This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, and Informative References that describe specific cybersecurity activities that are common across all critical infrastructure sectors. The chosen presentation format for the Framework Core does not suggest a specific implementation order or imply a degree of importance of the Categories, Subcategories, and Informative References. The Framework Core presented in this appendix represents a common set of activities for managing cybersecurity risk. While the Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities to use Subcategories and Informative References that are cost-effective and efficient and that enable them to manage their cybersecurity risk. Activities can be selected from the Framework Core during the Profile creation process, and additional Categories, Subcategories, and Informative References may be added to the Profile. An organization's risk management processes, legal/regulatory requirements, business/mission objectives, and organizational constraints guide the selection of these activities during Profile creation. Personal information is considered a component of the data or assets referenced in the Categories when assessing security risks and protections.
While the intended outcomes identified in the Functions, Categories, and Subcategories are the same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS have a direct effect on the physical world, including potential risks to the health and safety of individuals and impact on the environment. Additionally, ICS have unique performance and reliability requirements compared with IT, and the goals of safety and efficiency must be considered when implementing cybersecurity measures.
For ease of use, each component of the Framework Core is given a unique identifier. Functions and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories within each Category are referenced numerically; the unique identifier for each Subcategory is included in Table 2.
Table 2: Framework Core
Function | Category | Subcategory | Informative References |
--- | --- | --- | --- |
IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-1: Physical devices and systems within the organization are inventoried | CIS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8, PM-5 |
| | ID.AM-2: Software platforms and applications within the organization are inventoried | CIS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1; NIST SP 800-53 Rev. 4 CM-8, PM-5 |
| | ID.AM-3: Organizational communication and data flows are mapped | CIS CSC 12; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4; ISO/IEC 27001:2013 A.13.2.1, A.13.2.2; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8 |
| | ID.AM-4: External information systems are catalogued | CIS CSC 12; COBIT 5 APO02.02, APO10.04, DSS01.02; ISO/IEC 27001:2013 A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9 |
| | ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | CIS CSC 13, 14; COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02; ISA 62443-2-1:2009 4.2.3.6; ISO/IEC 27001:2013 A.8.2.1; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6 |
| | ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | CIS CSC 17, 19; COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11 |
| Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | ID.BE-1: The organization’s role in the supply chain is identified and communicated | COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12 |
| | ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | COBIT 5 APO02.06, APO03.01; ISO/IEC 27001:2013 Clause 4.1; NIST SP 800-53 Rev. 4 PM-8 |
| | ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14 |
| | ID.BE-4: Dependencies and critical functions for delivery of critical services are established | COBIT 5 APO10.01, BAI04.02, BAI09.02; ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 |
| | ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations) | COBIT 5 BAI03.02, DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14 |
| Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-1: Organizational cybersecurity policy is established and communicated | CIS CSC 19; COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all security control families |
| | ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | CIS CSC 19; COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1; NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2 |
| | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | CIS CSC 19; COBIT 5 BAI02.01, MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5; NIST SP 800-53 Rev. 4 -1 controls from all security control families |
| | ID.GV-4: Governance and risk management processes address cybersecurity risks | COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3; ISO/IEC 27001:2013 Clause 6; NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11 |
| Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | ID.RA-1: Asset vulnerabilities are identified and documented | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 |
| | ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | CIS CSC 4; COBIT 5 BAI08.01; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16 |
| | ID.RA-3: Threats, both internal and external, are identified and documented | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16 |
| | ID.RA-4: Potential business impacts and likelihoods are identified | CIS CSC 4; COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11 |
| | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | CIS CSC 4; COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16 |
| | ID.RA-6: Risk responses are identified and prioritized | CIS CSC 4; COBIT 5 APO12.05, APO13.02; ISO/IEC 27001:2013 Clause 6.1.3; NIST SP 800-53 Rev. 4 PM-4, PM-9 |
| Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | CIS CSC 4; COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3; NIST SP 800-53 Rev. 4 PM-9 |
| | ID.RM-2: Organizational risk tolerance is determined and clearly expressed | COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3; NIST SP 800-53 Rev. 4 PM-9 |
| | ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis | COBIT 5 APO12.02; ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3; NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11 |
| Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | CIS CSC 4; COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9 |
| | ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9 |
| | ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan | COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7; ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3; NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9 |
| | ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations | COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05; ISA 62443-2-1:2009 4.3.2.6.7; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12 |
| | ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | CIS CSC 19, 20; COBIT 5 DSS04.04; ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.17.1.3; NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9 |
PROTECT (PR) | Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | CIS CSC 1, 5, 15, 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 |
| | PR.AC-2: Physical access to assets is managed and protected | COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8 |
| | PR.AC-3: Remote access is managed | CIS CSC 12; COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15 |
| | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | CIS CSC 3, 5, 12, 14, 15, 16, 18; COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24 |
| | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | CIS CSC 9, 14, 15, 18; COBIT 5 DSS01.05, DSS05.02; ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.8; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7 |
| | PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | CIS CSC 16; COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03; ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1; ISO/IEC 27001:2013 A.7.1.1, A.9.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3 |
| | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | CIS CSC 1, 12, 15, 16; COBIT 5 DSS05.04, DSS05.10, DSS06.10; ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10; ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4; NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11 |
| Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | PR.AT-1: All users are informed and trained | CIS CSC 17, 18; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2, A.12.2.1; NIST SP 800-53 Rev. 4 AT-2, PM-13 |
| | PR.AT-2: Privileged users understand their roles and responsibilities | CIS CSC 5, 17, 18; COBIT 5 APO07.02, DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13 |
| | PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | CIS CSC 17; COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16 |
| | PR.AT-4: Senior executives understand their roles and responsibilities | CIS CSC 17, 19; COBIT 5 EDM01.01, APO01.02, APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13 |
| | PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | CIS CSC 17; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13 |
| Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-1: Data-at-rest is protected | CIS CSC 13, 14; COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06; ISA 62443-3-3:2013 SR 3.4, SR 4.1; ISO/IEC 27001:2013 A.8.2.3; NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28 |
| | PR.DS-2: Data-in-transit is protected | CIS CSC 13, 14; COBIT 5 APO01.06, DSS05.02, DSS06.06; ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12 |
| | PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | CIS CSC 1; COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7; NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16 |
| | PR.DS-4: Adequate capacity to ensure availability is maintained | CIS CSC 1, 2, 13; COBIT 5 APO13.01, BAI04.04; ISA 62443-3-3:2013 SR 7.1, SR 7.2; ISO/IEC 27001:2013 A.12.1.3, A.17.2.1; NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5 |
| | PR.DS-5: Protections against data leaks are implemented | CIS CSC 13; COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02; ISA 62443-3-3:2013 SR 5.2; ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 |
| | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | CIS CSC 2, 3; COBIT 5 APO01.06, BAI06.01, DSS06.02; ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8; ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4; NIST SP 800-53 Rev. 4 SC-16, SI-7 |
| | PR.DS-7: The development and testing environment(s) are separate from the production environment | CIS CSC 18, 20; COBIT 5 BAI03.08, BAI07.04; ISO/IEC 27001:2013 A.12.1.4; NIST SP 800-53 Rev. 4 CM-2 |
| | PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | COBIT 5 BAI03.05; ISA 62443-2-1:2009 4.3.4.4.4; ISO/IEC 27001:2013 A.11.2.4; NIST SP 800-53 Rev. 4 SA-10, SI-7 |
| Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality) | CIS CSC 3, 9, 11; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10 |
| | PR.IP-2: A System Development Life Cycle to manage systems is implemented | CIS CSC 18; COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03; ISA 62443-2-1:2009 4.3.4.3.3; ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5; NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17 |
| | PR.IP-3: Configuration change control processes are in place | CIS CSC 3, 11; COBIT 5 BAI01.06, BAI06.01; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10 |
| | PR.IP-4: Backups of information are conducted, maintained, and tested | CIS CSC 10; COBIT 5 APO13.01, DSS01.01, DSS04.07; ISA 62443-2-1:2009 4.3.4.3.9; ISA 62443-3-3:2013 SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3; NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9 |
| | PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6; ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3; NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18 |
| | PR.IP-6: Data is destroyed according to policy | COBIT 5 BAI09.03, DSS05.06; ISA 62443-2-1:2009 4.3.4.4.4; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7; NIST SP 800-53 Rev. 4 MP-6 |
| | PR.IP-7: Protection processes are improved | COBIT 5 APO11.06, APO12.06, DSS04.05; ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8; ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10; NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6 |
| | PR.IP-8: Effectiveness of protection technologies is shared | COBIT 5 BAI08.04, DSS03.04; ISO/IEC 27001:2013 A.16.1.6; NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4 |
| | PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | CIS CSC 19; COBIT 5 APO12.06, DSS04.03; ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1; ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3; NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17 |
| | PR.IP-10: Response and recovery plans are tested | CIS CSC 19, 20; COBIT 5 DSS04.04; ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 3.3; ISO/IEC 27001:2013 A.17.1.3; NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14 |
| | PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | CIS CSC 5, 16; COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05; ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3; ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4; NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21 |
| | PR.IP-12: A vulnerability management plan is developed and implemented | CIS CSC 4, 18, 20; COBIT 5 BAI03.10, DSS05.01, DSS05.02; ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3; NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2 |
| Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. | PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05; ISA 62443-2-1:2009 4.3.3.3.7; ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6; NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6 |
| | PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | CIS CSC 3, 5; COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8; ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1; NIST SP 800-53 Rev. 4 MA-4 |
| Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | CIS CSC 1, 3, 5, 6, 14, 15, 16; COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12; ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; NIST SP 800-53 Rev. 4 AU Family |
| | PR.PT-2: Removable media is protected and its use restricted according to policy | CIS CSC 8, 13; COBIT 5 APO13.01, DSS05.02, DSS05.06; ISA 62443-3-3:2013 SR 2.3; ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9; NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8 |
| | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | CIS CSC 3, 11, 14; COBIT 5 DSS05.02, DSS05.05, DSS06.06; ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; ISO/IEC 27001:2013 A.9.1.2; NIST SP 800-53 Rev. 4 AC-3, CM-7 |
| | PR.PT-4: Communications and control networks are protected | CIS CSC 8, 12, 15; COBIT 5 DSS05.02, APO13.01; ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43 |
| | PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05; ISA 62443-2-1:2009 4.3.2.5.2; ISA 62443-3-3:2013 SR 7.1, SR 7.2; ISO/IEC 27001:2013 A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6 |
DETECT (DE) | Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. | DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | CIS CSC 1, 4, 6, 12, 13, 15, 16; COBIT 5 DSS03.01; ISA 62443-2-1:2009 4.4.3.3; ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2; NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4 |
| | DE.AE-2: Detected events are analyzed to understand attack targets and methods | CIS CSC 3, 6, 13, 15; COBIT 5 DSS05.07; ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4 |
| | DE.AE-3: Event data are collected and correlated from multiple sources and sensors | CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16; COBIT 5 BAI08.02; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.12.4.1, A.16.1.7; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4 |
| | DE.AE-4: Impact of events is determined | CIS CSC 4, 6; COBIT 5 APO12.06, DSS03.01; ISO/IEC 27001:2013 A.16.1.4; NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4 |
| | DE.AE-5: Incident alert thresholds are established | CIS CSC 6, 19; COBIT 5 APO12.06, DSS03.01; ISA 62443-2-1:2009 4.2.3.10; ISO/IEC 27001:2013 A.16.1.4; NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8 |
| Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | DE.CM-1: The network is monitored to detect potential cybersecurity events | CIS CSC 1, 7, 8, 12, 13, 15, 16; COBIT 5 DSS01.03, DSS03.05, DSS05.07; ISA 62443-3-3:2013 SR 6.2; NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4 |
| | DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | COBIT 5 DSS01.04, DSS01.05; ISA 62443-2-1:2009 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2; NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20 |
| | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | CIS CSC 5, 7, 14, 16; COBIT 5 DSS05.07; ISA 62443-3-3:2013 SR 6.2; ISO/IEC 27001:2013 A.12.4.1, A.12.4.3; NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11 |
| | DE.CM-4: Malicious code is detected | CIS CSC 4, 7, 8, 12; COBIT 5 DSS05.01; ISA 62443-2-1:2009 4.3.4.3.8; ISA 62443-3-3:2013 SR 3.2; ISO/IEC 27001:2013 A.12.2.1; NIST SP 800-53 Rev. 4 SI-3, SI-8 |
| | DE.CM-5: Unauthorized mobile code is detected | CIS CSC 7, 8; COBIT 5 DSS05.01; ISA 62443-3-3:2013 SR 2.4; ISO/IEC 27001:2013 A.12.5.1, A.12.6.2; NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44 |
| | DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | COBIT 5 APO07.06, APO10.05; ISO/IEC 27001:2013 A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4 |
| | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16; COBIT 5 DSS05.02, DSS05.05; ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4 |
| | DE.CM-8: Vulnerability scans are performed | CIS CSC 4, 20; COBIT 5 BAI03.10, DSS05.01; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-5 |
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. 检测过程(DE.DP):对检测过程和程序进行维护和测试,以确保对异常事件的感知。 | DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability 很好地定义了检测的角色和职责,以确保可靠性 | · CIS CSC 19 | |
· COBIT 5 APO01.02, DSS05.01, DSS06.03 | |||
· ISA 62443-2-1:2009 4.4.3.1 | |||
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 | |||
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14 | |||
DE.DP-2: Detection activities comply with all applicable requirements 检测活动符合所有适用的要求 | · COBIT 5 DSS06.01, MEA03.03, MEA03.04 | ||
· ISA 62443-2-1:2009 4.4.3.2 | |||
· ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3 | |||
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14 | |||
DE.DP-3: Detection processes are tested 检测进程进行测试 | · COBIT 5 APO13.02, DSS05.02 | ||
· ISA 62443-2-1:2009 4.4.3.2 | |||
· ISA 62443-3-3:2013 SR 3.3 | |||
· ISO/IEC 27001:2013 A.14.2.8 | |||
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14 | |||
DE.DP-4: Event detection information is communicated 事件检测信息互通 | · CIS CSC 19 | ||
· COBIT 5 APO08.04, APO12.06, DSS02.05 | |||
· ISA 62443-2-1:2009 4.3.4.5.9 | |||
· ISA 62443-3-3:2013 SR 6.1 | |||
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3 | |||
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4 | |||
DE.DP-5: Detection processes are continuously improved 检测流程不断改进 | · COBIT 5 APO11.06, APO12.06, DSS04.05 | ||
· ISA 62443-2-1:2009 4.4.3.4 | |||
· ISO/IEC 27001:2013 A.16.1.6 | |||
· NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-2, RA-5, SI-4, PM-14 | |||
RESPOND (RS) 响应 | Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents. 响应计划(RS.RP):执行和维护响应流程和程序,以确保对检测到的网络安全事件作出响应。 | RS.RP-1: Response plan is executed during or after an incident 在事件发生期间或之后执行响应计划 | · CIS CSC 19 |
· COBIT 5 APO12.06, BAI01.10 | |||
· ISA 62443-2-1:2009 4.3.4.5.1 | |||
· ISO/IEC 27001:2013 A.16.1.5 | |||
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8 | |||
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies). 沟通(RS.CO):应对活动与内部和外部利益相关方协调(例如来自执法机构的外部支持)。 | RS.CO-1: Personnel know their roles and order of operations when a response is needed 当需要响应时,人员知道他们的角色和行动顺序 | · CIS CSC 19 | |
· COBIT 5 EDM03.02, APO01.02, APO12.03 | |||
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 | |||
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1 | |||
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8 | |||
RS.CO-2: Incidents are reported consistent with established criteria 事件报告符合既定标准 | · CIS CSC 19 | ||
· COBIT 5 DSS01.03 | |||
· ISA 62443-2-1:2009 4.3.4.5.5 | |||
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 | |||
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8 | |||
RS.CO-3: Information is shared consistent with response plans 根据应对计划共享信息 | · CIS CSC 19 | ||
· COBIT 5 DSS03.04 | |||
· ISA 62443-2-1:2009 4.3.4.5.2 | |||
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause 16.1.2 | |||
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4 | |||
RS.CO-4: Coordination with stakeholders occurs consistent with response plans 根据应对计划与利益攸关方进行协调 | · CIS CSC 19 | ||
· COBIT 5 DSS03.04 | |||
· ISA 62443-2-1:2009 4.3.4.5.5 | |||
· ISO/IEC 27001:2013 Clause 7.4 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | |||
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness 自愿与外部利益相关者共享信息,以获得更广泛的网络安全态势感知 | · CIS CSC 19 | ||
· COBIT 5 BAI08.04 | |||
· ISO/IEC 27001:2013 A.6.1.4 | |||
· NIST SP 800-53 Rev. 4 SI-5, PM-15 | |||
Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities. 分析(RS.AN):进行分析以确保有效的响应和支持恢复活动。 | RS.AN-1: Notifications from detection systems are investigated 调查来自检测系统的通知 | · CIS CSC 4, 6, 8, 19 | |
· COBIT 5 DSS02.04, DSS02.07 | |||
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 | |||
· ISA 62443-3-3:2013 SR 6.1 | |||
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 | |||
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4 | |||
RS.AN-2: The impact of the incident is understood 事件的影响是可以理解的 | · COBIT 5 DSS02.02 | ||
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 | |||
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4 | |||
RS.AN-3: Forensics are performed 进行取证 | · COBIT 5 APO12.06, DSS03.02, DSS05.07 | ||
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1 | |||
· ISO/IEC 27001:2013 A.16.1.7 | |||
· NIST SP 800-53 Rev. 4 AU-7, IR-4 | |||
RS.AN-4: Incidents are categorized consistent with response plans 根据响应计划对事件进行分类 | · CIS CSC 19 | ||
· COBIT 5 DSS02.02 | |||
· ISA 62443-2-1:2009 4.3.4.5.6 | |||
· ISO/IEC 27001:2013 A.16.1.4 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8 | |||
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) 建立过程以接收、分析和响应来自内部和外部来源(例如内部测试、安全公告或安全研究人员)向组织披露的漏洞 | · CIS CSC 4, 19 | ||
· COBIT 5 EDM03.02, DSS05.07 | |||
· NIST SP 800-53 Rev. 4 SI-5, PM-15 | |||
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident. 缓解(RS.MI):执行活动是为了防止事件扩展、减轻其影响并解决事件。 | RS.MI-1: Incidents are contained 事件得到控制 | · CIS CSC 19 | |
· COBIT 5 APO12.06 | |||
· ISA 62443-2-1:2009 4.3.4.5.6 | |||
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4 | |||
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 | |||
· NIST SP 800-53 Rev. 4 IR-4 | |||
RS.MI-2: Incidents are mitigated 事件减少 | · CIS CSC 4, 19 | ||
· COBIT 5 APO12.06 | |||
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10 | |||
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 | |||
· NIST SP 800-53 Rev. 4 IR-4 | |||
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks 新识别的漏洞被减轻或记录为可接受的风险 | · CIS CSC 4 | ||
· COBIT 5 APO12.06 | |||
· ISO/IEC 27001:2013 A.12.6.1 | |||
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5 | |||
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. 改进(RS.IM):通过结合从当前和以前的检测/响应活动中吸取的经验教训来改进组织的响应活动。 | RS.IM-1: Response plans incorporate lessons learned应对计划纳入经验教训 | · COBIT 5 BAI01.13 | |
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4 | |||
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | |||
RS.IM-2: Response strategies are updated 更新应对战略 | · COBIT 5 BAI01.13, DSS04.08 | ||
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | |||
RECOVER (RC) 恢复 | Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents. 恢复计划(RC.RP):执行和维护恢复过程和程序,以确保受网络安全事件影响的系统或资产的恢复。 | RC.RP-1: Recovery plan is executed during or after a cybersecurity incident : 网络安全事件发生后或发生后执行恢复计划 | · CIS CSC 10 |
· COBIT 5 APO12.06, DSS02.05, DSS03.04 | |||
· ISO/IEC 27001:2013 A.16.1.5 | |||
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8 | |||
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. 改进(RC.IM):通过将学到的经验教训结合到未来的活动中来改进恢复计划和过程。 | RC.IM-1: Recovery plans incorporate lessons learned恢复计划要吸取教训 | · COBIT 5 APO12.06, BAI05.07, DSS04.08 | |
· ISA 62443-2-1:2009 4.4.3.4 | |||
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | |||
RC.IM-2: Recovery strategies are updated 更新恢复策略 | · COBIT 5 APO12.06, BAI07.08 | ||
· ISO/IEC 27001:2013 A.16.1.6, Clause 10 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 | |||
Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). 通信(RC.CO):恢复活动与内部和外部各方(例如协调中心、Internet服务提供商、攻击系统所有者、受害者、其他csirt和供应商)协调。 | RC.CO-1: Public relations are managed 管理公共关系 | · COBIT 5 EDM03.02 | |
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4 | |||
RC.CO-2: Reputation is repaired after an incident 名誉是在事故后修复 | · COBIT 5 MEA03.02 | ||
· ISO/IEC 27001:2013 Clause 7.4 | |||
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams 与内部和外部利益相关者以及执行和管理团队沟通恢复活动 | · COBIT 5 APO12.06 | ||
· ISO/IEC 27001:2013 Clause 7.4 | |||
· NIST SP 800-53 Rev. 4 CP-2, IR-4 |