Environmental Engineering Reference
8. Formulation of guidelines for application of security assurance methods.
9. Documenting of results.
provided, including: determination of business requirements for security; performance of risk analysis; introduction of a security policy; implementation of cyber security assurance measures (including personnel, processes and technologies devoted to decreasing identified security risks); continuous security monitoring and management.
In the part devoted to risk management, a methodology of risk analysis is described. It is noted that risk assessment is a key aspect of cyber security. Risk assessment can be considered as a set of stages implemented in sequence. The first stage is the identification of the facility's assets that should be protected, and of the possible effects of their loss.
At the next stage, threats to the facility are identified and their characteristics determined. In determining the criticality of threats, the main criteria are the intentions and capabilities of an attacker.
The third stage includes identifying and characterizing the vulnerabilities through which threats can be realized.
At the fourth stage, risk is assessed and priorities for asset protection are determined. During risk assessment, the potential effect of asset loss or damage is considered. Risk levels are determined from the assessment of the impact of asset loss or damage, the threats to the asset, and its vulnerabilities.
The final stage consists of identifying countermeasures for decreasing or eliminating risks, and of comparing the advantages and efficiency of such countermeasures against their disadvantages and cost.
The NIST 800-53 document (NIST 800-53, 2009) is advisory in nature and is devoted to the selection and implementation of relevant methods of safety assurance of information systems. A detailed description of the implementation of each method is provided.
The ISO/IEC 15408 standard (ISO/IEC 15408,
2009) introduces general principles and concepts
It is noted that, when implementing the recommended risk reduction measures, technical, management and operational security assurance methods, and also their combination, should be used to maximize their efficiency.
It is also noted that the success of a risk management program depends on:
• Management policy.
• Participation of technical specialists.
• Competence of the team performing risk assessment (including interpretation of the risk assessment methodology for specific systems, risk identification, provision of profitable protective measures).
• Information awareness and collaboration of all participants involved in the program.
• Constant assessment of the risks of cyber security violation at the facility.
Cyber security requirements for critical infrastructures, including the peculiarities and dynamics of threats, vulnerabilities, incidents and effects of potential attacks, are provided in the GAO-04-321 document (GAO-04-321, 2004), which also notes the close relation of these concepts with information technologies.
It is noted that the problem of cyber security assurance during power generation can be reduced to the problem of assuring the integrity, availability and privacy of the relevant facility's assets.
Moreover, a list and description of general security assurance controls for systems and networks (including access control, system integrity management, cryptography, audit and monitoring, as well as configuration management) are provided, and the main standards for all these controls are listed.
Some approaches for planning and implementation of cyber security assurance process are