IC34M02 - Conceptual Design Flashcards
Key Components of Conceptual Design
- Interpret Risk Assessment Result
- Mitigate Results (4T’s)
- Treat Risk (5 D’s)
- Develop Security Strategy
- Prepare Conceptual Design Specification
Example Risk Profile
Security Level (SL) Definitions
- Level 0: No requirements or security protection necessary
- Level 1: Protection against casual or coincidental violation
- Level 2: Protection against violation with low resources, generic skill, and low motivation
- Level 3: Protection against violation with moderate resources, IACS specific skills, and moderate motivation
- Level 4: Protection against intentional violation with extended resources, IACS specific skill, and high motivation
See 62443-3-3 Annex A
CRRF (Cyber Risk Reduction Factor)
Is a measure of the degree of risk reduction required to achieve tolerable risk.
Four T’s of Managing Risk
Tolerate
The risk is known and accepted by the organization. The organization is willing to Tolerate this risk.
Transfer
The risk is passed to a third party, for example an insurer or an outsourcer, to manage the risk. This does not eliminate the risk.
Terminate
The process, activity, tool, etc. is no longer used. By terminating or stopping the usage, the risk is no longer relevant.
Treat
Reduce the likelihood of the threat materializing or the resultant impact by introducing relevant controls and continuity strategies. Treat the risk through mitigating controls.
Five D’s of Treating Risk
Deter
Objective is to deter attacker from attempting breach.
Detect
Objective is to monitor large areas of space to accurately detect unauthorized intrusion in time to respond appropriately.
Delay
Objective is to delay an active intrusion to force intruder to give up or allow security to respond.
Deny
Objective is to deny access or keep unauthorized person out while allowing authorized persons to enter.
Defeat
Objective is to defeat intrusion by apprehending intruder, often involving law enforcement.
Developing a Security Strategy
- Identify zones
- Review risk assessment
- Establish Target Security Level
- Identify physical and cyber access points
- Develop 5D physical and cyber security strategy
Foundational Requirements
FR1 – Identification and Authentication Control
FR2 – Use Control
FR3 – System Integrity
FR4 – Data Confidentiality
FR5 – Restricted Data Flow
FR6 – Timely Response to Events
FR7 – Resource Availability
What should be included in a good risk assessment
- Risk Profile
- Severity of Consequences
- Threats & Vulnerabilities from least to highest risks
- Target Security Levels
- Recommendations
Name three characteristics of a Target Security Level (SL-T)?
- SL-T is required for each security zone or conduit
- SL-T is dependent upon Cyber Risk Reduction Factor (CRRF)
- Relationship between CRRF and SL-T is based upon organization's risk matrix and risk tolerance.
What is CRRF?
Cyber Risk Reduction Factor (CRRF) is:
- A measure of the degree of risk reduction required to achieve tolerable risk
- Calculated as a ratio by dividing unmitigated risk by tolerable risk
What are the four T’s of Managing Risk?
- Tolerate
- Transfer
- Terminate
- Treat
What are the 5D’s of treating risk?
- Deter
- Detect
- Delay
- Deny
- Defeat
What are the steps to developing a Security Strategy?
- Identify zones
- Review risk assessment results
- Establish SL-T
- Identify physical and cyber access points
- Develop 5D physical & cyber security strategy for each access point.
What are four components of Conceptual Cybersecurity Design Specification?
- Document new or upgraded security countermeasures to achieve SL-T
- Scope of Work
- Conceptual system architecture
- Budgetary and schedule estimates