Various standards relating to risk management exist to provide principles and generic guidelines on risk management. Existing cybersecurity standards include ETSI Cybersecurity Technical Committee, ISO 27001 and 27002, Standard of Good Practice, NERC, NIST, ISO 15408, RFC 2196, ISA/IEC-62443, IEC 62443 Conformity Assessment Program, IASME, and the like.
The ETSI Cybersecurity Technical Committee is responsible for the standardization of Cybersecurity internationally and for providing a center of relevant expertise for other ETSI committees. However, the different methods of governing secure transactions in the various Member States of the European Union can make it difficult to assess the respective risks and to ensure adequate security.
The ISO 27001 and 27002 is part of the growing ISO/IEC 27000 family of standards. The ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. ISO 27002 provides beset practice recommendations on information security management. However, without ISO 27001, ISO 27002 control objectives are ineffective.
The Standard of Good Practice is a comprehensive list of best practices for information security. However, the list is only updated every two years at the most.
NERC is the North American Electric Reliability Corporation which addresses patching in NERC CIP 007-6 Requirement 2. However, NERC requires Bulk Power System Operator/Owners to identify the source or sources utilized to provide security related patches for cyber assets.
NIST is the National Institute of Standards and Technology which provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. However, NIST may be limited in that NIST is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it.
ISO 15408 is a standard that develops Common Criteria, which allows different software applications to be integrated and tested in a secure way. However, ISO 15408 does not directly provide a list of product security requirements or features for specific products.
RFC (Request for Comments) 2196 is a memorandum for developing security policies and procedures for information systems connected to the internet. The RFC 2196 provides a general and broad overview of information security including network security, incident response, and security policies. However, RFC 2196 may be limited to information systems connected to the internet.
ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems. However, the ISA/IEC-62443 may be limited to Industrial Automation and Control Systems.
The IEC 62443 Conformity Assessment Program certifies Commercial Off-the-shelf IACS products and systems addressing securing the IACS supply chain. However, the IEC 62443 can be limited to certifying products from predetermined industries (e.g., automotive, oil and gas, etc.).
The IASME is a UK-based standard for information assurance at small-to-medium enterprises. The IASME provides criteria and certification for small-to-medium business cybersecurity readiness. However, the IASME may be limited as it may not apply to large businesses.
Existing survey tools lack a holistic understanding of the cyber exposures of a business, especially across different business units and various business aspects within larger organizations. Additionally, the existing survey tools fail to link risks to specific threats and identify areas of weakness while providing actionable improvement recommendations. As a result, existing survey tools fail to enhance risk financing and insurance coverage linked to priority cyber risk exposure, as well as preventing clients from understanding the insurability of their technology assets with respect to cybersecurity risks.
The “background” description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description which may not otherwise qualify as prior art at the time of filing, are neither expressly or impliedly admitted as prior art against the present invention.