NIST has published a voluntary framework to reduce cyber risk to
critical infrastructure, as a result of a directive in the
President's executive order on improving critical infrastructure cybersecurity.
The core of this framework is composed of a function matrix and a
framework implementation level matrix. The function matrix contains the
five top-level cybersecurity functions, which are:
- Know: Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost-effective risk management goals.
- Prevent: Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
- Detect: Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
- Respond: Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.
- Recover: Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.
The function matrix becomes part of the critical operations manual, as
it contains detailed functions, specific to each organization, on how to
increase security levels, making all of them part of day-to-day
business tasks.
The framework implementation level matrix defines three implementation levels
from three perspectives: the senior executive, the business process
manager and the operational manager. The goal of this matrix is to
reflect the cybersecurity state of the critical infrastructure from the
perspective of each of those roles.
While this framework is still in draft state, I consider it a
breakthrough in increasing the level of security of critical
infrastructure, as critical infrastructure officers of the companies
have always been reluctant to implement security measures as in the
normal IT world because it goes against the way their operating processes
work and because managers of these areas see no value added in these
tasks. This framework shows them information security as part of their
function and shows a way to integrate it seamlessly into normal business
operation, as they work the same process to prevent operational risks to the
critical infrastructure, like power disruption, pipe explosion,
transformer damage and many others.
You can find the framework core at http://www.nist.gov/itl/upload/draft_framework_core.pdf
Manuel Humberto Santander Peláez SANS Internet Storm Center - Handler
Web: http://manuel.santander.name