Establishing CSMS Flashcards

1
Q

3 Categories of CSMS

A

1 - Risk Analysis.
2 - Addressing the risk with the CSMS.
3 - Monitoring and improving the CSMS.

2
Q

Elements of Risk Analysis

A

1 - Business Rationale.
2 - Identification, Classification and Assignment of risks.

3
Q

Element groups of Addressing the risks with CSMS

A

1 - Security Policy, Organization & Awareness.
2 - Selected Security Countermeasures.
3 - Implementation.

4
Q

Elements of Monitoring and Improving CSMS

A

1 - Compliance.
2 - Review, Improve & Maintain the CSMS.

5
Q

CSMS Process Flow

A

Initiate CSMS ==> Initial/High-level risk assessment ==> Detailed risk assessment ==> Select and Implement countermeasures ==> Maintain CSMS

6
Q

What is included in CSMS Initiation?

A

Establish:
1- Purpose - A business rationale/justification for the program that senior management will find compelling.

2- Scope - What the CSMS will cover (which systems, sites and organizational units are in scope of CSMS development).

3- Resources - Resource identification based on the business rationale and scope.

4- Organizational Support - Leadership commitment, support & funding.

7
Q

Initial/High-level risk assessment

A

1- Define the methodology for risk identification.
2- Identify risks.
3- Define a methodology for assessing the priority of risk.
4- Assess the priority of risk.
5- Document the result and rationale.

  • Involve the identified stakeholders in all of the above activities.
  • A common pitfall is to jump straight into a detailed risk assessment, because it feels concrete, especially with technical stakeholders; the high-level assessment is what scopes and prioritizes the detailed one.
  • Documenting the results and rationale is very important. It establishes the baseline and is invaluable when the risk assessment later needs to be confirmed or updated.
  • The threshold for tolerable risk is established by executive management and is often communicated via the Risk Matrix.
8
Q

Detailed risk assessment

A

1- Take the high-level risk assessment as input for the detailed risk assessment.
2- Create an Inventory of IACS assets (networks, systems, devices).
3- Use the inventory and high-level risk assessment report to screen and prioritize threats, consequences, and vulnerabilities.
4- Identify the detailed vulnerabilities.
5- Identify and prioritize the associated risks.

  • A common pitfall is failure to communicate before, during, or after the risk assessment.
  • A detailed vulnerability assessment may uncover new threats, likelihoods, consequences, and risks that the high-level assessment did not capture.
  • The detailed risk assessment should also consider the relationships between cyber security and the physical and environmental security measures already in place.
9
Q

Establish Policy, Organization & Awareness

A

1- Use the established risk tolerance and the assessed risk prioritization as input to develop policies and procedures.

2- Audit the policies for compliance with the CSMS.

3- Implement the policies and procedures.
Implementation is done by communicating the policies, developing the training activities, and assigning the organizational responsibilities.

4- Refine the CSMS.

10
Q

Select and Implement Countermeasures

A
  • The selection of countermeasures is the technical part of the risk management process.
  • It is driven by the organization's risk tolerance, the preselected common countermeasures, the initial/high-level risk assessment results, and the detailed risk assessment.
  • Implementing a new system or modifying an existing one requires updating the risk reports, business continuity plans, and incident response plans.
  • A common pitfall is that the required stakeholders are not invited, due to immature collaborative processes within the organization.
11
Q

Maintain CSMS

A
  • Monitoring of legal and regulatory constraints, industry best practices, available countermeasures, the effectiveness of the CSMS, and audit compliance are all driving factors for CSMS review and refinement. This is what keeps the CSMS a continuous cycle.
  • An unscheduled event, such as exposure to a new security incident, organizational restructuring, new or changed laws/regulations, or newly available countermeasures, can also trigger a CSMS review.
  • A common pitfall is a lack of management support and resource alignment, which results in cyber fatigue and an overwhelming backlog of issues.