June 03, 2012

ELECTRICITY SUBSECTOR CYBERSECURITY CAPABILITY MATURITY MODEL (MAY 2012)


TABLE OF CONTENTS
Acknowledgments
Cautionary Note: Intended Scope and Use of This Publication
1 Introduction
2 Background
3 About the Electricity Subsector
4 The Model
  4.1 Model Development Approach
  4.2 Model Architecture
    4.2.1 Domains
    4.2.2 Maturity Indicator Levels
  4.3 Model Domains
    4.3.1 Risk Management (RISK)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.2 Asset, Change, and Configuration Management (ASSET)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.3 Identity and Access Management (ACCESS)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.4 Threat and Vulnerability Management (THREAT)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.5 Situational Awareness (SITUATION)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.6 Information Sharing and Communications (SHARING)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.7 Event and Incident Response, Continuity of Operations (RESPONSE)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.8 Supply Chain and External Dependencies Management (DEPENDENCIES)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.9 Workforce Management (WORKFORCE)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.10 Cybersecurity Program Management (CYBER)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
5 Using the Model
  Perform an Evaluation
  Analyze Identified Gaps
  Prioritize and Plan
  Implement Plans and Periodically Re-evaluate
  Sharing Results
Appendix A: References
Appendix B: Annotated Bibliography
  Risk Management (RISK)
  Asset, Change, and Configuration Management (ASSET)
  Identity and Access Management (ACCESS)
  Threat and Vulnerability Management (THREAT)
  Situational Awareness (SITUATION)
  Information Sharing and Communications (SHARING)
  Event and Incident Response, Continuity of Operations (RESPONSE)
  Supply Chain and External Dependencies Management (DEPENDENCIES)
  Workforce Management (WORKFORCE)
  Cybersecurity Program Management (CYBER)
Appendix C: Glossary
Appendix D: Acronyms
Appendix E: Related Initiatives
Notices
Read more:
http://energy.gov/sites/prod/files/Electricity%20Subsector%20Cybersecurity%20Capabilities%20Maturity%20Model%20%28ES-C2M2%29%20-%20May%202012.pdf