The SoD Matrix is now stored in the ENISA Github Repository


SoD-Matrix : Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary

This is the Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary. See An overview on enhancing technical cooperation between CSIRTs and LE.

The SoD matrix is made available in

Format

The SoD matrix is built from the machinetag.json file. There are three phases (prior-to-incident-crime, during-the-incident-crime and post-incident-crime) and four actors (CSIRT, LEA, Judiciary and Prosecutors). Each phase consists of multiple duties.

RSCI - COBIT5

The RSCI method used to fill in the SoD matrix is inspired by the COBIT5 methodology, in particular its RACI charts, and is used to assign the following four roles (R-Responsible, C-Consulted, S-Supporting, I-Informed) to the CSIRT, LE and judiciary communities when they perform their duties during the phases of the cybercrime investigation lifecycle. It should be noted that when CSIRTs/LE/Prosecutors/Judges are responsible (R) for a specific duty, they are also accountable for performing it. More than one role can be assigned to each community to describe the performance of its duties.

Because each country or constituency can have its own interpretation of the roles and duties per actor, the JSON file assigns a generic role with 'x', without determining the exact role (R, C, S, I). During the conversion from machinetag to the MISP galaxy, entries for all the roles (meaning R, C, S and I) are included.

Indicative examples

The tasks and ticks in the SoD matrix are for now indicative examples.

Summary

Updating the table

  1. Change machinetag.json
  2. Run the conversion script, create the MD version for human readable or the Galaxy version for MISP galaxy (or both)
  3. If MISP, remove the last comma in the cluster file
  4. Copy the file into MISP
  5. Update Galaxies in MISP

Conversion

Create the table

Run the script machinetag2human.py with input machinetag.json:

python3 machinetag2human.py machinetag.json md

Create the MISP Galaxy and Clusters

Run the script machinetag2human.py with input machinetag.json:

python3 machinetag2human.py machinetag.json galaxy

!! After the conversion, you need to remove the last comma in the cluster file.

Copy the files into your MISP installation and then update the Galaxies in MISP.

cp clusters_sod-matrix.json /var/www/MISP/app/files/misp-galaxy/clusters/sod-matrix-reverse.json
cp galaxies_sod-matrix.json /var/www/MISP/app/files/misp-galaxy/galaxies/sod-matrix-reverse.json
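As an added example (not the repository's machinetag2human.py, whose exact machinetag.json schema is not shown on this page), the following Python produces both outputs of the procedure above from a constructed, simplified machinetag-style input: the human-readable table that keeps the generic 'x' ticks, and a MISP galaxy cluster file in which every 'x' is expanded into R, C, S and I entries. The "actors" and "training" fields are assumptions; because the cluster is serialised with json.dumps, it is valid JSON as written and no trailing comma has to be removed afterwards.

```python
import json

# Constructed sample input in a simplified machinetag-style layout. The
# "actors" and "training" fields are assumptions, not the repository's schema.
SAMPLE = {
    "namespace": "sod-matrix",
    "predicates": [{"value": "prior-to-incident-crime",
                    "expanded": "Prior to incident/crime"}],
    "values": [{"predicate": "prior-to-incident-crime", "entry": [
        {"value": "delivering-training", "expanded": "Delivering training",
         "actors": {"CSIRT": "x", "LEA": "x", "Judge": "x", "Prosec": "x"},
         "training": "Problem-solving and critical thinking skills"},
        {"value": "issuing-recommendations",
         "expanded": "Issuing recommendations for new vulnerabilities and threats",
         "actors": {"CSIRT": "x"},
         "training": "Dealing with specific types of threats and vulnerabilities"},
    ]}],
}
ACTORS = ("CSIRT", "LEA", "Judge", "Prosec")
ROLES = ("R", "C", "S", "I")  # RSCI roles from the COBIT5-inspired method

def to_markdown(tag):
    """Render the human-readable table, one row per duty, keeping the 'x' ticks."""
    phases = {p["value"]: p["expanded"] for p in tag["predicates"]}
    rows = ["| Phase | Cybercrime Fighting Activities | " + " | ".join(ACTORS)
            + " | Training topics |", "|" + "---|" * (len(ACTORS) + 3)]
    for v in tag["values"]:
        for e in v["entry"]:
            ticks = " | ".join(e["actors"].get(a, "") for a in ACTORS)
            rows.append(f"| {phases[v['predicate']]} | {e['expanded']} | {ticks}"
                        f" | {e['training']} |")
    return "\n".join(rows)

def to_galaxy_clusters(tag):
    """Expand each generic 'x' into one cluster value per RSCI role, because the
    machinetag deliberately does not fix the role. Serialising the result with
    json.dumps yields valid JSON, so no trailing comma has to be stripped."""
    values = []
    for v in tag["values"]:
        for e in v["entry"]:
            for actor in (a for a in ACTORS if e["actors"].get(a) == "x"):
                for role in ROLES:
                    values.append({
                        "value": f"{v['predicate']}:{e['value']}:{actor}:{role}",
                        "meta": {"phase": v["predicate"], "actor": actor,
                                 "role": role, "training": e["training"]},
                    })
    return {"name": tag["namespace"], "type": tag["namespace"], "values": values}
```

Write the cluster file with `json.dump(to_galaxy_clusters(SAMPLE), fh, indent=2)` and the table with `to_markdown(SAMPLE)`; the two duties above yield 16 + 4 cluster values.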

MISP example

(Screenshot: the "Prior to crime" phase of the matrix as displayed in MISP)

SoD Matrix

IMPORTANT

The below tasks and ticks in the SoD matrix are indicative examples.

Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary (human readable version)

This is the Segregation (or separation) of Duties (SoD) Matrix for CSIRTs, LEA and Judiciary. This SoD is also available as a MISP taxonomy. See An overview on enhancing technical cooperation between CSIRTs and LE.

Version: 1

Generated from the machine readable version. Please DO NOT edit this file directly in GitHub; edit the machinetag.json file instead.

| Phase | Cybercrime Fighting Activities | CSIRT / LEA / Judge / Prosec (ticks) | Training topics |
|---|---|---|---|
| Prior to incident/crime | Delivering training | xxxx | Problem-solving and critical thinking skills |
| Prior to incident/crime | Participating in training | xxxx | Problem-solving and critical thinking skills |
| Prior to incident/crime | Collecting cyber threat intelligence | xxx | Knowledge of cyber threat intelligence landscape |
| Prior to incident/crime | Analysis of vulnerabilities and threats | xxx | Development and distribution of tools for preventive and reactive mitigation |
| Prior to incident/crime | Issuing recommendations for new vulnerabilities and threats | x | Dealing with specific types of threats and vulnerabilities |
| Prior to incident/crime | Advising potential victims on preventive measures against cybercrime | xx | Raising awareness on preventive measures against cybercrime |
| During the incident/crime | Discovery of the cyber security incident/crime | xx | Digital investigations; forensics tools; penetration testing; vulnerability scanning; flow analysis |
| During the incident/crime | Identification and classification of the cyber security incident/crime | xxx | Incident and crime classification and identification |
| During the incident/crime | Identify the type and severity of the compromise | xxx | Knowledge of cyber threats and incident response procedures |
| During the incident/crime | Evidence collection | xxx | Knowledge of what kind of data to collect; organisation skills |
| During the incident/crime | Providing technical expertise | x | Technical skills |
| During the incident/crime | Preserving the evidence that may be crucial for the detection of a crime in a criminal trial | xxx | Digital investigations; forensics tools; |
| During the incident/crime | Advising the victim to report / obligation to report a cybercrime to law enforcement (LE) | xx | Obligations and restriction on information sharing; communication channels |
| During the incident/crime | Duty to inform the victim of a cybercrime | xxx | Obligations and restrictions to the information sharing |
| During the incident/crime | Duty to inform other stakeholders/authorities (operators of vulnerable systems, data protection authorities, telecommunications authorities, etc.) | x | Obligations and rules for information sharing among communities |
| During the incident/crime | Acting as a single point of contact (PoC) for any communication with other EU Member States for the incident handling | x | Communication skills; communication channel |
| During the incident/crime | Mitigation of an incident | x | Well-prepared & well-organised to react promptly in an incident |
| During the incident/crime | Conducting the criminal investigation | xx | Knowledge of the legal framework; decision-making skills |
| During the incident/crime | Leading the criminal investigation | xx | Knowledge of the incident response plan; leadership skills |
| During the incident/crime | In the case of disagreement, the final say for an investigation | xx | Knowledge of the legal framework; decision-making skills |
| During the incident/crime | Authorizing the investigation carried out by the LE | xxx | Decision-making in the criminal procedure |
| During the incident/crime | Ensuring that fundamental rights are respected during the investigation and prosecution | xxxx | Fundamental rights in criminal investigations and prosecutions |
| Post incident/crime | Systems recovery | x | Technical skills |
| Post incident/crime | Protecting the constituency | x | Drafting and establishing procedures; technical knowledge |
| Post incident/crime | Preventing and containing IT incidents from a technical point of view | x | Technical skills pertaining to system administration, network administration, technical support or intrusion detection |
| Post incident/crime | Analysis and interpretation of collected evidence | xxx | Criminalistics, digital forensics, admissible evidence |
| Post incident/crime | Requesting testimonies from CSIRTs and LE | xx | Testimonies in a criminal trial |
| Post incident/crime | Admitting and assessing the evidence | xx | Evidence in a criminal trial |
| Post incident/crime | Judging who committed a crime | x | Technical knowledge and knowledge of the legal framework |
| Post incident/crime | Assessing incident damage and cost | xxxx | Evaluation skills |
| Post incident/crime | Reviewing the response and update policies and procedures | x | Knowledge how to draft an incident response and procedures |