Cyber Security Framework


The National Institute of Standards and Technology (NIST)

The core of the NIST Cybersecurity Framework consists of five functions (this is the structure of CSF version 1.1; CSF 2.0, published in 2024, adds a sixth function, Govern):

- Identify
- Protect
- Detect
- Respond
- Recover

Identify


Management of Assets

All elements that help the organisation achieve its business objectives, such as data, personnel, equipment, systems and facilities, are identified and managed. This is done on the basis of their relative importance to the organisation's business objectives and risk strategy.

  • Physical devices and systems within the organisation are inventoried.
  • Software platforms and applications within the organisation are inventoried.
  • Communication and data flows within the organisation are mapped.
  • External information systems are catalogued.
  • Resources such as hardware, devices, data and software are prioritised according to their classification and business value.
  • Cybersecurity roles and responsibilities for all staff and external stakeholders, such as suppliers, customers and partners, are established.

Business environment

The organisation's mission, objectives, stakeholders and activities are clearly understood and prioritised. This information is used to make informed decisions regarding cybersecurity roles, responsibilities and risk management.

  • The organisation's role in the supply chain is identified and communicated.
  • The organisation's position within the critical infrastructure and business sector is identified and shared.
  • Priorities regarding the organisation's mission, objectives and activities are identified and communicated.
  • Dependencies and critical functions for the delivery of essential services are identified.
  • Requirements for resilience to support the delivery of critical services are identified.

Governance

The organisation understands and manages its policies, procedures and processes for complying with and overseeing regulatory, legal, risk, environmental and operational requirements. These elements form the basis for cyber security risk management.

  • The organisation's information security policy is established.
  • Information security roles and responsibilities are coordinated and aligned with internal functions and external partners.
  • The organisation understands and acts upon legal and regulatory requirements for cyber security, including privacy and civil liberties obligations.
  • Governance and risk management processes are specifically focused on managing cyber security risks.

Risk assessment

The organisation understands the cyber security risks that may affect its operations (including mission, functions, image or reputation), assets and people.

  • Vulnerabilities of assets are identified and documented.
  • Information on threats and vulnerabilities is obtained from information-sharing forums and sources.
  • Threats, both internal and external, are identified and documented.
  • Potential business impact and likelihood are identified.
  • Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  • Risk responses are identified and prioritised.

Risk management strategy

The organisation establishes its priorities, constraints, risk tolerances and assumptions to support operational risk decisions.

  • Risk management processes are established, managed and approved by stakeholders within the organisation.
  • The organisation's risk tolerance is determined and clearly articulated.
  • The organisation determines its risk tolerance based on its role within the critical infrastructure and sector-specific risk analysis.

Protect


Access control

Access to assets and associated facilities is restricted to authorised users, processes or devices, and only to authorised activities and transactions.

  • Identities and credentials are managed for authorised devices and users.
  • Physical access to assets is managed and protected.
  • Remote access is managed.
  • Access rights are managed according to the principles of least privilege and segregation of duties.
  • Network integrity is protected, including network segregation where necessary.

Awareness

The organisation's staff and partners are informed and trained on cybersecurity so that they can perform their information security duties and responsibilities according to applicable policies, procedures and agreements.

  • All users are well informed and have received appropriate training.
  • Authorised users have a clear understanding of their roles and responsibilities.
  • External stakeholders, such as suppliers, customers and partners, are aware of their roles and responsibilities.
  • Senior managers have an understanding of their roles and responsibilities.
  • Employees responsible for physical and information security know their roles and responsibilities.

Data security

Information and data are managed according to the organisation's risk strategy to ensure confidentiality, integrity and availability.

  • Data at rest is protected.
  • Data in transit is protected.
  • Assets are formally managed during disposal, transfer and divestment.
  • Sufficient capacity is maintained to ensure availability.
  • Measures are taken to prevent data breaches.
  • Integrity control mechanisms are applied to verify the integrity of software, firmware and information.
  • Development and test environments are separated from the production environment.
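The bullet on integrity control mechanisms is the one outcome in this list that maps directly onto a concrete check: a release manifest of cryptographic digests that is itself protected, so that neither a firmware image or package nor the manifest can be altered without detection. The following is an added example, not code from the original page or from IRM360; the artefacts, paths and the signing key are constructed for illustration, and an HMAC stands in for the asymmetric signature a real release pipeline would use to sign the manifest.

```python
import hashlib
import hmac
import json

# Constructed sample artefacts: in-memory bytes standing in for a firmware image
# and a software package as they would be delivered to a device or a host.
ARTEFACTS = {
    "firmware/plc-v2.bin": b"\x7fELF constructed firmware image contents.",
    "pkg/agent-1.4.whl": b"PK\x03\x04 constructed package bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artefacts: dict, signing_key: bytes) -> dict:
    """Produce a manifest of SHA-256 digests plus an HMAC-SHA256 over the canonical
    manifest body. The MAC protects the manifest itself: an attacker who patches a
    file cannot simply rewrite the expected digest as well. (HMAC is an assumed
    stand-in for a signature with a release key held offline.)"""
    body = {
        "algorithm": "sha256",
        "files": {path: sha256_hex(data) for path, data in sorted(artefacts.items())},
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "mac": hmac.new(signing_key, canonical, "sha256").hexdigest()}


def verify(artefacts: dict, manifest: dict, signing_key: bytes) -> dict:
    """Return a per-path verdict: 'ok', 'tampered', 'missing' (listed but absent) or
    'unlisted' (present but not in the manifest). If the manifest MAC does not
    verify, nothing in it can be trusted and every path is 'untrusted-manifest'."""
    canonical = json.dumps(manifest["body"], sort_keys=True, separators=(",", ":")).encode()
    expected_mac = hmac.new(signing_key, canonical, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        paths = set(artefacts) | set(manifest["body"]["files"])
        return {path: "untrusted-manifest" for path in paths}

    listed = manifest["body"]["files"]
    verdicts = {}
    for path, digest in listed.items():
        if path not in artefacts:
            verdicts[path] = "missing"
        elif hmac.compare_digest(sha256_hex(artefacts[path]), digest):
            verdicts[path] = "ok"
        else:
            verdicts[path] = "tampered"
    for path in artefacts:
        if path not in listed:
            verdicts[path] = "unlisted"  # a file the release never shipped
    return verdicts


def demo():
    key = b"constructed-signing-key-do-not-reuse"
    manifest = build_manifest(ARTEFACTS, key)
    clean = verify(ARTEFACTS, manifest, key)

    # Scenario 1: one byte of the firmware image is patched after release and an
    # extra binary is dropped alongside the shipped files.
    tampered = dict(ARTEFACTS)
    tampered["firmware/plc-v2.bin"] = ARTEFACTS["firmware/plc-v2.bin"][:-1] + b"\x00"
    tampered["plugin/rogue.so"] = b"constructed unexpected binary"
    after = verify(tampered, manifest, key)

    # Scenario 2: the attacker also regenerates the manifest to match the patched
    # files, but without the release key, so the MAC check rejects it outright.
    forged = build_manifest(tampered, b"wrong-key")
    forged_result = verify(tampered, forged, key)
    return clean, after, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered files", "forged manifest"), demo()):
        print(label, result)
```

The verify step belongs wherever the artefact is consumed (a device bootloader, a package installer, a deployment job), and the manifest's expected digests should be compared with `hmac.compare_digest` rather than `==` so the comparison does not leak timing information.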

Information Security Processes and Procedures

Security policies, processes and procedures are maintained and applied to effectively manage the protection of information systems and assets. This includes guidelines on purpose, scope, roles, responsibilities, management involvement and coordination between organisational units.

  • A baseline configuration for information technology and industrial control systems is established and maintained.
  • A system development life cycle for managing systems is implemented.
  • Configuration change control processes are in place.
  • Backups of information are created, maintained and periodically tested.
  • Policies and regulations for the organisation's physical operating environment are complied with.
  • Data is destroyed according to policy.
  • Security processes are continuously improved.
  • The effectiveness of protection technologies is shared with appropriate parties.
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
  • Response and recovery plans are tested.
  • Cyber security is included in human resources policies, such as staff screening.
  • A vulnerability management plan is developed and implemented.

Maintenance

Maintenance and repairs of industrial control and information system components are carried out according to established policies and procedures.

  • Maintenance and repair of organisational assets are performed and documented in a timely manner, using approved and controlled tools.
  • Remote maintenance of operating assets is approved, recorded and performed in a manner that prevents unauthorised access.

Protective Technology

Technical security solutions are managed to ensure the security and resilience of systems and assets, in line with policies, procedures and agreements.

  • Audit and log files are established, documented, implemented and evaluated according to policy.
  • Removable media are protected and their use restricted according to policy.
  • Access to systems and assets is controlled using the principle of least functionality.
  • Communication and control networks are protected.

Detect


Anomalies and Events

Anomalies are detected in a timely manner and the potential impact of events is understood.

  • A baseline of network activity and expected data flows for users and systems is established and managed.
  • Detected events are analysed to understand attack targets and methods.
  • Event data is collected and correlated from multiple sources and sensors.
  • The impact of events is assessed and thresholds for incident alerts are set.
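The four outcomes above describe a detection pipeline in outline: learn a baseline of expected data flows per user, compare new events against it, correlate across sources, and set thresholds that decide when an anomaly becomes an incident alert. The following is an added example that is not part of the original page: it builds a per-user baseline from constructed outbound-flow records, then scores a detection window in which authentication events and flows are correlated, escalating a flow to a new destination when it follows a burst of failed logins. The log formats, thresholds and window sizes are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample data (not real logs). Flows: "timestamp,user,dst,bytes".
# Auth events: "timestamp,user,src_ip,result".
BASELINE_FLOWS = """\
2024-05-01T09:00:00,alice,fileshare.corp,120000
2024-05-01T09:30:00,alice,crm.corp,80000
2024-05-01T10:00:00,alice,fileshare.corp,150000
2024-05-01T09:10:00,bob,git.corp,50000
2024-05-01T11:00:00,bob,git.corp,70000
"""

AUTH_EVENTS = """\
2024-05-02T02:00:00,alice,203.0.113.7,failure
2024-05-02T02:00:20,alice,203.0.113.7,failure
2024-05-02T02:00:45,alice,203.0.113.7,failure
2024-05-02T02:01:10,alice,203.0.113.7,success
2024-05-02T09:05:00,bob,10.0.0.12,success
"""

DETECTION_FLOWS = """\
2024-05-02T02:06:00,alice,203.0.113.9,9000000
2024-05-02T09:10:00,bob,git.corp,65000
2024-05-02T09:20:00,bob,pastebin.example,4000
"""

# Assumed thresholds; in practice these are tuned per environment.
FAILURE_BURST = 3                            # failures from one source before a success
BURST_WINDOW = timedelta(minutes=5)          # ... within this window
CORRELATION_WINDOW = timedelta(minutes=10)   # flow this soon after a suspicious login is escalated
VOLUME_FACTOR = 5.0                          # bytes above factor x baseline mean per user is anomalous


def parse(block, fields):
    rows = []
    for line in block.strip().splitlines():
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        if "bytes" in row:
            row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def build_baseline(flows):
    """Per user: destinations seen in the learning window and mean bytes per flow."""
    dsts, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        dsts[f["user"]].add(f["dst"])
        sizes[f["user"]].append(f["bytes"])
    return {u: {"dsts": dsts[u], "mean_bytes": mean(sizes[u])} for u in dsts}


def suspicious_logins(auth):
    """Successful logins preceded by >= FAILURE_BURST failures from the same source."""
    out = []
    for ev in auth:
        if ev["result"] != "success":
            continue
        fails = [a for a in auth
                 if a["result"] == "failure" and a["src_ip"] == ev["src_ip"]
                 and a["user"] == ev["user"] and ev["ts"] - BURST_WINDOW <= a["ts"] < ev["ts"]]
        if len(fails) >= FAILURE_BURST:
            out.append(ev)
    return out


def detect(baseline, auth, flows):
    """Flag flows that deviate from the baseline; escalate when correlated with a login."""
    logins = suspicious_logins(auth)
    alerts = []
    for f in flows:
        b = baseline.get(f["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if f["dst"] not in b["dsts"]:
                reasons.append("unseen destination")
            if f["bytes"] > VOLUME_FACTOR * b["mean_bytes"]:
                reasons.append("volume above baseline")
        if not reasons:
            continue  # matches expected data flows, no event
        correlated = any(l["user"] == f["user"]
                         and 0 <= (f["ts"] - l["ts"]).total_seconds() <= CORRELATION_WINDOW.total_seconds()
                         for l in logins)
        # Threshold for an incident alert: two deviations plus a correlated login is "high".
        if correlated and len(reasons) > 1:
            severity = "high"
        elif correlated or len(reasons) > 1:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"ts": f["ts"].isoformat(), "user": f["user"], "dst": f["dst"],
                       "reasons": reasons, "correlated_login": correlated, "severity": severity})
    return alerts


def run():
    baseline = build_baseline(parse(BASELINE_FLOWS, ["ts", "user", "dst", "bytes"]))
    auth = parse(AUTH_EVENTS, ["ts", "user", "src_ip", "result"])
    flows = parse(DETECTION_FLOWS, ["ts", "user", "dst", "bytes"])
    return detect(baseline, auth, flows)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data the 02:06 transfer by alice to an address never seen in the baseline, roughly 77 times her mean flow size and five minutes after a burst of failures followed by a success from the same address, is raised as high severity; bob's small flow to an unseen host with no corroborating login stays a low-severity event for analyst review rather than an incident.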

Ongoing Security Monitoring

The information system and assets are monitored periodically to identify cyber security events and verify the effectiveness of protection measures.

  • The network is monitored to detect possible cyber security events.
  • The physical environment is monitored to detect possible cyber security events.
  • Staff activities are monitored to detect possible cyber security events.
  • Malicious code is detected.
  • Unauthorised mobile code is detected.
  • Activities of external service providers are monitored to detect possible cyber security events.
  • Unauthorised personnel, unauthorised connections, unauthorised devices and unauthorised software are monitored.
  • Vulnerability scans are performed.

Detection processes

Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond


Response planning

Response processes and procedures are implemented and maintained to ensure rapid response to detected cyber security events.

  • The response plan is activated during or after an event.

Communication

Response activities are coordinated with internal and external stakeholders, including external support from law enforcement agencies, as needed.

  • Staff know their roles and the sequence of operations during a response.
  • Events are reported according to established criteria.
  • Information is shared according to response plans.
  • Coordination with stakeholders is done according to response plans.
  • Voluntary information sharing with external stakeholders promotes broader situational awareness of cybersecurity.

Analysis

A thorough analysis is carried out to ensure that an appropriate response follows and to support recovery activities.

  • Investigation of reports from detection systems: All reports from security detection systems are carefully investigated to determine the nature and severity of the incident.
  • Understanding the impact of the incident: The consequences and scope of the incident are fully understood to evaluate the impact on the organisation.
  • Forensic investigation: A thorough forensic investigation is conducted to ascertain the cause, methods and extent of the incident.
  • Categorisation of incidents according to response plans: Incidents are categorised according to pre-established response plans to ensure a structured and efficient response.

Mitigation

Measures are taken to contain an event, limit its impact and eradicate the incident.

  • Incident containment: Actions are taken to immediately stop the spread of the incident and prevent further damage.
  • Mitigation of incidents: Action is taken to reduce the impact and damage caused by the incident.
  • Managing new vulnerabilities: Newly identified vulnerabilities are addressed by mitigating them or, if necessary, documenting them as an accepted risk.

Improvements

Organisational response activities are optimised by learning from current and previous detection and response experiences.

  • Integration of lessons learned into response plans: Response plans are adapted and improved based on insights and lessons learned from previous incidents and responses.
  • Updating response strategies: Incident response strategies are updated to respond more effectively and efficiently to future incidents based on lessons learned.

Recover


Recovery planning

Recovery processes and procedures are implemented and maintained to ensure timely recovery of systems or assets affected by cyber security incidents.

  • Recovery plan implementation: The recovery plan is deployed during or immediately after an incident to resume normal operations as soon as possible.

Improvements

Recovery planning and processes are optimised by incorporating lessons learned into future activities.

  • Incorporating lessons learned into recovery plans: Recovery plans are adapted and improved based on insights and experiences from previous recovery activities.
  • Updating recovery strategies: Recovery strategies are updated to ensure more effective and efficient recovery in future incidents.

Communication

Recovery activities are coordinated with internal and external parties, including coordination centres, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors.

  • Public relations management: communication with the outside world is carefully managed to protect the organisation's reputation.
  • Restoring reputation after an incident: Active measures are taken to restore the organisation's trust and reputation after a security incident.
  • Communication of recovery activities: Information on recovery activities is shared with internal stakeholders, including executive and management teams, to keep them informed of progress and results.

Want to know more about our ISMS management system?


We would like to get in touch

Mail to: sales@irm360.nl or fill in the contact form.