Industrial Internet Security Framework v 1.0 | Page 138

Security Framework Annex C: Security Capabilities and Techniques Tables

optimal. For this reason, the organization should have a target security profile with desired MIL ratings for each domain to meet its business objectives and security strategy. Comparing the target security profile with the assessment results guides investment priorities for improving the system security posture. To reach the desired maturity level defined by the target security profile, perform a cost-benefit analysis of the gaps and identify the activities needed to address them. In this process, objective criteria should be used, such as how the gaps affect organizational objectives, how important the business objectives supported by the domain are, and what costs are associated with implementing the required practices. Based on this analysis, plans to address the gaps should be developed, implemented and tracked to ensure progress. The cycle of evaluation, gap analysis, prioritization, planning and implementation must be repeated as the business, technology, market, risks and threat environment change.

B.2.1 ASSESSMENT PROCESS REQUIREMENTS

An organization’s assessment procedures should be properly documented, with materials available for training new members. The process should include a presentation to the parties involved that outlines expectations, rationale and expected outcomes. The scoring activity is solely an attempt at quantification for the purposes of process improvement. Participants must understand that an assessment is not a corporate audit and that no penalties apply for non-compliance. Full cooperation and truthful exchange of information are necessary for accurate measurement, and anecdotal information about activities should be supported by documented evidence of repeatable procedures.

B.2.2 ASSESSMENT ARTIFACT REQUIREMENTS

Artifacts used as evidence to support stated activities should be classified and handled accordingly. The assessment generates observations and action plans that must also be managed appropriately. The quantitative portions of an assessment should be recorded and tracked over time to identify and analyze trends. Assessments should be scheduled regularly, with somewhat greater frequency at the beginning of a program rollout. This high-level process helps organizations methodically capture and prioritize required security activities within the constraints set by business strategy, risks and availability of resources.

IIC:PUB:G4:V1.0:PB:20160926 - 138 -