accurate and up-to-date.
It need not be complex or burdensome.

A lightweight governance process might resemble a review of this _Prepare_ step for each decision modeled using
SSVC. Each of the items we discussed above could be reviewed in turn, ensuring that:

- The decision itself remains relevant to the organization
- The outcomes remain relevant to the decision
- The decision points remain relevant to the decision
- The policy remains relevant to the organization's needs
- The data sources remain relevant to informing the decision points

Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map,
or operational processes.

```mermaid
---
title: Governance Process for SSVC Use
---
flowchart LR
subgraph Governance
direction LR
ro[/Modify Outcomes?\]
mdp[/Modify Decision Points?\]
rp[/Modify Policy?\]
rds[/Modify Data Mapping?\]
oc[/Outcomes/]
dp[/Decision Points/]
dm[/Data Map/]
um{{Update Policy}}
po[/Policy/]
end
ro -->|yes| oc
oc --> um
ro -->|no| mdp
mdp -->|yes| dp
dp --> um
mdp -->|no| rp
rp -->|yes| um
rp -->|no| rds
rds -->|yes| dm
um --> po
```

!!! example "A Simple Governance Process asks Questions"

A simple governance process might include regular reviews of the decision model intended to answer the following
questions, starting with the decision itself:

- Did we model the right decision(s)?

- Are there new decisions we need to model?
- Do we need to maintain the existing decision models?

If a new decision is to be modeled, the process would start over with the entire *Prepare* step.

Then, for each decision model already in use:

- Are the outcomes still relevant?
- Are the decision points in the model still relevant?

- Are there decision points that are not as useful as we thought they would be?
- Are there new decision points we should add?

- Does the policy still reflect our understanding and expectations of how we want to make this decision?

- Have there been instances where the policy has led to a decision that we later regretted?
- Are there new constraints or requirements that the policy mapping does not capture?

- Do we have the right data to inform the decision points in the decision model?
- Are there new data sources we should consider?
- Are there data sources we are using that are no longer relevant?
- Is our data mapping still appropriate?



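Review bot: In the governance flowchart the `rds[/Modify Data Mapping?\]` node has a `yes` edge to `dm` but no `no` edge, and `dm[/Data Map/]` has no outgoing edge, so both branches of the last question dead-end while every other branch flows into `um{{Update Policy}}` (`oc --> um`, `dp --> um`, `rp -->|yes| um`). Either add `dm --> um` for consistency and an explicit end node for the `no` case, or say in the text why a data-map change does not feed back into the policy. Minor: the `inline end` tip is correctly placed before the section it floats beside, and the example admonition title "A Simple Governance Process asks Questions" should probably capitalize "Asks" to match the other titles.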
25 changes: 22 additions & 3 deletions docs/howto/bootstrap/summary.md
Expand Up @@ -10,36 +10,46 @@ The diagram below shows the complete process of using SSVC.


```mermaid
flowchart
flowchart TD
start([Start])
subgraph prep [Prepare to use SSVC]
dcd{{Choose Decision to Model}}
d[/Decision/]
l4((1))
subgraph outcomes [Define Outcomes]
oc1[/Use available<br/>outcome sets?\]
dos{{Define Outcome Sets}}
oss[\Outcome Sets/]
cos{{Choose Outcome Set}}
os[/Outcome Set/]
end
l5((1))
subgraph decisionpoints [Define Inputs]
dp1[/Use available<br/>decision points?\]
ddp{{Define Decision Points}}
dpt[\Decision Points/]
cdp{{Choose Decision Points}}
dps[/Decision Point Set/]
end
l6((1))
subgraph dataeng [Data Mapping]
dd1[/Use existing data?\]
dpm[/Data Map/]
dp2d{{Map Decision Points to Data}}
dd{{Define Data}}
ddf[/Data Definition/]
end
l7((1))
subgraph policy [Policy Development]
dfp{{Define Policy}}
p[/Policy/]
end
subgraph gov [Governance]
eg{{Establish Governance Process}}
gp[[Governance Process]]
end
l3((1))
end
subgraph dataops [Data Operations]
cd[Collect Data]
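Review bot: The five new off-page connectors `l3`, `l4`, `l5`, `l6` and `l7` are all labeled `((1))`, with `l3` inside `gov` as the only source and the others placed beside each sub-step; that is a standard connector convention, but a reader sees five identical `(1)` circles inside `prep` with nothing explaining them. Consider a `%%` comment above `l3((1))` noting that the `(1)` connectors carry the governance loop into each preparation sub-step, so the next editor does not try to merge them. `flowchart` to `flowchart TD` only makes the default direction explicit, which is fine.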
Expand All @@ -56,7 +66,13 @@ subgraph runtime [Use SSVC]
end
r[Vulnerability Response]
start --> dcd
start --> eg
eg --> gp
gp -->|ongoing| gp
gp --> l3
dcd --> d
l4 --> oc1
d --> oc1
dps --> dd1
oc1 -->|y| oss
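Review bot: `gp --> l3` fans the governance process out to the outcomes, inputs, data-mapping and policy sub-steps via the `(1)` connectors, but there is no connector back into `dcd{{Choose Decision to Model}}`, even though the new prepare.md text says the review starts with whether the right decision(s) were modeled and that modeling a new decision restarts the whole Prepare step. Add an edge from the governance loop into `dcd` (or another `(1)` connector beside it) so the diagram matches the text.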
Expand All @@ -71,8 +87,10 @@ dpt --> cdp
cdp --> dps
cos --> os
oss --> cos
l7 --> dfp
os --> dfp
os --> dp1
l5 --> dp1
d --> dp1
dps --> dp2d
dp2d --> dpm
Expand All @@ -93,7 +111,8 @@ p --> ap
dp --> ap
ap --> oc
oc --> r
r --> l1((1))
l2((1)) --> cd
r --> l1((2))
l2((2)) --> cd
l6 --> dd1
```
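Review bot: `l6 --> dd1` is appended after the `r --> l1((2))` / `l2((2)) --> cd` pair, while the sibling edges `l4 --> oc1`, `l5 --> dp1` and `l7 --> dfp` sit next to the other edges of their target subgraphs; move it up beside `dps --> dd1` so the data-mapping edges stay grouped. Renumbering `l1`/`l2` from `((1))` to `((2))` is necessary now that `(1)` denotes the governance connectors, but it is not mentioned in the commit message and deserves a line there.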

