美国能源部C2M2 V2.0：网络安全成熟度模型解析

需积分: 5 135 浏览量更新于2024-07-09 收藏 1.61MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"Cybersecurity Capability Maturity Model (C2M2) V2.0 是美国能源部在2021年推出的网络安全能力成熟度模型，旨在帮助组织提升其网络安全防御能力并确保关键基础设施的安全性。该模型为成熟度评估提供了框架，并包括核心概念、模型架构、使用方法和各个领域的具体实践内容。" C2M2模型是一个针对网络安全的成熟度评估工具，主要关注的是组织如何系统性地改进和增强其网络安全能力。以下是对模型主要内容的详细说明： 1. **目标受众**：C2M2模型适用于各种规模和类型的组织，特别是那些对国家安全和关键基础设施至关重要的机构，例如能源部门。它为管理层、安全专业人员和政策制定者提供了一个通用的语言和基准来衡量和提升网络安全性能。 2. **背景**：模型的开发采用了综合的方法，结合了最佳实践和行业标准，以确保其适应性和实用性。它的目标是帮助组织识别安全漏洞，并制定有针对性的改进策略。 3. **核心概念**： - **成熟度模型**：C2M2基于成熟度模型的概念，通过不同的级别（通常是1到5级）来衡量组织在特定安全实践上的成熟度。 - **关键基础设施目标**：考虑到关键基础设施的保护至关重要，模型特别强调了对这些目标的保护措施。 - **企业、组织和功能**：模型区分了企业层面、组织层面和具体功能层面的网络安全责任和实践。 4. **模型架构**： - **领域、目标和实践**：模型分为多个领域，每个领域有明确的目标和实施实践，如资产、变更和配置管理（ASSET）、威胁和漏洞管理等。 - **成熟度指标级别**：每个实践都有一个关联的成熟度指标级别，描述了从基本到优化的实施程度。 - **进度方法**：模型阐述了如何从低级别的实践向更高级别的实践发展。 - **管理进度**：强调了在管理层面如何推进和监督成熟度提升的过程。 - **实践参考符号**：提供了用于清晰记录和沟通实践实现情况的符号系统。 5. **使用模型**：C2M2的使用流程包括四个步骤： - **步骤1：进行评估**：对当前的网络安全实践进行评估，确定组织在各个领域的成熟度水平。 - **步骤2：分析识别的差距**：根据评估结果，识别需要改进的领域和差距。 - **步骤3：优先级和规划**：设定优先级，制定改进计划。 - **步骤4：实施计划并定期重新评估**：执行改进措施，并定期检查进展和效果。 6. **模型领域**：模型涵盖了一系列关键领域，例如资产管理、威胁和漏洞管理、事件响应、身份和访问管理等，每个领域都包含了具体的实践和目标，以帮助组织在这些领域内建立和完善安全能力。 C2M2模型的使用可以帮助组织系统性地提升网络安全防御能力，通过评估、规划和实施改进措施，确保其网络环境的稳健性和适应性。同时，这个模型也鼓励持续改进，以应对日益复杂和动态的网络安全挑战。

资源详情

资源推荐

Cybersecurity Capability Maturity Model, Version 2.0

CORE CONCEPTS

objectives can be interpreted to mean industry objectives, community objectives, or any other

objectives that transcend the specific business or operational objectives for the organization

but which the organization has a role and interest in fulfilling.

3.3 Enterprise, Organization, and Function

The terms enterprise, organization, and function identify which part of an entity the text of the

model is referring to. Function refers to the part of an entity to which the C2M2 will be applied

(as described further in Section 3.3.1). Organization is a higher level administrative unit in

which the function resides (e.g., an operating company). Enterprise refers to the highest level

administrative unit within an entity using the C2M2 (e.g., a parent company).

It is also important to consider that the C2M2 model was designed to apply to a wide variety of

entity types. Some enterprises may consist of multiple organizations (e.g., a holding company

with one or more operating companies); other organizations may have a more homogenous

structure that does not necessitate any differentiation between the terms enterprise and

organization. For those organizations, enterprise and organization may be used

interchangeably. Figure 1 depicts how the enterprise, organization, and function may be

organized in a notional entity.

Figure 1: Example of the Structure of a Notional Entity

3.3.1 Function

In the model, the term function is used as a scoping mechanism; it refers to the operations of

the organization that are being evaluated based on the model. It is common for an organization

to use the model to evaluate a subset of its operations.

As stated earlier, the C2M2 focuses on the implementation and management of cybersecurity

practices associated with information, information technology, and operations technology

assets and the environments in which they operate. Selecting the function that will be the focus

of a C2M2 evaluation determines both the specific assets and people to be evaluated.

Together, they constitute the function’s operating environment.

Cybersecurity Capability Maturity Model, Version 2.0

CORE CONCEPTS

The model broadly defines the function to allow organizations the greatest degree of flexibility

in determining the scope of the evaluation that is appropriate for them. Functions can align

with organizational boundaries or they can align to a single product line or system that may

cross organizational boundaries. They might include departments; lines of business; distinct

facilities; network security zones; groupings of assets; or assets, processes and resources

managed externally, such as assets that reside in the cloud. Examples of functions include

Enterprise IT, Power Distribution, Power Generation, Plant Control and Monitoring System,

E-Services, Bulk Electric SCADA System, ICS for Refinement Operations, Fuel Transportation,

and Storage Terminals. To help clarify evaluation responses, organizations will sometimes limit

the scope even further, based on whether the assets are regulated or unregulated or based on

their location, such as by region or on-site versus off-site.

Some things to consider when defining the function are:

 its significance to the organization’s mission

 its stakeholders

 its supporting assets

 whether the organization has identifiable ownership (that is, authority) over its

supporting assets

Organizations should select only functions that they can clearly determine based on the criteria

above.

For example, an organization evaluates Plant Control and Monitoring systems. The organization

describes the function’s criteria as follows:

 its significance to the organization’s mission

- The function directly supports our largest plant in the state.

 its stakeholders

- Internally our finance department gets a report of our output per week.

- Internally our parent organization requires access to collect information.

- Externally the plant provides power for X number of people, Y cities, Z

counties.

 its supporting assets

- IT equipment that directly supports the function.

- OT equipment that directly supports the function.

- Information assets that directly support the function.

- Finance and HQ receive reports directly from the system.

- There are 3 stations that are staffed 24/7 with 4 people per shift for 4 shifts.

- We have 2 vendors that can provide administrative support to the IT or OT

systems via VPN.

- The maintenance and engineering team has endpoint connection access to

the equipment but not the control room.

- The ICS system is redundant and can be swapped in by the control room.

Cybersecurity Capability Maturity Model, Version 2.0

CORE CONCEPTS

- There is a backup site about 100 miles away, which is connected through VPN

and backs up the software and data on the network daily. ICS data files are

backed up during maintenance periods every 6 months.

 whether the organization has identifiable ownership (that is, authority) over its

supporting assets

- Ownership is shared between the IT department (IT equipment and network)

and the Plant (ICS and other OT equipment).

When determining the function, one should try to avoid encompassing multiple organizations

that have substantially different cybersecurity activities. For example, if an organization has a

subsidiary whose cybersecurity activities are substantially different from those of headquarters,

it is recommended that the organization perform separate evaluations for the subsidiary and

headquarters. Combining these units in one evaluation may result in less accurate or actionable

evaluation results for headquarters and the subsidiary.

3.4 Assets

Many C2M2 practices refer to assets. For the purposes of the model, assets are IT assets, OT

assets, and information assets. Some practices specify particular asset types. IT and OT assets

include both hardware and software, such as traditional and emerging enterprise IT assets and

any industrial control system (ICS) devices, process control system devices and components,

safety instrumented systems, Internet of things (IoT) devices, industrial Internet of things (IIoT)

devices, supervisory control and data acquisition (SCADA) system devices and components,

network and communications assets, and assets residing in the cloud. Information assets are

produced and used by IT, OT, and people to support the delivery of the function. Examples of

information assets include customer data, financial records, firewall configuration files, security

information and event management (SIEM) log files, historian data, SCADA set points, and

configuration files. When evaluating whether a practice is performed completely, all forms of

assets that the function relies on should be considered.

To ensure a comprehensive evaluation, organizations should account for all types of assets that

may be in scope for the self-evaluation, such as virtualized assets, regulated assets, cloud

assets, and mobile assets. Additionally, each type of asset may have several unique variations.

For example, cloud assets may include software as a service, platform as a service,

infrastructure as a service, etc., and may be public, private, or hybrid.

Additionally, C2M2 refers to two other groupings of assets: assets that are important to the

delivery of the function and assets within the function that may be leveraged to achieve a

threat objective.

Assets that are important to the delivery of the function includes assets that are required for a

normal state of operation of the function and output of the function’s products or services. Loss

of an asset that is considered important to the delivery of the function may not directly result in

an inability to deliver the function but could result in operations being degraded. Identification

剩余89页未读，继续阅读

chzhuang316

粉丝: 0
资源: 2

美国能源部C2M2 V2.0：网络安全成熟度模型解析

智能网联汽车安全渗透白皮书 2.0.pdf

智能网联汽车信息物理系统参考架构2.0.pdf.pdf

iso sae 21434-2021 road vehicles — cybersecurity engineering.pdf

Write a 5,000-word thesis on "Application of Sandbox Technology in Cybersecurity Engineering."

cyber security she标准

elsticsearch

vda aspice for cybersecurity

aspice for cybersecurity yellow volume

信息安全（Cyber Security）

Cyber Security 脆弱性

Cyber Security

automotive spice for cybersecurity

aspice for cybersecurity

cybersecurity testing and validation

写出20个在中国的与网络安全相关的专业期刊名称

汽车电子软件由哪些cyber security 策略

vda automotive cybersecurity management system audit

hands-on artificial intelligence for cybersecurity

网络安全区块链参考文献

最新资源