Industrial Internet Security Framework v 1.0 | Page 136

Security Framework Annex B: Cybersecurity Capability Maturity Model (C2M2)

of these practices could have different associated maturity levels, from being not implemented to fully implemented. The domains are:

• Risk Management addresses the establishment, operation and maintenance of a risk management program to identify, analyze and address security risks as they relate to the organization, business units, subsidiaries, related infrastructure and stakeholders.

• Asset, Change and Configuration Management targets the management of IT and OT assets, including hardware, software and integrated subsystems.

• Identity and Access Management targets the creation and management of identities for entities that may be granted access to an organization's assets. These identities may include individuals, shared roles (e.g., operator), devices or distributed services within or across network zones.

• Threat and Vulnerability Management targets the establishment and maintenance of plans, procedures and technologies to detect, identify, analyze, manage and respond to security threats and vulnerabilities.

• Situational Awareness is an understanding of the relevant environment. The establishment and maintenance of activities and technologies to collect, analyze, alert, present and use operational and security information contribute to a holistic operating picture. This includes status summaries from the other C2M2 domains.

• Information Sharing and Communication establishes and maintains relationships with internal and external entities to collect and provide security information, including threats and vulnerabilities, in order to reduce risks and increase operational resilience.

• Event and Incident Response, Continuity of Operations establishes and maintains plans, procedures and technologies to detect, analyze and respond to security events and to sustain operations throughout a security event.

• Supply Chain and External Dependencies Management establishes and maintains controls to manage the security risks associated with services and assets that depend on external entities, including third-party component and service providers and the inclusion of open source components.

• Workforce Management creates a culture of security and ensures the ongoing suitability and competence of all personnel.

• Security Program Management targets the establishment and maintenance of a security program that provides governance, strategic planning and sponsorship to align security objectives with the organization's strategic objectives and the risk to its critical infrastructure.

The recommended approach for using the framework is to evaluate, identify and analyze gaps in capability, prioritize the gaps to be addressed, develop plans to address them and implement those plans. This process should be repeated as the business objectives and the risk environment change over time.

IIC:PUB:G4:V1.0:PB:20160926 - 136 -