Ccullen cert patch 2 #512

Merged
merged 10 commits into from
Feb 28, 2024
16 changes: 16 additions & 0 deletions docs/howto/bootstrap/prepare.md
Expand Up @@ -3,6 +3,22 @@
Preparing to use SSVC involves defining a decision you want to make,
the information you need to make that decision, and the policy you want to use to make that decision.

!!! tip "Stakeholder Involvement"

Multiple organizational stakeholders should be involved in the SSVC adoption process.

- _Risk Owners_ must be involved in the development of the risk management policy represented by SSVC.
- _Vulnerability Management_ stakeholders, including IT Security and IT Service Management (ITSM), should
be involved in the decision modeling and data mapping processes as well.
- _Other Roles_ depend on the organization and specific decision models being developed. For example, a Supplier
organization could include development and possibly service operations roles in the decision modeling process.
A Deployer organization might include safety and incident response roles.

Stakeholder roles and responsibilities can vary across organizations, however the contextual knowledge they can
bring to the decision making process is essential. SSVC adoption is not just a process for the security team or
technical staff.


Here is a diagram of the preparation process:

```mermaid
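Review bot: the closing paragraph of the new tip has a comma splice in "Stakeholder roles and responsibilities can vary across organizations, however the contextual knowledge they can bring..."; change it to "...can vary across organizations; however, the contextual knowledge..." or start a new sentence at "However". A second, smaller point: the "Other Roles" bullet lists example roles (development, service operations, safety, incident response) but, unlike the first two bullets, does not say which of the three preparation steps the intro names (the decision, the information, the policy) those roles contribute to; one clause per example would make the tip actionable. Finally, the rendered diff cannot show indentation, so please confirm in the raw file that the admonition body is indented under `!!! tip "Stakeholder Involvement"`, as MkDocs otherwise renders the bullets outside the tip box.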
2 changes: 1 addition & 1 deletion docs/index.md
Expand Up @@ -58,4 +58,4 @@ We have organized the SSVC documentation into four main sections:
</div>


{% include-markdown "_includes/helping_out.md" heading-offset=1 %}
{% include-markdown "_includes/helping_out.md" heading-offset=1 %}
4 changes: 2 additions & 2 deletions docs/topics/items_with_same_priority.md
Expand Up @@ -8,9 +8,9 @@ The priority is equivalent.
!!! tip "This is not CVSS"

This approach may feel uncomfortable since CVSS gives the appearance of a finer grained priority.
CVSS appears to say,
CVSS appears to say,
> Not just 4.0 to 6.9 is ‘medium’ severity, but 4.6 is more severe than 4.5.
However, as discussed {== previously (see page 4) ==}, CVSS is designed to be accurate only within +/- 0.5,
However, CVSS is designed to be accurate only within +/- 0.5,
and, in practice, is scored with errors of around +/- 1.5 to 2.5 [@allodi2018effect, see Figure 1].

An error of this magnitude is enough to make all of the “normal” range from 4.0 to 6.9 equivalent, because
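Review bot: removing the dangling "{== previously (see page 4) ==}" marker is the right call, since a page number has no referent in this web doc set, but the sentence it qualified now states that "CVSS is designed to be accurate only within +/- 0.5" with no source, while the following clause does cite [@allodi2018effect, see Figure 1] for the observed +/- 1.5 to 2.5 error. Suggest either citing the CVSS specification for the design tolerance or linking to the page in these docs that discusses CVSS precision, so the Allodi citation is not read as covering both claims. The repeated "CVSS appears to say," line is identical before and after as rendered, so that part of the hunk appears to be a trailing-whitespace fix only.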