Cyber Maturity Overview - Based on C2M2 Framework

Section 1: Functionality & Capability

Question Title

* 1. Cyber Asset Inventory: A cybersecurity program needs to understand and control the IT, OT, and information assets that are necessary to sustain operations. Assets might be systems devices, including traditional IT computers, routers, and servers, but might also include OT equipment such as programmable logic controllers (PLCs) and other control system elements. Also, inventories need to be kept up to date throughout the lifecycle of such assets.

We have an inventory of the IT and OT assets needed for operations, including computers and other system devices.

We have an inventory of important data, customer information, and financial data.

We log changes that are made to inventoried assets.

We evaluate or test changes to inventoried assets before the changes are made.

None of the above.

Comments:

Question Title

* 2. Configuration Baseline: To help keep track of changes to IT and OT assets, many organizations establish configuration baselines that define the software, hardware, and settings for these devices. Baselines can be used to identify unauthorized or unapproved changes to an asset, set up new assets consistently, and reset or restore an asset when needed.

We establish configuration baseline(s) where assets need to be configured in the same way.

We use the configuration baseline(s) to configure assets at deployment.

We do not establish configuration baselines for any inventoried IT or OT assets.

Comments:

Question Title

* 3. Access Control: Controlling physical and electronic access to IT and OT assets and systems is an important step in securing the operating environment. This includes the process of creating user accounts and passwords and determining the requirements for access.

We create accounts for people and application services that require access to our IT and OT systems. These may include accounts that are shared by multiple entities.

We require the use of credentials for access, such as badges or physical keys for physical access and passwords, smart cards, or security tokens for electronic access.

We have developed physical and electronic access requirements.

We use access requirements to determine who is granted access and any limitations on their access.

We revoke physical and electronic access when no longer needed, which may include collecting the individual's badge or security token and disabling individual user accounts.

We remove individual and shared accounts when they are no longer needed.

None of the above.

Comments:

Question Title

* 4. Vulnerability Management: Cybersecurity vulnerabilities are weaknesses or flaws in IT or OT systems (or in the procedures or controls used to protect those systems) that can be leveraged by adversaries. Managing these vulnerabilities is an important security protection. The most common vulnerability management techniques include regular patching cycles and network isolation.

We have identified source(s) for vulnerability information associated with our IT and OT systems and assets.

We gather information on vulnerabilities and review it for applicability to our assets and systems.

We address important vulnerabilities (e.g., by implementing patches or other changes).

None of the above.

Comments:

Question Title

* 5. Threat Management: Wholly distinct from vulnerabilities, cybersecurity threats are adversaries with some capability and motive to affect an organization through cyber means. Cybersecurity threats can also be events that would cause harm to the organization.

A common way to describe the relationship is that threats (such as hackers) use vulnerabilities (such as system weaknesses) to attack organizations. Threat management activities include being aware of threats that are focusing on your sector, your region, or specific types of assets that you have. They might also include monitoring of recent events and analysis of how an event could be applicable.

We have identified source(s) for threat information.

We gather threat information and review it for applicability to our organization.

We address important threats (including strengthening our security protections, increasing monitoring activities, and /or raising awareness throughout the organization).

None of the above.

Comments:

Question Title

* 6. Cyber Risk Management: Cybersecurity risk is the potential harm to operations that could arise from unauthorized disclosure of the organization's information, misuse of its information, IT, or OT systems, and other cyber perils. Dependence on technology has resulted in an increase in cybersecurity risk.

Risk is often viewed as the product of vulnerabilities, threats, and impacts. Vulnerability assessments are informative for analyzing weaknesses, but if there is no threat that can exploit the weakness, or if there is no way to have negative impacts due to that weakness, it may not be a notable risk. Identification of risks is a high-level governance discussion that combines technical knowledge with operational impacts knowledge.

We identify cybersecurity risks as they apply to our organization.

We mitigate, accept, or transfer those identified risks.

We do not currently identify or address cybersecurity risks.

Comments:

Question Title

* 7. Cyber Event Detection: A cybersecurity event is any occurrence that has a potential impact to the cybersecurity of the organization's IT or OT systems. Such events are often relatively minor (e.g., forgotten passwords), but can be escalating (e.g., an increasing number of users are unable to log in), or major (e.g., a network outage is preventing communications to remote assets). Detecting cybersecurity events requires knowledge of IT and OT assets and systems, as well as defined roles and capabilities to track events.

Events that have the potential to significantly impact the organization are declared to be incidents and require a response to minimize the impact to operations or restore functionality.

We have a point of contact to whom cybersecurity events can be reported. (This may be an IT help desk or any designated person or role.)

We report detected cybersecurity events.

We log and track detected cybersecurity events.

We have criteria to determine whether cybersecurity events should be declared to be incidents.

We analyze cybersecurity events to determine whether they should be declared to be incidents.

We do not have cybersecurity event detection in place.

Comments:

Question Title

* 8. Cyber Incident Response: As previously mentioned, cybersecurity events can escalate to cybersecurity incidents. Recall that incidents have the potential to significantly impact the organization and require a response to minimize the impact to operations or restore functionality. Incident response capabilities require preplanning and knowledge of both security and engineering/operations.

We log cybersecurity incidents and track any progress.

We have a cybersecurity incident response team (or teams, or a designated person/role).

We can respond to cybersecurity incidents to limit the impact and restore normal operations.

We report (or would report) cybersecurity incidents internally and/or to appropriate external trusted parties such as a relevant ISAC.

We do not have cybersecurity incident response capabilities in place.

Comments:

Question Title

* 9. Operational Resiliency: Part of responding to a cybersecurity incident or other disruptive events is sustaining at least minimal operations while returning to normal operations. Doing so requires knowledge of business impacts and the systems needed to sustain minimal operations.

We know what we need to do to sustain minimal operations.

We know the sequence of implementing the IT and OT activities needed to return to normal operations.

We have developed continuity plans for how to sustain and restore operations.

We do not perform activities for continuity planning.

Comments:

Question Title

* 10. Monitoring Cyber System Activity: Logging and monitoring of IT and OT systems is a vital capability for detecting cyber events or incidents and for capturing information that can be used to analyze an event or incident. These capabilities, however, may not be possible for certain pieces of equipment based on your IT and OT environment.

We have enabled logging on assets that are needed for critical operations where possible.

We review our logs periodically, at least manually, or have a third party monitor that will notify us.

We monitor our operations for irregular or anomalous activity as indicators of a cybersecurity incident.

We do not perform logging or monitoring on our assets or equipment.

Comments:

Question Title

* 11. Cyber Threat & Event Information Sharing: Information sharing is a two-way flow of information between organizations, either directly or through a trusted third party. During a cyber event, you may use information-sharing practices to inform other organizations so that they can be on alert for similar events. Your organization may benefit from information sharing by being alerted of escalating cybersecurity events or threat conditions in your sector.

We collect and provide cybersecurity information from/to selected organizations, trade associations, ISAC's, or trusted individuals.

We have assigned the responsibility for sharing cybersecurity information to designated personnel within our organization.

We do not share or collect cybersecurity information.

Comments:

Question Title

* 12. Supply Chain Risk: Supply chain risk is an increasing concern for most organizations. Supply chain refers to how assets, systems, software, services, and materials are procured. This includes the purchase of new laptops, industrial control system equipment, consulting or maintenance services, raw materials, and even power. Each organization is also part of the supply chain and should identify its role as a supplier to others, especially in any case where customer data or digital connectivity to a customer can pose risk to the organization or to the customer.

We know who our customers are (e.g., hospitals, major industrial or commercial customers, customers with digital connectivity).

We know who our important suppliers are including service providers and integrators, hardware manufacturers, software developers, and other roles important to our operations.

We identify and address significant cybersecurity risks from our supply chain and customer dependencies, including an analysis of how a cyber event at one of them could impact our operations, or an analysis of the "weakest links" in our supply chain.

We establish cybersecurity requirements when entering into relationships with new suppliers or other parties.

We do not track supply chain or customer dependency risk.

Comments:

Question Title

* 13. Workforce Management and Cybersecurity Training: Despite all the technical discussions surrounding cybersecurity, employees and contractors represent some of the biggest risks to a security program. How workforce and cybersecurity training are managed will have a large impact on organizational security.

We have identified cybersecurity responsibilities needed for our organization.

We have assigned cybersecurity responsibilities to specific people.

We provide cybersecurity training to the employees and contractors with cybersecurity responsibilities.

We have cybersecurity awareness activities for all employees and contractors.

We perform personnel vetting, such as background checks and drug tests, when we hire employees and contractors who will have access to assets that support critical operations.

We address cybersecurity concerns during our employee terminations, such as removing physical and electronic access.

None of the above.

Comments:

Question Title

* 14. Cybersecurity Program Management: A cybersecurity program is a managed set of activities designed to provide governance for the organization. Such a program typically includes objectives for improving cybersecurity over time and a foundational strategy for managing cybersecurity and would provide leadership and resources for cybersecurity activities.

We have a strategy for our cybersecurity program.

We have resources (people, funding, and tools) for our cybersecurity program.

We have senior management sponsorship for our cybersecurity program.

We have a strategy to keep our IT systems isolated from our OT control systems.

None of the above.

Comments: