Industrial Internet Security Framework v 1.0 | Page 109

Security Framework 11: Security Configuration and Management

be applied to a security model that can be implemented within the organization and periodic reviews should be scheduled to update it if necessary.

11.4.1 SECURITY POLICY MANAGEMENT

Security policy is an overarching term; there are actually three types of policy. Machine policy comprises a digital document that contains the settings for the technical security controls on an endpoint. Organizational policy documents the expected behaviors, both technical and nontechnical, for an environment (for example, firewalls do not allow incoming event communications, or every room must have a fire extinguisher). Regulatory policy compels behavior at a high level (state, country, or global) by distinguishing good behavior from bad.[1]

Figure 11-4: Policy Relationship

Security policy describes the expected behavior of the security elements of a system; security monitoring describes what is actually happening in the environment. Security management is the iterative process that configures and updates the system to maintain the same level of security.

A security management platform provides the ability to define policy for each of the endpoints' security controls, communications streams and software and firmware updates. The platform provides an infrastructure for event monitoring and raising alarms at appropriate times. Analytics provides situational and contextual awareness and the results update machine policy settings. Automation pushes policies to endpoints and collects and analyzes events coming from them. Security management adjusts security capabilities to address changes in conditions.

The user interface and workflow should be simple enough for a person to define, update and monitor security status accordingly. If security management is difficult to use, people will have difficulty applying security effectively, and security incidents will be more likely.
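The comparison of policy (expected behavior) with monitoring (actual behavior) described above, as an added example that is not part of the framework: a machine policy document is checked against the state each endpoint reports, every deviation becomes an alarm, and the endpoints with alarms form the list automation would push policy to. The setting names, rule keys, endpoint names and report format are assumptions made for illustration.

```python
import json

# Constructed machine policy document: expected settings for an endpoint's
# security controls. Setting names and rule keys are assumptions.
MACHINE_POLICY = json.loads("""{
  "policy_version": 7,
  "settings": {
    "firewall.inbound": {"equals": "deny"},
    "remote_admin":     {"equals": false},
    "firmware":         {"min": "2.4.0"}
  }
}""")

# Constructed monitoring reports: what each endpoint says is actually in effect.
REPORTS = [
    {"endpoint": "plc-01", "policy_version": 7, "state": {
        "firewall.inbound": "deny", "remote_admin": False, "firmware": "2.10.1"}},
    {"endpoint": "hmi-02", "policy_version": 6, "state": {
        "firewall.inbound": "allow", "firmware": "2.3.9"}},  # remote_admin unreported
]

def _ver(text):
    # Numeric comparison, so "2.10.1" ranks above "2.4.0" (string order would not).
    return tuple(int(part) for part in text.split("."))

def satisfies(rule, actual):
    """True when the observed value meets the policy rule; unreported fails."""
    if actual is None:
        return False
    if "min" in rule:
        return _ver(actual) >= _ver(rule["min"])
    return actual == rule["equals"]

def evaluate(policy, report):
    """Return the alarms for one endpoint as (setting, rule, observed) tuples."""
    alarms = []
    if report.get("policy_version") != policy["policy_version"]:
        alarms.append(("policy_version", {"equals": policy["policy_version"]},
                       report.get("policy_version")))
    for name, rule in policy["settings"].items():
        observed = report["state"].get(name)
        if not satisfies(rule, observed):
            alarms.append((name, rule, observed))
    return alarms

def push_list(policy, reports):
    """Endpoints that need the machine policy pushed again, with their alarms."""
    return {r["endpoint"]: a for r in reports if (a := evaluate(policy, r))}
```

A setting the endpoint does not report is treated as a deviation, so a silent endpoint cannot pass as compliant.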
[1] For example, see [NERC-CIP] and [EU-2016/679]

IIC:PUB:G4:V1.0:PB:20160926 - 109 -