ETSI TR 103 305-4-2016 CYBER Critical Security Controls for Effective Cyber Defence Part 4 Facilitation Mechanisms (V1 1 1).pdf

1、 ETSI TR 103 305-4 V1.1.1 (2016-08) CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms TECHNICAL REPORT ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)2 Reference DTR/CYBER-0012-4 Keywords Cyber Security, Cyber-defence, information assurance ETSI 650 Route des Luc

2、ioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/stand

3、ards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in content

4、s between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. I

5、nformation on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyri

6、ght Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The c

7、opyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETS

8、I registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Executive

9、summary 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Critical Security Controls: Privacy Impact Assessment . 6g34.0 Description . 6g34.1 Privacy Impact Assess

10、ment of the Critical Security Controls 7g34.1.1 Overview 7g34.1.2 Authorities 7g34.1.3 Characterizing Control-Related Information 8g34.1.4 Uses of Control-Related Information 8g34.1.5 Security. 9g34.1.6 Notice 9g34.1.7 Data Retention 10g34.1.8 Information Sharing 10g34.1.9 Redress 10g34.1.10 Auditin

11、g and Accountability . 10g35 Critical Security Controls: Mapping to Well-Known Cyber Security Frameworks. 11g36 Critical Security Controls: Cyber Hygiene Programs 12g37 Critical Security Controls: Management Governance 12g37.0 General . 12g37.1 How the Critical Security Controls Can Help 13g37.1.0 I

12、ntroduction. 13g37.1.1 Governance item #1: Identify the most important information assets and the impact on business or mission if they are compromised 13g37.1.2 Governance Item #2: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place

13、to manage the risk. 13g37.1.3 Governance Item #3: Clearly identify the key threats to your information and assess the weaknesses in your defense 13g37.1.4 Governance Item #4: Confirm and control who has access to the most important information . 14g37.2 Developing an Overall Governance Strategy . 14

14、g3History 16g3ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and

15、can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the E

16、TSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Forewo

17、rd This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). The present document is part 4 of a multi-part deliverable. Full details of the entire series can be found in part 1 i.6. Modal verbs terminology In the present document “should“, “should not“, “may“,

18、 “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The prese

19、nt document is an evolving repository for diverse facilitation mechanism guidelines for Critical Security Control implementations. These mechanisms initially include privacy impact assessment, mapping to well-known cybersecurity frameworks, Cyber Hygiene programs, and management governance. Introduc

20、tion The Critical Security Controls (“the Controls“) exist within a larger cyber security ecosystem that relies on the Controls as critically important defensive measures. There are a variety of facilitation mechanisms that facilitate and encourage their use. This document provides a placeholder for

21、 such mechanisms, and initially includes four of them: Privacy Impact Assessment, Mapping to Well-Known Cyber Security Frameworks, Cyber Hygiene Programs, Management Governance. ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)5 1 Scope The present document is an evolving repository for diverse facilitation m

22、echanism guidelines for Critical Security Control implementations. These mechanisms initially include privacy impact assessment, mapping to well-known cyber security frameworks, Cyber Hygiene programs, and management governance. The present document is also technically equivalent and compatible with

23、 the 6.0 version of the CIS Companion Guides and Controls appendices C, D, E and F which can be found at the website https:/www.cisecurity.org/critical-controls/ i.1, i.2. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative reference

24、s References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: W

25、hile any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 T

26、he Center for Internet Cybersecurity: “Toward A Privacy Impact Assessment (PIA) Companion to the CIS Critical SecurityControls“ version 6, October 15, 2015. NOTE: Available at https:/www.cisecurity.org/critical-controls.cfm. i.2 The Center for Internet Cybersecurity: “Critical Security Controls for

27、Effective Cyber Defense Version 6.0“ October 15, 2015. NOTE: Available at https:/www.cisecurity.org/critical-controls.cfm. i.3 U.S. Department of Homeland Security: “Fair Information Practice Principles (FIPPS)“. See also, NIST, “National strategy for trusted identities in cyberspace, Fair Informati

28、on Practice Principles (FIPPs)“. NOTE: Available at http:/www.dhs.gov/publication/fair-information-practice-principles-fipps and http:/www.nist.gov/nstic/NSTIC-FIPPs.pdf. i.4 Information and Privacy Commissioner of Ontario: “Introduction to PbD“. NOTE: Available at https:/www.privacybydesign.ca. i.5

29、 CIS National Campaign for Cyber Hygiene. NOTE: Available at https:/www.cisecurity.org/cyber-pledge/. i.6 ETSI TR 103 305-1: “CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls“. ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)6 3 Definitions and abbreviatio

30、ns 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and effective defences of experts that are maintained by the Center for Internet Cyber

31、security and found at the website https:/www.cisecurity.org/critical-controls/ 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AC Access Control (NIST) AE Anomalies and Events (NIST) AM Asset Management (NIST) AN Analysis (NIST) ASD Australian Signals D

32、irectorate AT Awareness and Training (NIST) CDM Continuous Diagnostic and Mitigation CIS Center for Internet Security CM Continuous Monitoring (NIST) CSC Critical Security Control or Capability CSF Cybersecurity Framework (NIST) DHS Department of Homeland Security DP Detection Processes (NIST) DS Da

33、ta Security (NIST) FIP Fair Information Practice principles IM Improvements IP Information Protection IT Information Technology MI Mitigation (NIST) NIST National Institute of Standards and Technology NIST National Institute of Standards and Technology PIA Privacy Impact Assessment PII Personally id

34、entifiable information PT Principle of Transparency; Protective Technology (NIST) RA Risk Assessment RP Recovery Planning SORN Statement of Records Notice 4 Critical Security Controls: Privacy Impact Assessment 4.0 Description An effective posture of enterprise cybersecurity need not, and, indeed, s

35、hould not compromise individual privacy. Many laws, regulations, guidelines, and recommendations exist to safeguard privacy, and enterprises will, in many cases, adapt their existing policies on privacy as they apply the Controls. ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)7 At a minimum, use of the Con

36、trols should conform to the general principles embodied in the Fair Information Practice principles (FIPs) i.3 and in Privacy by Design i.4. All enterprises that apply the Controls should undertake - and make available to stakeholders - privacy impact assessments of relevant systems to ensure that a

37、ppropriate protections are in place as the Controls are implemented. Every enterprise should also regularly review these assessments as material changes to its cybersecurity posture are adopted. The aim is to assess and mitigate the major potential privacy risks associated with implementing specific

38、 Controls as well as evaluate the overall impact of the Controls on individual privacy. To assist enterprises in efforts to conduct a privacy impact assessment when implementing the Controls and to contribute to the establishment of a more general reference standard for privacy and the Controls, the

39、 CIS convenes technical and privacy experts to review each Control and offer recommendations for best practice. The following framework guides this efforts and provides an outline for a Privacy Impact Assessment. 4.1 Privacy Impact Assessment of the Critical Security Controls 4.1.1 Overview Outline

40、the purpose of each Control and provide justification for any actual or potential intersection with privacy-sensitive information: Where possible, identify how technologies, procedures, and data flows are used to implement the Control. Provide a brief description of how the Control generally collect

41、s and stores information. Identify the type of data collected by the Control and the kinds of information that can be derived from this data. In discussing how the Control might collect and use PII, include a typical transaction that details the life cycle of that PII from collection to disposal. De

42、scribe the measures necessary to protect privacy data and mitigate any risks of unauthorized access or inadvertent disclosure of the data. The aim here is not to list every possible risk to privacy, but rather, to provide a holistic view of the risks to privacy that could arise from implementation o

43、f the Control. Describe any potential ad-hoc or routine information sharing that will result from the implementation of the Control both within the enterprise and with external sharing partners. Also describe how such external sharing is compatible with the original collection of the information, an

44、d what agreements would need to be in place to support this sharing. 4.1.2 Authorities Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or use of information by the Control: List the statutory and regulatory authorities that wou

45、ld govern operation of the Control, including the authorities to collect the information identified above. Explain how the statutory and regulatory authorities permit or would limit collection and use of the information or govern geographic storage requirements. If the Control would conceivably coll

46、ect Personally Identifiable Information (PII), also identify the specific statutory authority that would permit such collection. Would the responsible office of an enterprise be able to rely on authorities of another parent organization, subsidiary, partner or agency? Might the information collected

47、 by the Control be received from a foreign user, organization or government? If so, do any international agreement, contract, privacy policy or memorandum of understanding exist to support or otherwise govern this collection? ETSI ETSI TR 103 305-4 V1.1.1 (2016-08)8 4.1.3 Characterizing Control-Rela

48、ted Information Identify the type of data the Control collects, uses, disseminates, or maintains: For each Control, identify both the categories of technology sources, logs, or individuals from whom information would be collected, and, for each category, list any potential PII, that might be gathere

49、d, used, or stored to support the Control: - Relevant information here includes (but is not limited to): name; date of birth; mailing address; telephone numbers; social security number; e-mail address; mothers maiden name; medical records locators; bank account numbers; health plan beneficiaries; any other account numbers; certificates or other license numbers; vehicle identifiers, including license plates; marriage records; civil or criminal history information; medical records; device identifiers and serial numbers; education reco