Sat Aug 30 13:01:55 PDT 2014

Management: Duties: What duties should the ICS information protection lead have?


Options:

Option S: The ICS security lead can specify ICS protection activities.
Option O: The ICS security lead can manage/perform ICS protection activities.
Option E: The ICS security lead can verify ICS protection activities.

Decisions:

Fill in the following table with the permitted combinations of Specifying (S), Performing (P), and Verifying (V) for each ICS element at Low, Medium, and High risk, following these rules:

IF Risk is Low,
THEN The ICS security lead can specify, perform, and verify the same ICS element. (SPV)
IF Risk is Medium,
THEN The ICS security lead can specify and verify OR perform the same ICS element, but not both. (SV) OR (P)
IF Risk is High, THEN

Type        Item                          Low   Medium   High
Business    Policy                        ...   ...      ...
Business    Control Standards             ...   ...      ...
Business    Procedures                    ...   ...      ...
Business    HR                            ...   ...      ...
Business    Legal                         ...   ...      ...
Business    Risk Management               ...   ...      ...
Operations  Testing                       ...   ...      ...
Operations  Change Control                ...   ...      ...
Operations  Physical technical safeguards ...   ...      ...
Operations  Logical technical safeguards  ...   ...      ...
Operations  Incident handling             ...   ...      ...
Assurance   Audit                         ...   ...      ...
Assurance   Knowledge                     ...   ...      ...
Assurance   Awareness                     ...   ...      ...
Assurance   Documentation                 ...   ...      ...

Duties of the ICS protection lead

Basis:

The roles of the ICS security lead are limited by requirements for separation of duties. In particular, any one individual who specifies, manages/performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the ICS security lead.

Specify: The ICS security lead can specify ICS protection activities.
Specifying an activity implies the ability to bound its scope and mandate its implementation. Generally, specifications are not so complete or perfect that they are implementable as is in performance.

Perform: The ICS security lead can perform/manage ICS protection activities.
Performing an activity implies that specific actions are taken. They are supposed to reflect the specification, but do not always precisely do so. Management implies direct control over performance.

Verify: The ICS security lead can verify ICS protection activities.
Verifying an activity implies determining whether and to what extent, the specification was properly performed or the performance properly varied from the specification. Hindsight is often touted as 20/20, but then history is often rewritten by the victors.
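The separation-of-duties rules above (Low: SPV permitted; Medium: (SV) or (P) but not both; High: no rule stated on this page) can be applied mechanically to a filled-in copy of the table. The following checker is an added example, not part of the original page or its author's material; the table contents it audits are constructed sample entries, not an answer key, and the High-risk row is deliberately reported as undefined because the page gives no rule for it.

```python
"""Separation-of-duties check for the ICS security lead's S/P/V assignments.

Encodes the page's Low and Medium rules as stated; High is left undefined
so that any High-risk cell is flagged for review rather than guessed at.
"""
from typing import Dict, List, Set, Tuple

SPECIFY, PERFORM, VERIFY = "S", "P", "V"
DUTIES = {SPECIFY, PERFORM, VERIFY}


def parse_duties(code: str) -> Set[str]:
    """Turn a table cell such as 'SPV', 'SV' or '' into a set of duty letters."""
    duties = set(code.upper().replace(" ", ""))
    unknown = duties - DUTIES
    if unknown:
        raise ValueError(f"unknown duty letters: {sorted(unknown)}")
    return duties


def check_assignment(risk: str, duties: Set[str]) -> str:
    """Return 'ok', 'violation' or 'undefined' for one cell of the S/P/V table."""
    risk = risk.capitalize()
    if risk == "Low":
        # Low risk: the lead may specify, perform and verify the same element (SPV).
        return "ok"
    if risk == "Medium":
        # Medium risk: (S and/or V) or P alone; P must never sit with S or V.
        if PERFORM in duties and (SPECIFY in duties or VERIFY in duties):
            return "violation"
        return "ok"
    if risk == "High":
        # The page states no rule for High; flag the cell instead of inventing one.
        return "undefined"
    raise ValueError(f"unknown risk level: {risk}")


Row = Tuple[str, str]  # (Type, Item) as in the table's first two columns
Finding = Tuple[str, str, str, str, str]  # (type, item, risk, duties, result)


def audit_table(table: Dict[Row, Dict[str, str]]) -> List[Finding]:
    """Check every (row, risk) cell and return the cells that are not 'ok'."""
    findings: List[Finding] = []
    for (kind, item), cells in table.items():
        for risk, code in cells.items():
            result = check_assignment(risk, parse_duties(code))
            if result != "ok":
                findings.append((kind, item, risk, code, result))
    return findings


# Constructed sample: a partly filled-in copy of the page's table (hypothetical
# entries chosen to exercise each rule, not the author's intended answers).
SAMPLE_TABLE: Dict[Row, Dict[str, str]] = {
    ("Business", "Policy"):           {"Low": "SPV", "Medium": "SV", "High": "S"},
    ("Operations", "Change Control"): {"Low": "SPV", "Medium": "SP", "High": "P"},
    ("Assurance", "Audit"):           {"Low": "SPV", "Medium": "P",  "High": "V"},
}

if __name__ == "__main__":
    for finding in audit_table(SAMPLE_TABLE):
        print(*finding)
```

Running the block reports the Medium-risk "SP" cell for Change Control as a violation (the lead would both perform and specify the same element) and every High-risk cell as undefined, which is the honest result until the missing High rule is supplied.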

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved