Establishing an Industrial Automation and Control Systems Security Program

Question 1

Whats means:

CSMS

Answer 1

Cyber Security Management System

Question 2

CSMS Categories

Answer 2

Risk Analysis
Addressing Risk with the CSMS
Monitoring & Improving the CSMS

Question 3

How CSMS are organized?

Answer 3

Categories
Elements
Element Groups

Question 4

Risk Analysis

Answer 4

Includes business rationale along with risk identificacion, classification and assesment

Question 5

Addressing Risk with CSMS

Answer 5

Includes security policy, organization & awarness along with security countermeasures and implementation

Question 6

Monitoring & Improving CSMS

Answer 6

Includes conformance along with review, improvement and maintenance of CSMS

Question 7

CSMS six top level activities

Answer 7

• Initiate CSMS Program
• Initial high level risk assessment
• Detailed risk assessment
• Establish policy, organization and awareness
• Select and implement countermeasures
• Maintain the CSMS

Question 8

Initiate CSMS Program

Answer 8

• Develop a business rationale
• Develop the CSMS Scope
• Involve stakeholder(s)
• Obtain leadership commitment, support and funding.

Question 9

Initial High Level Risk Assessment

Answer 9

• Drives the content of CSMS
• Threats
• Likelihood
• Vulnerabilities
• Consequences

Address risk assessment at a high level to reduce resources expenses and to establish an overall risk context

Question 10

Detailed risk Assessment

Answer 10

• Detailed technical assessment
• Focus on vulnerabilities identified at initial / high level

Question 11

Establish Policy, organization and awareness

Answer 11

• Driven by initial/high-level and detailed risk assessment results
• Creation of policies and procedures
• Communicate policies
• Assignment of organizational responsibilities
• Planning and execution of training

Question 12

Select and implement countermeasures

Answer 12

• Establish the risk tolerance
• Select countermeasures
• Implement countermeasures
• Develop new or modify existing systems

Question 13

Maintain the CSMS

Answer 13

• Is organization maturing in it CSMS activities?
• Does organization conform to policies and procedures?
• Are cyber security goals met effectively ?
• Do the goals need to change in light of internal or external events?
• Is a review of initial/high-level or detailed risk assessment required?
• Are there improvements identified and implemented?
• Are there training enhancements to make?
• Has enthusiams and support waned?
• Have other priorities pushed CSMS to the back burner?

Question 14

True or False

Risk tolerance is determined by external, governing organizations

Answer 14

False

Question 15

True or False

Detailed risk assesment should be conducted prior to a high-level risk assessment

Answer 15

False

Question 16

True of False

CSMS includes 10 top level activities

Answer 16

False

CSMS include 6 top level activities

Question 17

True or False

The elements of the CSMS list the following; the objetive, the description, the rationale, and the requirements

Answer 17

True

Question 18

When initiating a CSMS program, why is it important to develop a business rationale first?

Answer 18

To help justify the program to management

Question 19

True or False

ISA 62443-2-1 contains a combination of SHOULD, MAY and SHALL requirements

Answer 19

TRUE

Question 20

What is the desired outcome of the initiate a CSMS program activity?

Answer 20

Obtain leadership commitment, support, and funding