| SGCI control | Related security capabilities |
| --- | --- |
| D1.1.1 Detail the benefits of the SGCI for the business | Cybersecurity assessment, Risk and Vulnerability Management, Communications plan |
| D1.1.2 Establishment of potential consequences and assumable risk | Risk and Vulnerability Management |
| D1.1.3 Understand the vision, mission, goals, values and strategies of the organization | Cybersecurity assessment |
| D1.1.4 Analysis of the external environment | Risk and Vulnerability Management |
| D1.1.5 Analysis of the internal environment | Risk and Vulnerability Management |
| D1.1.6 Identify key processes and resources | Risk and Vulnerability Management |
| D1.1.7 Identification and analysis of interested parties | Risk and Vulnerability Management |
| D1.1.8 Identification and analysis of business requirements | Risk and Vulnerability Management |
| D1.1.9 Determination of risk assessment and acceptance criteria | Risk and Vulnerability Management |
| D1.2.1 Definition of scope | Cybersecurity assessment, Risk and Vulnerability Management |
| D1.2.2 Planning of resources for the implementation of the SGCI | Risk and Vulnerability Management, Communications plan, Incident response support |
| D1.2.3 Identification of internal and external resources | Risk and Vulnerability Management, Communications plan, Incident response support |
| D1.3.1 Establishment of responsibilities of the Directorate | Compliance, Risk and Vulnerability Management |
| D1.3.2 Establishment of responsibilities of the SGCI Committee | Compliance, Communications plan |
| D1.3.3 Establishment of responsibilities of the SGCI Program Director | Compliance |
| D1.3.4 Establishment of user responsibilities | Awareness and Training, Compliance, Risk and Vulnerability Management, Communications plan |
| D1.4.1 Establishment of Industrial Cybersecurity Policy | Compliance, Risk and Vulnerability Management |
| D2.1.1 Establishment of the risk analysis approach and methodology | Risk and Vulnerability Management |
| D2.2.1 Identification and characterization of assets | Hardware and software inventory |
| D2.2.2 Identification of threats, controls and vulnerabilities | Risk and Vulnerability Management |
| D2.2.3 Calculation and treatment of risk | Risk and Vulnerability Management |
| D3.1.1 Establishment of security regulations linked to human resources | Awareness and Training, Compliance, Communications plan, Access control policy, Use control policy |
| D3.1.2 Background checks | Compliance |
| D3.1.3 Description of jobs | Compliance |
| D3.1.4 Establishment of security responsibilities | Compliance, Communications plan |
| D3.1.5 Periodic review of permissions | Account management |
| D3.1.6 Segregation of duties | Role-based access |
| D3.1.7 Supervision of the use of the systems | Equipment use control |
| D3.1.8 Establishing the acceptable use of resources | Software usage control |
| D3.2.1 Awareness actions | Awareness and Training, Communications plan, Access control policy |
| D3.2.2 Training actions | Awareness and Training, Communications plan, Access control policy |
| D4.1.1 Classification guidelines, impact and sensitivity categories | Use control policy, Data Protection |
| D4.1.2 Identification of owners and custodians | Compliance, Communications plan |
| D4.2.1 Account management | Account management, Access control policy, Use control policy |
| D4.2.2 Authentication | Basic user access control, User access control with hidden display, Multi-factor user access control |
| D4.2.3 Authorization | Role-based access, Use control policy |
| D4.3.1 Organization of physical security | Physical security in the installation of devices, Redundancy system |
| D4.3.2 Protection of physical areas and access control | Hardware Security Keys, Basic user access control, Equipment use control, Physical security in the installation of devices, Redundancy system, Backup system |
| D4.3.3 Physical intrusion detection | Activity log policy, Security log |
| D4.4.1 Protection of communications networks in an industrial context | Network event correlation analysis, Network communications control, Network integrity control, Detect attacks on industrial networks (signature-based), SIEM integration, Network communication visualization |
| D4.4.2 Network segmentation | Secure network design, Separation of environments |
| D4.4.3 Addressing plan | Network event correlation analysis, Detect attacks on industrial networks (signature-based), Secure network design, Network communication visualization |
| D4.4.4 Protection of wireless networks | WI-FI control, Network communications control, Network integrity control, Detect attacks on industrial networks (signature-based), Network communication visualization |
| D4.5.1 Identify applications and software providers | Reliable updates, Certification of the main ICS providers, Software usage control, Use control policy |
| D4.5.2 Establishment of strategy and update plan to protect software | Reliable updates, Advanced antimalware, Software usage control, Host-based firewall |
| D4.5.3 Establishment of security tests and code analysis | Upgrade testing support |
| D4.5.4 Establishment of compensatory measures for non-upgradeable software | Whitelist in discovery mode, Whitelist in prevention mode |
| D4.5.5 Establishment of software change management | Reliable updates, Configuration control, Software usage control, Upgrade testing support |
| D4.5.6 Establishment of SLAs on software evolution | Certification of the main ICS providers, Equipment use control, Software usage control |
| D4.6.1 Establishment of third-party responsibilities | Certification of the main ICS providers, Compliance |
| D4.6.2 Definition of cybersecurity requirements in outsourcing tasks | Certification of the main ICS providers, Compliance |
| D5.1.1 Establishment of scope and policy of resilience and continuity | Cybersecurity assessment, Risk and Vulnerability Management, Communications plan |
| D5.1.2 Defining resilience goals and metrics | Cybersecurity assessment, Risk and Vulnerability Management |
| D5.1.3 Establishment of resilience responsibilities | Compliance |
| D5.1.4 Definition of the expert committee on resilience | Compliance |
| D5.2.1 Establishment of risk scenarios | Cybersecurity assessment, Risk and Vulnerability Management |
| D5.2.2 Impact analysis | Cybersecurity assessment, Risk and Vulnerability Management |
| D5.2.3 Definition of the resilience and continuity strategy | Awareness and Training, Communications plan, Backup Policy |
| D5.3.1 Incident response process | Incident response support |
| D5.3.2 Definition of the communication plan | Communications plan |
| D5.3.3 Definition of the training and awareness plan | Awareness and Training |
| D5.3.4 Definition of the recovery plan | Backup Policy, Backup system |
| D5.3.5 Definition of the continuity plan | Redundancy system, Backup system |
| D5.3.6 Definition of the test plan | Incident response support |
| D6.1.1 Establishment of competency requirements for human resources | Compliance |
| D6.1.2 Establishment of documentary requirements | Compliance |
| D6.1.3 Establish communication requirements | Communications plan |
| D6.2.1 Existence of adequate and controlled system documentation | Compliance, Data Protection |
| D6.2.2 Existence of protection mechanisms for system documentation | Data Protection |
| D6.3.1 Performance evaluation in risk management | Risk and Vulnerability Management |
| D6.3.2 Establishment of indicators | Compliance |
| D6.3.3 Review of entry and exit records | Activity log policy |
| D6.4.1 Establishing the scope of the audit | Activity log policy |
| D6.4.2 Audit planning and implementation | Activity log policy |
| D6.4.3 Existence of documentation of responsibilities and requirements | Compliance |
| D6.4.4 Communication of results | Communications plan |
| D6.5.1 Analysis of monitored events | Network event correlation analysis, Industrial DPI for anomaly detection, SIEM integration, Security log |
| D6.5.2 Establishment of corrective or preventive actions | Risk and Vulnerability Management |
| D6.5.3 Management of the review by the Directorate | Risk and Vulnerability Management |
| D6.6.1 Definition of content to be communicated | Communications plan |
| D6.6.2 Communication planning | Communications plan |
| D6.6.3 Establishment of communication processes | Communications plan |
| D6.7.1 Definition of integration of responsibilities and functions | Compliance |
| D6.7.2 Integration of policies, documentation and activities | Activity log policy |