March 4, 2020

WG: Security Communications Challenge Coordination (SCCC-JWG)

Chair: David Groep – Nikhef

Vice Chair: Hannah Short – CERN

Maintaining trust between different infrastructures and domains depends largely on predictable responses by all parties involved. Many frameworks, such as SCI and Sirtfi, as well as groups such as the e-Infrastructures, the IGTF, and REFEDS, promote mechanisms to publish security contact information, and have either explicit or implicit expectations of those contacts' remit, responsiveness, and the level of confidentiality they maintain. However, it is a well-recognised fact that data that is not verified becomes stale: security contact information that is appropriate at time of enrolment in an infrastructure may later bounce, or have different ‘characteristics’.

One of the ways to ensure contact details are maintained is to ‘exercise’ these contacts regularly and compare their performance against the expectations or requirements, in what are usually called ‘communications challenges’. However, with many distinct stakeholders interested in ensuring correctness of these contact details, it is likely that uncoordinated challenges have a detrimental effect on responsiveness: tests are duplicated, follow each other too closely in time, or measure the same aspect of contact responsiveness in different (and thus potentially confusing) ways. This is likely to ‘overload’ the targets of these challenges, resulting in disengagement and an understandable unwillingness to participate in the future, even in case of real incidents.

To ensure information is up-to-date, and the participants are prepared to respond to information security events when the time comes, running security communications challenges is an important element of preparedness. Yet each stakeholder independently challenging all other participants quickly results in an information and communications overload for everyone involved.

The Security Communications Challenge Coordination working group aims to foster trust by sharing knowledge about such challenges, informing peers about the groups and participants for which they maintain up-to-date and verified contact information, and aligning challenges in time to prevent overload.

The working group is joint with the Special Interest Group (SIG) on Information Security Management, with REFEDS, and with TF-CSIRT.

For additional information and the current challenge agenda, see the SCCC-JWG Wiki.