Recommendation ITU-T X.1060 (06/2021) Framework for the creation and operation of a cyber defence centre
Summary
History
FOREWORD
Table of Contents
Introduction
1 Scope
2 References
3 Definitions
     3.1 Terms defined elsewhere
     3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Structure of this Recommendation
7 Overview of a cyber defence centre
8 Framework for the creation and operation of a CDC
9 Build process
     9.1 Overview
     9.2 CDC service recommendation level
     9.3 CDC service assignment
     9.4 CDC service assessment
10 Management process
11 Evaluation process
     11.1 Overview
     11.2 CDC service catalogue evaluation
     11.3 CDC service profile evaluation
     11.4 CDC service portfolio evaluation
12 CDC service categories and service list
Annex A  CDC service list with descriptions
     A.1 Category A: Strategic management of CDC
          A.1.1 A-1. Risk management
          A.1.2 A-2. Risk assessment
          A.1.3 A-3. Policy planning
          A.1.4 A-4. Policy management
          A.1.5 A-5. Business continuity
          A.1.6 A-6. Business impact analysis
          A.1.7 A-7. Resource management
          A.1.8 A-8. Security architecture design
          A.1.9 A-9. Triage criteria management
          A.1.10 A-10. Counter measures selection
          A.1.11 A-11. Quality management
          A.1.12 A-12. Security audit
          A.1.13 A-13. Certification
     A.2 Category B: Real-time analysis
          A.2.1 B-1. Real time asset monitoring
          A.2.2 B-2. Event data retention
          A.2.3 B-3. Alerting and warning
          A.2.4 B-4. Handling enquiry on report
     A.3 Category C: Deep analysis
          A.3.1 C-1. Forensic analysis
          A.3.2 C-2. Malware sample analysis
          A.3.3 C-3. Tracking and tracing
          A.3.4 C-4. Forensic evidence collection
     A.4 Category D: Incident response
          A.4.1 D-1. Incident report acceptance
          A.4.2 D-2. Incident handling
          A.4.3 D-3. Incident classification
          A.4.4 D-4. Incident response and containment
          A.4.5 D-5. Incident recovery
          A.4.6 D-6. Incident notification
          A.4.7 D-7. Incident response report
     A.5 Category E: Checking and evaluation
          A.5.1 E-1. Network information collection
          A.5.2 E-2. Asset inventory
          A.5.3 E-3. Vulnerability assessment
          A.5.4 E-4. Patch management
          A.5.5 E-5. Penetration test
          A.5.6 E-6. Defence capability against APT attack evaluation
          A.5.7 E-7. Handling capability on cyberattack evaluation
          A.5.8 E-8. Policy compliance
          A.5.9 E-9. Hardening
     A.6 Category F: Collection, analysis and evaluation of threat intelligence
          A.6.1 F-1. Post-mortem analysis
          A.6.2 F-2. Internal threat intelligence collection and analysis
          A.6.3 F-3. External threat intelligence collection and evaluation
          A.6.4 F-4. Threat intelligence report
          A.6.5 F-5. Threat intelligence utilization
     A.7 Category G: Development and maintenance of CDC platforms
          A.7.1 G-1. Security architecture implementation
          A.7.2 G-2. Basic operation for network security asset
          A.7.3 G-3. Advanced operation for network security asset
          A.7.4 G-4. Basic operation for endpoint security asset
          A.7.5 G-5. Advanced operation for endpoint security asset
          A.7.6 G-6. Basic operation for cloud security products
          A.7.7 G-7. Advanced operation for cloud security products
          A.7.8 G-8. Deep analysis tool operation
          A.7.9 G-9. Basic operation for analysis platform
          A.7.10 G-10. Advanced operation for analysis platform
          A.7.11 G-11. Operates CDC systems
          A.7.12 G-12. Existing security tools evaluation
          A.7.13 G-13. New security tools evaluation
     A.8 Category H: Support of internal fraud response
          A.8.1 H-1. Internal fraud response and analysis support
          A.8.2 H-2. Internal fraud detection and reoccurrence prevention support
     A.9 Category I: Active relationship with external parties
          A.9.1 I-1. Awareness
          A.9.2 I-2. Education and training
          A.9.3 I-3. Security consulting
          A.9.4 I-4. Security vendor collaboration
          A.9.5 I-5. Collaboration service with external security communities
          A.9.6 I-6. Technical reporting
          A.9.7 I-7. Executive security reporting
Bibliography