Industrial Internet Security Framework v 1.0 | Page 136
Annex B: Cybersecurity Capability Maturity Model (C2M2)
of these practices could have different associated maturity levels, from being not implemented
to fully implemented.
The domains are:
• Risk Management addresses the establishment, operation and maintenance of a risk management program to identify, analyze and address security risks as they relate to the organization, business units, subsidiaries, related infrastructure and stakeholders.
• Asset, Change and Configuration Management targets the management of IT and OT assets, including hardware, software and integrated subsystems.
• Identity and Access Management targets the creation and management of identities for entities that may be granted access to an organization's assets. Credentials may be issued to individuals, shared roles (e.g., operator), devices or distributed services within or across network zones.
• Threat and Vulnerability Management targets the establishment and maintenance of plans, procedures and technologies to detect, identify, analyze, manage and respond to security threats and vulnerabilities.
• Situational Awareness is an understanding of the relevant environment. It covers the establishment and maintenance of activities and technologies to collect, analyze, alert on, present and use operational and security information, contributing to a holistic operating picture. This includes status summaries from the other C2M2 domains.
• Information Sharing and Communication establishes and maintains relationships with internal and external entities to collect and provide security information, including threats and vulnerabilities, in order to reduce risk and increase operational resilience.
• Event and Incident Response, Continuity of Operations establishes and maintains plans, procedures and technologies to detect, analyze and respond to security events and to sustain operations throughout a security event.
• Supply Chain and External Dependencies Management establishes and maintains controls to manage the security risks associated with services and assets that depend on external entities, including third-party component and service providers and the inclusion of open source components.
• Workforce Management creates a culture of security and ensures the ongoing suitability and competence of all personnel.
• Security Program Management targets the establishment and maintenance of a security program that provides governance, strategic planning and sponsorship to align security objectives with the organization's strategic objectives and the risk to its critical infrastructure.
The recommended approach for using the framework is to evaluate current capability, identify and analyze gaps in capability, prioritize the gaps to be addressed, develop plans to close them and implement those plans. This process should be repeated as business objectives and the risk environment change over time.
IIC:PUB:G4:V1.0:PB:20160926