Process: Difference between revisions

From CyberWiki
Process and Integration Overview


== Topic 1 ==
Processes, Integration, and Standards: Researching and developing technical approaches to address the process and coordination challenges associated with cyber security (e.g., cyber-informed engineering, governance, risk management, workforce development). Cyber security requires people and processes to implement and maintain measures consistent with strategies. Security tools will not be effective without a trained workforce and repeatable processes. Studies show that people are often an organization's weakest cyber security link. For example, the 2024 Verizon Data Breach Investigations Report found that 68% of breaches involve the human element.
 
Key process and integration topics include:
*Governance, Risk, and Compliance
*Program Development
*Workforce Development
*Supply Chain
 
== Governance, Risk, and Compliance ==
Governance, Risk, and Compliance (GRC) refers to an organization's integrated approach to ensuring that its cyber security program is aligned with business objectives, compliant with regulations, and resilient against cyber threats. Effective GRC strategies allow organizations to proactively manage risks, maintain regulatory compliance, and enhance their overall cyber security posture.
 
'''Challenges and key practices''' with GRC in power generation facilities include:
*NIST Cyber Security Framework 2.0 (Draft) adds “GOVERN” as the sixth function.
*Regulatory compliance has traditionally been the major driving force in shaping cyber security processes and integration; emerging incentives from investor interests and the government are now encouraging the industry to go beyond compliance.
**Regulations are always changing, and the scope of their requirements keeps expanding. For instance, in North America, five high-priority NERC standards projects affecting the CIP standards are planned to be completed by 2024; they address virtualization, Internal Network Security Monitoring, enhancing the low-impact category, and other topics. In the European Union, the NIS2 Directive came into force in 2023, and Member States have until October 2024 to transpose its measures into national law.
**In the U.S., FERC issued an order establishing incentive-based rate treatment to encourage utilities' investments in Advanced Cyber Security Technology and participation in cyber security threat information sharing programs.
*A risk-informed approach allows for cyber security programs that remain effective as threats, regulations, and asset lifecycles change. Implementing an effective risk management program involves several components, and it is crucial that consistent, periodic risk assessments are performed to respond to evolving cyber threats:
**Risk Assessment refers to identifying, analyzing, and evaluating potential risks.
**Risk Treatment refers to the strategic actions and measures taken to mitigate, transfer, or accept identified risks; a practical risk-based approach pairs it with the Risk Assessment rather than stopping at assessment.
**Risk Monitoring is a continuous process that follows Risk Treatment to evaluate the effectiveness of the implemented risk mitigations.

Revision as of 14:07, 30 October 2024