OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FYI random: NCCIC Cyber Incident Scoring System (NCISS)

Uncertain whether this is old news, new news, or not news ... of interest to CTI TC members...


- Robin Cover

NCCIC Cyber Incident Scoring System

NCISS is designed to provide a repeatable and consistent mechanism for objectively evaluating the risk of a cybersecurity incident in the national context. A pilot of the system has been in regular use by the NCCIC’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) since 2014. NCCIC’s United States Computer Emergency Readiness Team is in the process of adopting the NCISS for its day-to-day incident reporting processes. Having this system in place has already allowed NCCIC to provide objective assessments of national-level risk for routine and high risk cybersecurity events via a repeatable process, facilitating better prioritization and more timely responses to the needs of NCCIC’s constituents and mission partners.

Evaluating National Level Cyber Risk, the DHS Approach
Mark Bristow (DHS/ICS-CERT, US

Currently there is no system that is designed to assess the severity of cyber incidents at a national level. Many systems and schemas, including NIST 800-61 r2, provide excellent guidance within the scope of a single entity’s Security Operations Center (SOC) however these system do not address this risk within the national paradigm. Large scale and national cyber operations centers like the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) need to assess risk to accommodate external parties across a diverse set of private critical infrastructure asset owners/operators and USG Departments/Agencies. The NCCIC Cyber Incident Scoring System (NCISS) is designed to provide a repeatable and consistent rating mechanism for evaluating the risk of an incident in this context.  The NCISS was based on NIST 800-61 r2 and tailored to include entity specific potential impact categories that allow NCCIC to evaluate the severity and prioritize on a national scale. This allows for a similar incident at two different stakeholders to have a significantly different score based on the national level potential impact of the entity.

The functional methodology uses a weighted average that ultimately produces a score from 0 100. The severity/risk score drives NCCIC processes and determines the necessary incident response prioritization and service level for each individual case. The system is not designed to support cases where multiple correlated incidents may increase severity (i.e., raise the priority).

The inputs to the scoring system are a hybrid of discrete and analytical assessments that will generate a score approximating the relative risk of the incident. While every attempt to minimize this effect via training and exercise, different individual scorers will have slightly different perspectives on analytical responses to the scoring questions. The use of discrete, verifiable inputs lessens the impact or sway from any individual analytical factor, increasing the overall precision of the system. Ultimately the system is designed to provide a repeatable risk estimation that provides guidance for evaluation by incident response managers rather than set a hard line.

Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/people/staff/robin-cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783

Attachment: NCCIC-Cyber-Incident-Scoring-System.pdf
Description: Adobe PDF document

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]