Industrial Internet Security Framework v 1.0 | Page 109
11: Security Configuration and Management
be applied to a security model that can be implemented within the organization and periodic
reviews should be scheduled to update it if necessary.
11.4.1 SECURITY POLICY MANAGEMENT
Security policy is an overarching term; there are actually three types of policy. Machine policy
comprises a digital document that contains the settings for the technical security controls on an
endpoint. Organizational policy documents the expected behaviors, both technical and nontechnical, for an environment (for example, firewalls do not allow incoming event
communications, or every room must have a fire extinguisher). Regulatory policy compels
behavior at a high level (state, country, or global) by distinguishing good behavior from bad.¹
Figure 11-4: Policy Relationship
Security policy describes the expected behavior of the security elements of a system; security
monitoring describes what is actually happening in the environment. Security management is the
iterative process that configures and updates the system to maintain the same level of security.
A security management platform provides the ability to define policy for each of the endpoints’
security controls, communications streams and software and firmware updates. The platform
provides an infrastructure for event monitoring and raising alarms at appropriate times. Analytics
provides situational and contextual awareness, and the results update machine policy settings.
Automation pushes policies to endpoints and collects and analyzes events coming from them.
Security management adjusts security capabilities to address changes in conditions. The user
interface and workflow should be simple enough for a person to define, update and monitor
security status accordingly. If security management is difficult to use, people will have difficulty
applying security effectively, and security incidents will be more likely.
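
As an added illustration (not part of the framework text), the sketch below walks one pass of the loop described above: a machine policy as a settings document, monitoring reports of what endpoints actually have, and a management step that finds drift and derives the settings to push back. Setting names, endpoint names and values are constructed for the example.

```python
# Constructed machine policy: setting name -> (check kind, expected value).
MACHINE_POLICY = {
    "firewall.inbound_event_traffic": ("equals", "deny"),
    "comms.tls_required": ("equals", True),
    "firmware.version": ("at_least", (2, 4, 0)),
}

# Constructed monitoring reports: the state each endpoint actually reported.
OBSERVED = {
    "plc-01": {"firewall.inbound_event_traffic": "deny",
               "comms.tls_required": True, "firmware.version": (2, 4, 1)},
    "plc-02": {"firewall.inbound_event_traffic": "allow",
               "comms.tls_required": True, "firmware.version": (2, 3, 9)},
    "hmi-07": {"firewall.inbound_event_traffic": "deny",
               "comms.tls_required": False},  # firmware version not reported
}

def complies(kind, expected, actual):
    """Evaluate one policy check against one observed value."""
    if actual is None:  # a setting the endpoint did not report counts as drift
        return False
    if kind == "equals":
        return actual == expected
    if kind == "at_least":
        return tuple(actual) >= tuple(expected)
    raise ValueError(f"unknown check kind: {kind}")

def find_drift(policy, observed):
    """Return {endpoint: [(setting, expected, actual), ...]} for drifted endpoints."""
    drift = {}
    for endpoint, state in sorted(observed.items()):
        findings = [(name, expected, state.get(name))
                    for name, (kind, expected) in policy.items()
                    if not complies(kind, expected, state.get(name))]
        if findings:
            drift[endpoint] = findings
    return drift

def remediation_plan(drift):
    """Settings the management step would push back to each drifted endpoint.
    For an 'at_least' check the pushed value is the minimum acceptable one."""
    return {ep: {name: expected for name, expected, _ in findings}
            for ep, findings in drift.items()}

if __name__ == "__main__":
    for ep, findings in find_drift(MACHINE_POLICY, OBSERVED).items():
        for name, expected, actual in findings:
            print(f"ALARM {ep}: {name} expected {expected!r}, observed {actual!r}")
```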
¹ For example, see [NERC-CIP] and [EU-2016/679].
IIC:PUB:G4:V1.0:PB:20160926