ECSO State of the Art Syllabus V1


ECSO STATE OF THE ART SYLLABUS
Overview of existing Cybersecurity standards and certification schemes
WG1 | Standardisation, certification, labelling and supply chain management
JUNE 2017

ABOUT ECSO

The European Cyber Security Organisation (ECSO) ASBL is a fully self-financed not-for-profit organisation under Belgian law, established in June 2016. ECSO represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP). ECSO members include a wide variety of stakeholders across EU Member States, EEA / EFTA countries and H2020 associated countries, such as large companies, SMEs and start-ups, research centres, universities, end-users, operators, clusters and associations, as well as European Member States' local, regional and national administrations. More information about ECSO and its work can be found at www.ecs-org.eu.

Contact

For queries in relation to this document, please use [email protected]. For media enquiries about this document, please use [email protected].

Disclaimer

The document was intended for reference purposes by ECSO WG1 and was allowed to be distributed outside ECSO. Despite the authors' best efforts, no guarantee is given that the information in this document is complete and accurate. Readers of this document are encouraged to send any missing information or corrections to ECSO WG1; please use [email protected]. This document integrates the contributions received from ECSO members until April 2017. Cybersecurity is a very dynamic field. As a result, standards and schemes for assessing cybersecurity are being developed and updated frequently. To take these developments into account, this document may be updated on a regular basis, every 6 months, based on received contributions. Third-party sources are quoted as appropriate.
ECSO is not responsible for the content of the external sources, including external websites, referenced in this publication. The use of the information contained in this document is at your own risk, and no relationship is created between ECSO and any person accessing or otherwise using the document or any part of it. ECSO is not liable for actions of any nature arising from any use of the document or part of it. Neither ECSO nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice

© European Cyber Security Organisation (ECSO), 2017
Reproduction is authorised provided the source is acknowledged.

European Cyber Security Organisation (ECSO) • www.ecs-org.eu
Rue Montoyer, 10, 1000 Brussels, Belgium

TABLE OF CONTENTS

1 INTRODUCTION ..... 1
2 Overview ..... 5
2.1 Cybersecurity standards and schemes for products and components (SWG 1.1) ..... 5
2.1.1 Standards and schemes for generic IT products ..... 5
2.1.2 Standards and schemes for products used in Industry 4.0 and ICS (SWG 3.1) ..... 6
2.1.3 Standards and schemes for products used in energy networks and smart grids (SWG 3.2) ..... 6
2.1.4 Standards and schemes for products used in telecom, media and content (SWG 3.8) ..... 7
2.1.5 Standards and schemes for products used in the payment industry ..... 7
2.1.6 Standards and schemes for cryptographic modules ..... 8
2.1.7 Standards and schemes for web applications ..... 8
2.1.8 Standards and schemes for IoT products ..... 8
2.1.9 Standards and schemes for other IT products ..... 9
2.2 Standards and schemes for cloud service providers (SWG 1.2) ..... 9
2.3 Standards and schemes for service providers and organisations (SWG 1.3) ..... 10
2.3.1 Standards and schemes for generic organisations ..... 10
2.3.2 Standards and schemes for Industry 4.0 and ICS (SWG 3.1) ..... 13
2.3.3 Standards for energy networks and smart grids (SWG 3.2) ..... 14
2.3.4 Standards and schemes for transportation (road, rail, air, sea) (SWG 3.3) ..... 15
2.3.5 Standards and schemes for financial services and insurance (SWG 3.4) ..... 15
2.3.6 Standards and schemes for public services / eGovernment / Digital Citizenship (SWG 3.5) ..... 16
2.3.7 Standards and schemes for healthcare (SWG 3.6) ..... 17
2.3.8 Standards and schemes for smart cities and smart buildings (SWG 3.7) ..... 17
2.3.9 Standards and schemes for telecom, media and content (SWG 3.8) ..... 18
2.3.10 Standards and schemes for critical infrastructures ..... 18
2.3.11 Standards and schemes for general secure software development ..... 19
2.3.12 Standards and schemes for cybersecurity service providers ..... 20
2.3.13 Standards and schemes for the payment industry ..... 20
2.3.14 Standards and schemes for IoT device vendors ..... 21
2.4 Standards and schemes for security professionals ..... 22
3 Cybersecurity standards and schemes for products and components ..... 23
3.1 Standards and schemes for generic IT products ..... 23
3.1.1 Certification de Sécurité de Premier Niveau (CSPN) ..... 23
3.1.2 Commercial Product Assurance (CPA) ..... 25
3.1.3 Common Criteria (CC) ..... 27
3.1.4 European Privacy Seal ..... 31
3.1.5 National IT Evaluation Scheme (NITES) ..... 33
3.1.6 Software Improvement Group (SIG) Software Quality Model for Security ..... 34
3.1.7 UL Cybersecurity Assurance Program (UL 2900-1 / 2) ..... 35
3.1.8 ULD Datenschutz-Gütesiegel ..... 37
3.2 Standards and schemes for products used in Industry 4.0 and ICS (SWG 3.1) ..... 39
3.2.1 ISA/IEC 62443 (Security for Industrial Automation and Control Systems) ..... 39
3.2.2 IACS Cybersecurity Certification Framework ..... 40
3.3 Standards and schemes for products used in energy networks and smart grids (SWG 3.2) ..... 42
3.3.1 IEEE 1686 (Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities) ..... 42
3.3.2 IEEE C37.240 (Cybersecurity Requirements for Substation Automation, Protection, and Control Systems) ..... 43
3.4 Standards and schemes for products used in the telecom industry (SWG 3.8) ..... 44
3.4.1 GSMA Network Equipment Security Assurance Scheme ..... 44
3.5 Standards and schemes for products used in the payment industry ..... 46
3.5.1 EMVCo Security Evaluation ..... 46
3.5.2 PCI PTS HSM Security Requirements ..... 48
3.5.3 PCI Payment Application Data Security Standard (PCI PA-DSS) ..... 49
3.5.4 PCI PIN Transaction Security Point of Interaction Security (PCI PTS POI) ..... 50
3.6 Standards and schemes for cryptographic modules ..... 52
3.6.1 ASD Cryptographic Evaluation ..... 52
3.6.2 CESG Assisted Products Scheme (CAPS) ..... 53
3.6.3 FIPS 140-2 ..... 54
3.6.4 ISO/IEC 19790 (Security requirements for cryptographic modules) ..... 56
3.7 Standards and schemes for web applications ..... 58
3.7.1 OWASP Application Security Verification Standard (incl. OWASP Top 10) ..... 58
3.7.2 OWASP Testing Guide ..... 59
3.8 Standards and schemes for IoT products ..... 60
3.8.1 ICSA Labs IoT Security Testing Framework .....