Fri Apr 8 06:49:41 PDT 2016
Management: Duties: What duties should the ICS information protection (IP) Lead have?
Options:
Option S: The ICS IP Lead can specify ICS protection activities.
Option O: The ICS IP Lead can manage/perform ICS protection activities.
Option E: The ICS IP Lead can verify ICS protection activities.
Decision:
Fill in the following table detailing the alternatives for Specifying
(S), Performing (P), and Verifying (V) each ICS element for Low, Medium, and
High risk ICS systems, following these rules:
IF Risk is Low,
THEN The ICS IP Lead can specify, perform, and verify the same ICS element. (SPV)
IF Risk is Medium,
THEN The ICS IP Lead can specify and verify OR perform the same ICS element, but not both. (SV) OR (P)
IF Risk is High,
THEN No individual may do more than one of specify, perform, or verify the same ICS element. (S) OR (P) OR (V)
AND No individual may do any of S, P, or V for more than one of the Business, Assurance, or Operations aspects.
Type | Item | Low | Medium | High |
Business | Policy | . | . | . |
Business | Control Standards | . | . | . |
Business | Procedures | . | . | . |
Business | HR | . | . | . |
Business | Legal | . | . | . |
Business | Risk Management | . | . | . |
Operations | Testing | . | . | . |
Operations | Change Control | . | . | . |
Operations | Physical technical safeguards | . | . | . |
Operations | Logical technical safeguards | . | . | . |
Operations | Incident handling | . | . | . |
Assurance | Audit | . | . | . |
Assurance | Knowledge | . | . | . |
Assurance | Awareness | . | . | . |
Assurance | Documentation | . | . | . |
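The three risk-tier rules above are mechanically checkable once the table is filled in. The following is an added example, not part of the original page: a small checker that takes a proposed allocation of S, P, and V for each element in the table and reports every rule the allocation breaks at a given risk level. The aspect and element names are the rows of the table; the person names and the sample allocation are constructed for illustration. The High-risk rules are applied to every person named in the allocation, not only the ICS IP Lead, since they are written as "No individual".

```python
"""Separation-of-duties checker for the S/P/V rules above.

Added example, not part of the original page.  Encodes the three rules
(Low: SPV; Medium: (SV) or (P); High: at most one of S/P/V per element and
at most one aspect per person) and checks an allocation table against them.
People and the sample allocation below are constructed for illustration.
"""
from collections import defaultdict

# Aspects (Type) and elements (Item) exactly as in the table.
ASPECTS = {
    "Business": ["Policy", "Control Standards", "Procedures",
                 "HR", "Legal", "Risk Management"],
    "Operations": ["Testing", "Change Control",
                   "Physical technical safeguards",
                   "Logical technical safeguards", "Incident handling"],
    "Assurance": ["Audit", "Knowledge", "Awareness", "Documentation"],
}
ROLES = ("S", "P", "V")          # Specify, Perform/manage, Verify
RISKS = ("Low", "Medium", "High")


def assign(person, aspect, items, roles):
    """Build (person, aspect, item, role) tuples for every item/role pair."""
    return [(person, aspect, item, role) for item in items for role in roles]


def check_assignments(risk, assignments):
    """Return a list of rule violations; an empty list means compliant."""
    if risk not in RISKS:
        raise ValueError(f"unknown risk level {risk!r}")
    held = defaultdict(set)      # (person, aspect, item) -> roles on that element
    touched = defaultdict(set)   # person -> aspects the person works on at all
    for person, aspect, item, role in assignments:
        if item not in ASPECTS.get(aspect, ()):
            raise ValueError(f"unknown element {aspect}/{item}")
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        held[(person, aspect, item)].add(role)
        touched[person].add(aspect)

    violations = []
    if risk == "Low":
        return violations        # SPV: one person may do all three
    for (person, aspect, item), roles in sorted(held.items()):
        # Medium: performing is incompatible with specifying or verifying
        if risk == "Medium" and "P" in roles and roles & {"S", "V"}:
            violations.append(
                f"{person} both performs and specifies/verifies {aspect}/{item}")
        # High: one of S, P, V per element per person
        if risk == "High" and len(roles) > 1:
            violations.append(
                f"{person} holds {''.join(sorted(roles))} on {aspect}/{item}")
    if risk == "High":
        # High: no person may work on more than one aspect
        for person, aspects in sorted(touched.items()):
            if len(aspects) > 1:
                violations.append(
                    f"{person} works across aspects {sorted(aspects)}")
    return violations


def unfilled_cells(assignments):
    """Return (aspect, item, role) cells of the table nobody is assigned to."""
    covered = {(a, i, r) for _, a, i, r in assignments}
    return [(a, i, r) for a, items in ASPECTS.items()
            for i in items for r in ROLES if (a, i, r) not in covered]


def medium_risk_example():
    """Constructed allocation: the IP Lead specifies and verifies the
    Operations and Business elements, other people perform them, and an
    auditor specifies/verifies Assurance with a trainer performing it."""
    lead = "ICS IP Lead"
    table = []
    table += assign(lead, "Operations", ASPECTS["Operations"], "SV")
    table += assign("Ops engineer", "Operations", ASPECTS["Operations"], "P")
    table += assign(lead, "Business", ASPECTS["Business"], "SV")
    table += assign("Policy owner", "Business", ASPECTS["Business"], "P")
    table += assign("Auditor", "Assurance", ASPECTS["Assurance"], "SV")
    table += assign("Security trainer", "Assurance", ASPECTS["Assurance"], "P")
    return table


if __name__ == "__main__":
    table = medium_risk_example()
    for risk in RISKS:
        print(risk, check_assignments(risk, table) or "compliant")
    print("unfilled cells:", unfilled_cells(table))
```

The sample allocation passes at Low and Medium risk but fails at High risk twice over: the lead holds both S and V on every element, and works across two aspects. Removing one violation does not fix the other, which is the practical point of the High-risk rule: the ICS IP Lead ends up with exactly one of S, P, or V, inside exactly one of Business, Operations, or Assurance.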
Duties of the ICS IP Lead
Basis:
The roles of the ICS information protection (IP) Lead are limited by requirements for
separation of duties. In particular, any one individual who specifies,
manages/performs, and verifies a particular activity is essentially able to
subvert that activity in its entirety. For that reason, any activity
that is important enough to assure should be assured with separation
of duties, and as risk goes up, more separation is reasonably
applied. Thus the decision is about how to separate the duties of the
ICS IP Lead.
Specify: The ICS IP Lead can specify ICS protection
activities. Specifying an activity implies the ability to bound
its scope and mandate its implementation. Specifications are generally
neither complete nor perfect enough to be implemented exactly as
written.
Perform: The ICS IP Lead can perform/manage ICS protection
activities. Performing an activity implies that specific
actions are taken. They are supposed to reflect the specification, but
do not always precisely do so. Management implies direct control over performance.
Verify: The ICS IP Lead can verify ICS protection
activities. Verifying an activity implies determining whether,
and to what extent, the specification was properly performed or the
performance properly varied from the specification. Hindsight is often
touted as 20/20, but history is often rewritten by the victors, which is
why the performer should not be the one verifying.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved