Merge pull request #5 from ossf/u269c-Section3-initial-cleanup

Update the plan for Section 3.0 - initial cleanup.
ossf · Sep 23, 2022 · be046ea · be046ea
2 parents 27003d0 + b202160
commit be046ea
Showing 1 changed file with 29 additions and 37 deletions.
diff --git a/plan/3.0 Execution.md b/plan/3.0 Execution.md
@@ -2,59 +2,51 @@
 focused on things assembling the team and tools
 - Section Lead - Francis Perron (@u269c)
 - Section Team - Art, CRob
-- Section Meeting Time/Details - Every other Friday 11-11:30am EST
+- Section Meeting Time/Details - Every other Friday 11-11:30am EST :clock11:
 - Section Meeting [Zoom](https://zoom.us/j/91969722711)
 
+**Tracking**: TBD - _need placeholder to show progress_
 
+## 3.1 - Tech Stack section, deployment and maintenance
 
-## 3.1 - Select the IT and communications infrastructure necessary to deliver the above-determined these services, and make a plan for its deployment, operational availability, and security assurance.
-(was 4.0 <-- remove after agreed placement)
-### Explanation:  
+The selection of the IT and communications infrastructure is necessary to deliver our services, and make a plan for its deployment, operational availability, and security assurance is included here. That work is dependent on :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#21---identify-a-core-set-of-services) as it will determine the scope of this work. We can proceed a bit, but will have to wait at some point.
 
-### Key Steps/Milestones
--
--
+- **M1**: _Tech stack selection_
+  - [ ] Discovery and documentation --> issue#
+  - [ ] Election of tech --# issue#
+- **M2**: _Deployment_
+  - [ ] ...
+- **M3**: _Operational needs fullfilled_
+  - [ ] ...
 
-### Time & resource estimate 
 
-## 3.2 - Create playbooks and guidance documents directed at open-source maintainers and their security teams suggesting that give generically useful guidance about what to do in the event of a cybersecurity emergency (e.g.: critical vulnerability is reported) to offer clear instructions on how & when to get our support. As content is ready and available, work with the Education SIG for training and communication of these materials.
-(was 5.0 <-- remove after agreed placement)
-### Explanation:  
+## 3.2 Recruitment
 
-### Key Steps/Milestones
--
--
+Depending on the operational model defineb by :x: [2.3](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#23-define-expectations-including-vetting-process-and-ethics-agreement-and-determine-the-necessary-skills-and-experience-that-will-be-required-of-each-incident-responder-as-part-of-the-sirts-processes-onboarding-and-shadowing-programs), we will have to hire folks, or recruit volunteers. The actual content of the job requirement will then be defined by :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#22-define-conditions-and-triage-criteria-for-the-services-offered-by-the-sirt-this-list-will-be-maintained-and-actively-updated-in-a-centralized-public-location-on-the-internet) and :x: [2.4](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#24-design-an-engagement-model-for-incident-responders-which-addresses-things-such-as), so we have lots of blockers here.
 
-### Time & resource estimate 
+- **M1**: _tbd_
+  - [ ] issue1
 
+## 3.3 Documentation and Training for the SIRT
 
-## 3.3 Recruitment.
-(was 8.0 <-- remove after agreed placement)
-### Explanation:  
+In order to perform the duties of the SIRT properly, we will need both playbooks and onboarding and training materials. This should be addressed early, before we are fully operational so we can iteratively improve on it. The **onboarding** documentation will depend on :x: [2.1](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#22-define-conditions-and-triage-criteria-for-the-services-offered-by-the-sirt-this-list-will-be-maintained-and-actively-updated-in-a-centralized-public-location-on-the-internet) and the **playbooks** will be greatly influenced by :x: [2.4](https://github.com/ossf/SIRT/blob/main/plan/2.0%20Identify%20Core%20Services%20and%20Processes.md#24-design-an-engagement-model-for-incident-responders-which-addresses-things-such-as).
 
-### Key Steps/Milestones
--
--
+- **M1**: Onboarding documentation v1.0
+  - [ ] Skeleton-draft available to join the SIRT team
+- **M2**: Operational playbooks v1.0
 
-### Time & resource estimate 
-
-## 3.4 Define and report on key metrics and stories to understand our successes and impact in year one1.
-(was 11.0 <-- remove after agreed placement)
-### Explanation:  
 
-### Key Steps/Milestones
--
--
+## 3.4 Define and report on key metrics
 
-### Time & resource estimate 
+In order to better understand our successes and impact in year one1, we need metrics and reports about the work done. This objective aims to identify (Service Level Indicators), and then measure (Service Level Objectives) ourselves against these. Reports should be presented to the the [TAC](https://github.com/ossf/tac) on a regular basis.
 
-## 3.5 Documenting lessons learned in order to mature the Coordinated Vulnerability Disclosure processes (CVD) with feedback provided to other working groups such as the Best Practices WG, Vuln Disc WG and other existing organizations operating in the incident response world
-(was 12.0 <-- remove after agreed placement)
-### Explanation:  
+- **M1**: _tbd_
+  - [ ] issue1
 
-### Key Steps/Milestones
--
--
 
-### Time & resource estimate 
+## 3.5 Establish a post mortem culture
 
+Documenting lessons learned from handled incidents in order to mature the Coordinated Vulnerability Disclosure processes (CVD) with feedback provided to other working groups such as the Best Practices WG, Vuln Disc WG and other existing organizations operating in the incident response world.
+
+- **M1**: _tbd_
+  - [ ] issue1