Provider capabilities CCI
Name |
Description |
Compliance |
Centralized management of regulatory and legal requirements. Identification of the responsibilities and those responsible for monitoring and complying with the applicable regulations and laws in force. Definition of functions and competencies and documentary requirements. Definition of necessary committees. Identification and establishment of owners and custodians. Background check and definition of the required job position. |
Awareness and Training |
Awareness plan for employees, managers, suppliers and customers. Training plan for technical staff. Training plan for key personnel. Maturity level tests or assessments on employee awareness and training. Indicators of evolution and continuous improvement of knowledge and training (internal and of the supply chain). |
Secure network design |
Provide specifications for secure network design, segmentation, addressing, and communication protocols |
Cybersecurity assessment |
Provide minimally invasive industrial cybersecurity assessment. First step in establishing security requirements within the context of operational needs, this can also provide meaningful information on security levels, even less deployment of protection technologies |
Access control policy |
User and group policy that will define access for each type of information established and assignment of permissions by profiles and groups |
Risk and Vulnerability Management |
Management of technological and operational risk, analysis of the impact of business processes or operation. Analysis and management of vulnerabilities, historical monitoring of Vulnerabilities. Identification and planning of necessary resources, processes and responsibilities. Definition of risk approach and methodology. Management of the review by management. |
Network communication visualization |
Communication monitoring system of network devices, identifying industrial protocols used, bandwidth use and end points on a network map with the ability to categorize by levels in purdue |
Use control policy |
Control policy for the use of equipment (laptops, mobile devices ...) with procedures for restricting connections and access, as well as procedures for using software and services. Change management and updates. Procedures to permanently delete data from devices that are de-registered. Procedures for the use of encryption in data and communications. Change user password by default. |
Activity log policy |
Policy that will establish the type of information and events to be recorded, validity for storing the data, auditing mechanisms and storage capacity for recording events. Definition of health and safety alerts for devices, and thresholds for each case according to criticality. Definition of non-repudiation mechanisms (timestamp, electronic signature ...) against changes in configuration, permissions or user activity |
Backup Policy |
Policy that defines the type of copies and their periodicity, their labeling, as well as the media on which they must be made and the locations of the backup centers where the backup copies are stored. This policy will also define periodic restoration tests |
Communications plan |
Escalation process, media management process, internal communication process, communication process with third parties (customers, partners, suppliers, shareholders, investors, etc.) |
Incident response support |
Health support management for events during incident response. Additional fields to complete with information about the event |
Hardware and software inventory |
Obtain data from both Hardware and Software equipment in order to form a dynamic inventory. Manage an inventory of hardware and software either automated or manual. |