NIST framework vs TENACE
Protect Function
(Sestriere, 21-23 January 2015)
Protect Function
«Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services»
• part of the Framework Core
• one of the 5 Functions (the others are Identify, Detect, Respond, Recover)
• set of activities to limit/contain the impact of a potential cybersecurity event
• how to map these activities in TENACE?
Categories
• Protect Function is composed of the following categories:
– Access Control (PR.AC)
– Awareness and Training (PR.AT)
– Data Security (PR.DS)
– Information Protection Processes and Procedures (PR.IP)
– Maintenance (PR.MA)
– Protective Technology (PR.PT)
NIST vs TENACE at a glance
[Figure: TENACE architecture diagram (image not reproduced). Labels recoverable from the slide: Raw Data Source / Critical Infrastructure (environmental data, node resource data, network audit, application/system logs, IDS alerts, …); Data Processing (monitoring adapter, collection and monitoring); Data Analysis (attack modeling, invariant-based mining, conformance checking, fuzzy logic, Bayesian inference, knowledge base, …); Protection Actions (from/to Data Analysis module); layers: Monitoring, Detection, Adaptation, Reconfiguration. Annotation on the slide: "Where is the Protect function?"]
Review of the TENACE framework
• the current TENACE framework mostly highlights the Detect and Respond functions
• other functions are certainly present but don’t appear explicitly (e.g., Protect)
• actions
– make the other functions emerge
– look through deliverables to determine coverage
• identify
– gaps
– future actions / directions
Access Control
«Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions»
Sub-category | TENACE
Identities and credentials are managed for authorized devices and users | Yes (as a requirement)
Physical access to assets is managed and protected | Yes (uniparthenope)
Remote access is managed | Yes (as a requirement)
Access permissions are managed, incorporating the principles of least privilege and separation of duties | Yes (as a requirement)
Network integrity is protected, incorporating network segregation where appropriate | ? (as a requirement)
Awareness & Training
«The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements»
Sub-category | TENACE
All users are informed and trained | Not addressed
Privileged users understand roles & responsibilities | Not addressed
Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | Not addressed
Senior executives understand roles & responsibilities | Not addressed
Physical and information security personnel understand roles & responsibilities | Not addressed
Data Security
«Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information»
Sub-category | TENACE
Data-at-rest is protected | Yes
Data-in-transit is protected | Yes
Assets are formally managed throughout removal, transfers, and disposition | Not addressed
Adequate capacity to ensure availability is maintained | Yes (D2a, ?)
Protections against data leaks are implemented | Yes (partially)
Integrity checking mechanisms are used to verify software, firmware, and information integrity | Yes (D2a, ?)
The development and testing environment(s) are separate from the production environment | Yes (as a requirement)
Information Protection Processes and Procedures
«Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets»
Sub-category | TENACE
A baseline configuration of information technology/industrial control systems is created and maintained | ?
A System Development Life Cycle to manage systems is implemented | ?
Configuration change control processes are in place | Yes
Backups of information are conducted, maintained, and tested periodically | Not addressed
Policy and regulations regarding the physical operating environment for organizational assets are met | Not addressed
Information Protection Processes and Procedures (2)
Sub-category | TENACE
Data is destroyed according to policy | No
Protection processes are continuously improved | Yes
Effectiveness of protection technologies is shared with appropriate parties | No (check)
Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | ?
Response and recovery plans are tested | ?
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | ?
A vulnerability management plan is developed and implemented | Yes (check)
Protective Technology
«Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements»
Sub-category | TENACE
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | Yes
Removable media is protected and its use restricted according to policy | No
Access to systems and assets is controlled, incorporating the principle of least functionality | Yes (as a requirement)
Communications and control networks are protected | Yes (as a requirement)
Maintenance
«Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures»
Sub-category | TENACE
Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | ?
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | ?