Cyber Security Framework


The National Institute of Standards and Technology (NIST) Cybersecurity Framework

The framework organizes an organization's cybersecurity activities into five core functions (as defined in CSF version 1.1; version 2.0, published in 2024, adds a sixth function, Govern):

- Identify
- Protect
- Detect
- Respond
- Recover

Identify


Asset Management

All elements that help the organization achieve its business objectives, such as data, personnel, equipment, systems and facilities, are identified and managed. This is done based on their relative importance to the organization's business objectives and risk strategy.

  • Physical devices and systems within the organization are inventoried.
  • Software platforms and applications within the organization are inventoried.
  • Communication and data flows within the organization are mapped.
  • External information systems are catalogued.
  • Resources such as hardware, devices, data and software are prioritized based on their classification, criticality and business value.
  • Cybersecurity roles and responsibilities for all personnel and external stakeholders, such as suppliers, customers and partners, are established.

Business Environment

The organization's mission, objectives, stakeholders and activities are clearly understood and prioritized. This information is used to make informed decisions regarding cybersecurity roles, responsibilities and risk management.

  • The organization's role in the supply chain is identified and communicated.
  • The organization's position within the critical infrastructure and business sector is identified and shared.
  • Priorities related to the organization's mission, goals and activities are identified and communicated.
  • Dependencies and critical functions for delivery of essential services are identified.
  • Requirements for resilience to support delivery of critical services are identified.

Risk Assessment

The organization understands the cybersecurity risks that may affect its operations (including mission, functions, image or reputation), assets and people.

  • Vulnerabilities to assets are identified and documented.
  • Information on threats and vulnerabilities is obtained from information-sharing forums and sources.
  • Threats, both internal and external, are identified and documented.
  • Potential business impact and likelihood are identified.
  • Threats, vulnerabilities, probabilities and impacts are used to assess risk.
  • Risk responses (accept, mitigate, transfer or avoid) are identified and prioritized.

Risk Management Strategy

The organization establishes its priorities, constraints, risk tolerances and assumptions to support operational risk decisions.

  • Risk management processes are established, managed and approved by stakeholders within the organization.
  • The organization's risk tolerance is determined and clearly articulated.
  • The organization's determination of its risk tolerance is informed by its role in critical infrastructure and by sector-specific risk analysis.

Protect


Access Control

Access to assets and associated facilities is restricted to authorized users, processes or devices, and only to authorized activities and transactions.

  • Identities and credentials are managed for authorized devices and users.
  • Physical access to assets is managed and protected.
  • Remote access is managed.
  • Access rights are managed according to the principles of least privilege and segregation of duties.
  • Network integrity is protected, including network segmentation where appropriate.

Awareness and Training

The organization's staff and partners are informed and trained on cyber security so that they can carry out their information security duties and responsibilities according to applicable policies, procedures and agreements.

  • All users are well informed and have received appropriate training.
  • Authorized users have a clear understanding of their roles and responsibilities.
  • External stakeholders, such as suppliers, customers and partners, are aware of their roles and responsibilities.
  • Senior managers have an understanding of their roles and responsibilities.
  • Employees responsible for physical and information security know their roles and responsibilities.

Data Security

Information and data are managed according to the organization's risk strategy to ensure confidentiality, integrity and availability.

  • Data at rest is protected.
  • Data in transit is protected.
  • Assets are formally managed during removal, transfer and disposal.
  • Sufficient capacity is maintained to ensure availability.
  • Measures are taken to prevent data breaches.
  • Integrity control mechanisms are implemented to verify the integrity of software, firmware and information.
  • Development and test environments are separated from the production environment.
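The integrity-control bullet above is the one item in this list that is a concrete mechanism rather than a policy statement, so here is an added example (not part of the original page, and not the publisher's code) of what such a control looks like for software and configuration files: a manifest of SHA-256 digests that is itself authenticated with an HMAC, so that an attacker who can change a file cannot simply rewrite the hash list to match. The key, file names and file contents are constructed for illustration.

```python
"""Integrity control for software and configuration files: a hash manifest
authenticated with an HMAC. Added example, not from the original page; the
key, file names and contents are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed key. In practice it comes from a secret store, never from source.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed 'installed files' (path -> content) standing in for a real tree.
SAMPLE_FILES = {
    "bin/app": b"\x7fELF...constructed binary image...",
    "etc/app.conf": b"listen = 127.0.0.1:8443\ntls = required\n",
    "lib/plugin.so": b"constructed shared object",
}


def _digests(files):
    """SHA-256 of every file, keyed by path, in sorted order."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def _mac(digests, key):
    # Canonical serialisation so the MAC does not depend on dict ordering.
    body = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Produce the reference manifest at release/deploy time."""
    digests = _digests(files)
    return {"digests": digests, "mac": _mac(digests, key)}


def verify_manifest(files, manifest, key):
    """Check a file tree against the manifest.

    Returns (ok, problems). The manifest's own authenticity is checked first:
    a plain hash list that anyone can rewrite is not an integrity control."""
    if not hmac.compare_digest(_mac(manifest["digests"], key), manifest["mac"]):
        return False, ["manifest: authentication failed"]
    problems = []
    for path, expected in manifest["digests"].items():
        if path not in files:
            problems.append(f"{path}: missing")
        elif not hmac.compare_digest(hashlib.sha256(files[path]).hexdigest(), expected):
            problems.append(f"{path}: modified")
    for path in sorted(files):
        if path not in manifest["digests"]:
            problems.append(f"{path}: not in manifest")
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY)
    print(verify_manifest(SAMPLE_FILES, manifest, DEMO_KEY))
    tampered = dict(SAMPLE_FILES, **{"etc/app.conf": b"listen = 0.0.0.0:8443\ntls = off\n"})
    print(verify_manifest(tampered, manifest, DEMO_KEY))
```

The HMAC is symmetric, so every host that verifies must hold the same secret as the host that built the manifest; that is acceptable inside one trust domain, but for software or firmware distributed to parties you do not control the manifest should instead carry a digital signature (for example with a code-signing key) so that verifiers hold only a public key. The verification reports three distinct failure modes (modified, missing, and files present that the manifest never listed), because an unlisted file dropped next to a legitimate one is as much an integrity finding as a changed binary.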

Information Protection Processes and Procedures

Security policies, processes and procedures are maintained and applied to effectively manage the protection of information systems and assets. This includes guidelines on purpose, scope, roles, responsibilities, management involvement and coordination among organizational units.

  • A baseline configuration of information technology and industrial control systems is created and maintained.
  • A system development life cycle for managing systems is implemented.
  • Configuration changes are controlled through processes.
  • Backups of information are created, maintained and periodically tested.
  • Policies and regulations for the organization's physical operating environment are met.
  • Data is destroyed according to policy.
  • Security processes are continually improved.
  • The effectiveness of protection technologies is shared with appropriate parties.
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
  • Response and recovery plans are tested.
  • Cybersecurity is incorporated into personnel policies, such as personnel screening.
  • A vulnerability management plan is developed and implemented.

Maintenance

Maintenance and repairs of industrial control and information system components are performed according to established policies and procedures.

  • Maintenance and repair of organizational assets are performed and documented in a timely manner, using approved and controlled tools.
  • Remote maintenance of organizational assets is approved, recorded and performed in a manner that prevents unauthorized access.

Protective Technology

Technical security solutions are managed to ensure the security and resilience of systems and assets in line with policies, procedures and agreements.

  • Audit and log files are established, documented, implemented and evaluated according to policy.
  • Removable media are protected and their use is restricted according to policy.
  • Systems are configured according to the principle of least functionality, providing only essential capabilities.
  • Communication and control networks are protected.

Detect


Anomalies and Events

Anomalies are detected in a timely manner and the potential impact of events is understood.

  • A baseline of network activity and expected data flows for users and systems is established and managed.
  • Detected events are analyzed to understand attack targets and methods.
  • Event data is collected and correlated from multiple sources and sensors.
  • The impact of events is assessed and thresholds for incident alerts are established.
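The four bullets above describe a detection pipeline (a baseline of expected flows, correlation across sensors, and alert thresholds) without showing one. The following is an added example, not part of the original page and not the publisher's code, that runs that pipeline over constructed input: a small baseline of expected (source, destination, port) flows, a few flow records, and a few SSH authentication log lines from a second sensor. Host names, log formats and the threshold values are all assumptions made for the illustration.

```python
"""Baseline-and-threshold event detection with cross-source correlation.

Added example, not part of the original page. The flow-record format, host
names, baseline, thresholds and auth-log lines are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed baseline of expected data flows: (src_host, dst_host, dst_port).
BASELINE = {
    ("web-01", "db-01", 5432),
    ("web-01", "cache-01", 6379),
    ("app-01", "db-01", 5432),
    ("jump-01", "db-01", 22),
}

# Assumed thresholds: unexpected flows from one host, or failed logins on one
# host, before the events are raised as an incident alert.
FLOW_THRESHOLD = 3
AUTH_THRESHOLD = 5


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<ts> <src> -> <dst>:<port>'."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(port))


def unexpected_flows(flow_lines):
    """Flows absent from the baseline; these are the candidate anomalies."""
    return [f for f in map(parse_flow, flow_lines)
            if (f.src, f.dst, f.port) not in BASELINE]


def parse_auth_failures(auth_lines):
    """Count failed logins per host from constructed lines of the form
    '<ts> <host> sshd: Failed password for <user>'."""
    counts = Counter()
    for line in auth_lines:
        parts = line.split()
        if "Failed" in parts:
            counts[parts[1]] += 1
    return counts


def correlate(flow_lines, auth_lines):
    """Combine both sensors per host and assign a severity.

    A host is 'high' when it crosses both thresholds, 'medium' when it crosses
    one, and is not reported otherwise."""
    flow_counts = Counter(f.src for f in unexpected_flows(flow_lines))
    auth_counts = parse_auth_failures(auth_lines)
    report = {}
    for host in set(flow_counts) | set(auth_counts):
        hits = (flow_counts[host] >= FLOW_THRESHOLD) + (auth_counts[host] >= AUTH_THRESHOLD)
        if hits:
            report[host] = {
                "unexpected_flows": flow_counts[host],
                "auth_failures": auth_counts[host],
                "severity": "high" if hits == 2 else "medium",
            }
    return report


# Constructed sample input from two sensors.
FLOW_LOG = [
    "2024-05-01T10:00:01 web-01 -> db-01:5432",
    "2024-05-01T10:00:02 web-01 -> db-01:22",
    "2024-05-01T10:00:03 web-01 -> app-01:445",
    "2024-05-01T10:00:04 web-01 -> 203.0.113.7:4444",
    "2024-05-01T10:00:05 app-01 -> db-01:5432",
    "2024-05-01T10:00:06 app-01 -> db-01:3389",
]
AUTH_LOG = [
    "2024-05-01T10:00:10 web-01 sshd: Failed password for root",
    "2024-05-01T10:00:11 web-01 sshd: Failed password for root",
    "2024-05-01T10:00:12 web-01 sshd: Failed password for admin",
    "2024-05-01T10:00:13 web-01 sshd: Failed password for admin",
    "2024-05-01T10:00:14 web-01 sshd: Failed password for oracle",
    "2024-05-01T10:00:15 jump-01 sshd: Accepted publickey for ops",
    "2024-05-01T10:00:16 db-01 sshd: Failed password for postgres",
]

if __name__ == "__main__":
    for host, detail in sorted(correlate(FLOW_LOG, AUTH_LOG).items()):
        print(host, detail)
```

On the constructed input, web-01 is reported at high severity: three flows outside its baseline (including an outbound connection to an external address on port 4444) together with five failed logins, while app-01's single unexpected flow and db-01's single failed login stay below their thresholds. The point of the correlation step is exactly that ordering: either sensor alone would have produced a low-confidence event, and the per-host join is what turns two weak signals into one alert worth paging on. In a real deployment the baseline is learned from a known-good period and reviewed, not hand-written, and thresholds are tuned against the false-positive rate observed on the organization's own traffic.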

Security Continuous Monitoring

The information system and assets are monitored continuously to identify cybersecurity events and verify the effectiveness of protective measures.

  • The network is monitored to detect possible cyber security events.
  • The physical environment is monitored to detect possible cyber security events.
  • Personnel activities are monitored to detect possible cyber security events.
  • Malicious code is detected.
  • Unauthorized mobile code is detected.
  • Activities of external service providers are monitored to detect possible cyber security events.
  • Unauthorized personnel, unauthorized connections, unauthorized devices and unauthorized software are monitored.
  • Vulnerability scans are performed.

Detection processes

Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond


Response Planning

Response processes and procedures are implemented and maintained to ensure rapid response to detected cybersecurity events.

  • The response plan is executed during or after an incident.

Communications

Response activities are coordinated with internal and external stakeholders, including external law enforcement support, as needed.

  • Personnel know their roles and the sequence of operations during a response.
  • Events are reported according to established criteria.
  • Information is shared according to response plans.
  • Coordination with stakeholders is done according to response plans.
  • Voluntary information sharing with external stakeholders promotes broader situational awareness of cybersecurity.

Analysis

A thorough analysis is conducted to ensure appropriate response and to support remedial activities.

  • Investigation of reports from detection systems: All reports from security detection systems are carefully investigated to determine the nature and severity of the incident.
  • Understanding the impact of the incident: The consequences and scope of the incident are fully understood to evaluate the impact on the organization.
  • Forensic investigation: A thorough forensic investigation is conducted to determine the cause, methods and extent of the incident.
  • Categorization of incidents according to response plans: Incidents are classified according to pre-established response plans to ensure a structured and efficient response.

Mitigation

Measures are taken to contain an event, limit its impact and eradicate the incident.

  • Incident containment: Actions are taken to immediately stop the spread of the incident and prevent further damage.
  • Incident mitigation: Actions are taken to reduce the impact and damage caused by the incident.
  • Managing new vulnerabilities: Newly identified vulnerabilities are addressed by mitigating or, if necessary, documenting them as an accepted risk.

Improvements

Optimize organizational response activities by learning from current and previous detection and response experiences.

  • Integration of lessons learned into response plans: Response plans are modified and improved based on insights and lessons learned from previous incidents and responses.
  • Updating response strategies: Incident response strategies are updated to respond more effectively and efficiently to future incidents based on lessons learned.

Recover


Recovery Planning

Recovery processes and procedures are implemented and maintained to ensure timely recovery of systems or assets affected by cyber security incidents.

  • Recovery Plan Implementation: The recovery plan is deployed during or immediately after an incident to resume normal operations as quickly as possible.

Improvements

Optimize recovery planning and processes by incorporating lessons learned into future activities.

  • Incorporate lessons learned into recovery plans: Recovery plans are adapted and improved based on insights and experiences from past recovery activities.
  • Updating recovery strategies: Recovery strategies are updated to ensure more effective and efficient recovery in future incidents.

Communications

Recovery activities are coordinated with internal and external parties, including coordination centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

  • Public Relations Management: Communication with the outside world is carefully managed to protect the organization's reputation.
  • Restoring reputation after an incident: Active measures are taken to restore the organization's trust and reputation after a security incident.
  • Communication of recovery activities: Information about recovery activities is shared with internal stakeholders, including executive and management teams, to keep them informed of progress and results.

Contact: sales@irm360.nl