Corporate governance needs a good way to get an overview of whether every area of the business has its security arrangements in place. At a recent Net Tuesday (網路星期二) I heard Allen Own's talk, which mentioned the NIST Cybersecurity Framework, and it interested me a lot: with a framework you know how to inventory the company's state and see where our preparation for security matters falls short.
What is interesting about the NIST Cybersecurity Framework is that it sorts security matters along a life cycle. From Identify, Protect, Detect, Respond and Recover, you can see that the concept is meant to give everyone a correct understanding of security incidents. The content is also fairly simple and readable, and it is useful for the people managing corporate governance, the R&D staff, the sales staff, customer support and so on. Although the prevalent certification domestically is ISO 27001, and I have rarely heard of certification based on the NIST Cybersecurity Framework, I think that, certified or not, a security framework is a good way to get to know a company's security: you learn what structure to view security through, and it also helps with a later ISO rollout.
Over a few weeks of a reading group with colleagues, we went through the content item by item and translated part of it. The translation may not be entirely correct and the wording is not very precise, but I still hope this Chinese-English side-by-side rendering can help companies that want to review their security seriously in the future.
Also recommended:
- NIST Cybersecurity Framework quick start guide: https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide
- Allen Own's talk: https://nettuesday.tw/events/2022/10/1178
--
IDENTIFY (ID)
Asset Management (ID.AM)
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
The data, personnel, equipment, systems and facilities used by the office should be identified and managed according to their relative importance to the organization's objectives and risk strategy.
ID.AM-1: Physical devices and systems within the organization are inventoried
Physical devices and systems inside the organization have been inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried
Software platforms and applications inside the organization have been inventoried.
ID.AM-3: Organizational communication and data flows are mapped
Internal communication and data flows have been mapped and are managed.
ID.AM-4: External information systems are catalogued
External information systems have been catalogued.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
Resources (e.g. hardware, devices, data, time, personnel and software) are prioritized according to their classification, criticality and business value.
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
Cybersecurity roles and responsibilities have been established for the entire workforce and for third-party stakeholders (e.g. suppliers, customers, partners).
Business Environment (ID.BE)
The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
The organization's mission, objectives, stakeholders and activities are understood and prioritized; this information is used to inform security roles, responsibilities and risk management decisions.
ID.BE-1: The organization’s role in the supply chain is identified and communicated
The organization's role in the supply chain is identified and communicated.
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
The organization's place in critical infrastructure, and the sector it belongs to, are identified and communicated.
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
Priorities for the organization's mission, objectives and activities are established and communicated.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
The dependencies and critical functions needed to deliver critical services are established.
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
The resilience needed to keep delivering critical services is achieved under attack, during recovery and in normal operation.
Governance (ID.GV)
The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Governance is the set of policies, procedures and processes by which the organization manages and monitors its day-to-day obligations (legal, risk, organizational environment, operational necessities and so on); these are well understood and inform the management of security risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated
The organization has established a security policy and has communicated it fully.
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
Security roles and responsibilities are coordinated and kept aligned with internal roles and external partners.
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Legal and regulatory requirements related to security, including privacy and civil liberties obligations, are fully understood and managed.
ID.GV-4: Governance and risk management processes address cybersecurity risks
Governance and risk management processes already cover security-related risks.
Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
The organization understands the cybersecurity risk to its operations (including mission, functions, image and reputation), to its assets and to individuals.
ID.RA-1: Asset vulnerabilities are identified and documented
Asset vulnerabilities are identified and documented.
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
Cyber threat intelligence is received from information-sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented
Internal and external threats are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified
Potential business impacts and their likelihood are identified.
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
ID.RA-6: Risk responses are identified and prioritized
Risk responses are identified and their priority is determined.
Risk Management Strategy (ID.RM)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
The organization's priorities, constraints, risk tolerance and assumptions are established and used to decide how risk is handled in operations.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
Risk management processes are established, managed and agreed to by the organization's stakeholders.
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
Organizational risk tolerance is determined and clearly expressed.
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.
The organization's determination of its risk tolerance is informed by its role in critical infrastructure and by sector-specific risk analysis.
Supply Chain Risk Management (ID.SC)
The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
The organization's priorities, constraints, risk tolerance and assumptions are established and used to support risk decisions as part of managing supply chain risk. The organization has established and implemented processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
Cyber supply chain risk management processes are identified, established, assessed and managed, with the agreement of stakeholders.
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
Suppliers and third-party partners for information systems, components and services are identified, prioritized and assessed, and these assessments use a cyber supply chain risk assessment process.
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Contracts with suppliers and third-party partners are designed to match the objectives of the organization's security program and its cyber supply chain risk management plan.
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Suppliers and third-party partners routinely provide audits, test results or other forms of evaluation to confirm that they meet their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
Response and recovery plans take suppliers and third-party partners into account, and are tested and carried out with them.
PROTECT (PR)
Identity Management, Authentication and Access Control (PR.AC)
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Access to physical and logical assets and associated facilities is limited to authorized users, processes and devices, and is managed according to the assessed risk of unauthorized access to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes.
Create a unique account for every employee, and make sure each account can only access the information needed for that person's job.
PR.AC-2: Physical access to assets is managed and protected
Physical access is managed and protected.
Physical access: a person's ability, at the physical level, to reach (touch) the computer system itself.
PR.AC-3: Remote access is managed
Remote access is managed.
When someone needs to connect back to a system remotely, access permissions must be managed (e.g. with a YubiKey).
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Access permissions and authorizations are managed, applying the principles of least privilege and separation of duties.
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate (e.g., network segmentation)
Network integrity is protected, for example by segregating or segmenting the network.
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
Identities are proofed, bound to credentials and asserted in interactions; the person being hired needs to be verified.
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
Users, devices and other assets are authenticated (e.g. single-factor with a password, or 2FA/two-step verification) commensurate with the risk of the transaction (e.g. individuals' security and privacy risks and other organizational risks).
Awareness and Training (PR.AT)
The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
The organization's personnel and partners receive cybersecurity awareness education and are trained to carry out their security-related duties and responsibilities in line with related policies, procedures and agreements.
Video walkthrough: https://youtu.be/M58a5-FJM74
PR.AT-1: All users are informed and trained
All users are informed and trained.
PR.AT-2: Privileged users understand their roles and responsibilities
Privileged users (those holding security-relevant permissions) understand their roles and responsibilities.
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
Third-party stakeholders (e.g. suppliers, customers, partners) understand their roles and responsibilities.
PR.AT-4: Senior executives understand their roles and responsibilities
Senior executives understand their roles and responsibilities.
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
Physical security and cybersecurity personnel understand their roles and responsibilities.
Data Security (PR.DS)
Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
Information and records (data) are managed in line with the organization's risk strategy to protect the confidentiality, integrity and availability of information.
PR.DS-1: Data-at-rest is protected
Stored data, such as files on a server, is protected.
PR.DS-2: Data-in-transit is protected
Data in transit is protected.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Assets are formally managed throughout removal, transfer and disposal.
PR.DS-4: Adequate capacity to ensure availability is maintained
Adequate capacity is maintained to ensure availability.
PR.DS-5: Protections against data leaks are implemented
Measures to prevent data leaks are implemented.
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
Integrity-checking mechanisms are used to verify the integrity of software, firmware and information.
PR.DS-7: The development and testing environment(s) are separate from the production environment
Development and test environments are separated from the production environment.
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Integrity-checking mechanisms are used to verify hardware integrity.
Information Protection Processes and Procedures (PR.IP)
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Security policies (covering purpose, scope, roles, responsibilities, management commitment and coordination between organizational entities), processes and procedures are maintained and used to manage the protection of information systems and assets.
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
Security principles must be built into the baseline configuration of information technology and industrial control systems, for example the concept of least functionality.
PR.IP-2: A System Development Life Cycle to manage systems is implemented
A System Development Life Cycle (meaning the whole process from planning, building and testing through to final deployment) is implemented to manage systems.
PR.IP-3: Configuration change control processes are in place
Configuration change control processes are in place and appropriate.
PR.IP-4: Backups of information are conducted, maintained, and tested
Backups of information are performed on an ongoing basis, and the backups are tested to confirm the data is usable.
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
Policy and regulations regarding the physical operating environment of organizational assets are met.
PR.IP-6: Data is destroyed according to policy
Data is destroyed according to policy.
PR.IP-7: Protection processes are improved
Protection processes are improved.
PR.IP-8: Effectiveness of protection technologies is shared
The effectiveness of protection technologies is shared.
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Response plans (incident response and business continuity) and recovery plans (incident recovery and disaster recovery) are in place and managed.
PR.IP-10: Response and recovery plans are tested
Response and recovery plans are tested.
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
Cybersecurity is included in human resources practices (e.g. deprovisioning, personnel screening).
PR.IP-12: A vulnerability management plan is developed and implemented
A vulnerability management plan is developed and implemented.
Maintenance (PR.MA)
Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
Maintenance and repair of organizational assets are performed with approved and controlled tools, and are logged.
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Remote maintenance of organizational assets is approved, logged and performed in a way that prevents unauthorized access.
Protective Technology (PR.PT)
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
Technical security solutions are managed to ensure the security and resilience of systems and assets, in line with related policies, procedures and agreements.
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
PR.PT-2: Removable media is protected and its use restricted according to policy
Removable media (portable data storage devices) is protected and its use is restricted according to policy.
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
The principle of least functionality is applied by configuring systems to provide only essential capabilities, for example role management in a CRM (as explained in the video).
PR.PT-4: Communications and control networks are protected
Communications and control networks are protected.
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
Mechanisms (e.g. failsafe, load balancing, hot swap) are implemented to meet resilience requirements in normal and adverse situations.
DETECT (DE)
Anomalies and Events (DE.AE)
Anomalous activity is detected, and the potential impact of events is understood.
Anomalous activity is detected, and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods
Detected events are analyzed to understand the attack targets and methods.
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
Event data is collected from multiple sources and sensors and correlated.
DE.AE-4: Impact of events is determined
The impact of events is determined.
DE.AE-5: Incident alert thresholds are established
Incident alert thresholds are established.
Security Continuous Monitoring (DE.CM)
The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Information systems and assets are monitored to identify cybersecurity events and verify that protective measures are effective.
DE.CM-1: The network is monitored to detect potential cybersecurity events
The network is monitored to detect potential cybersecurity events.
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
The physical environment is monitored to detect potential cybersecurity events.
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
Personnel activity is monitored to detect potential cybersecurity events.
DE.CM-4: Malicious code is detected
Malicious code is detected.
DE.CM-5: Unauthorized mobile code is detected
Unauthorized mobile code is detected.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
External service provider activity is monitored to detect potential cybersecurity events.
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
Monitoring for unauthorized personnel, connections, devices and software is performed.
DE.CM-8: Vulnerability scans are performed
Vulnerability scans are performed.
Detection Processes (DE.DP)
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
Roles and responsibilities for detection are clearly defined to ensure accountability.
DE.DP-2: Detection activities comply with all applicable requirements
Detection activities comply with all applicable requirements.
DE.DP-3: Detection processes are tested
Detection processes are tested.
DE.DP-4: Event detection information is communicated
Event detection information is communicated.
DE.DP-5: Detection processes are continuously improved
Detection processes are continuously improved.
RESPOND (RS)
Response Planning (RS.RP)
Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
Response processes are executed and maintained to ensure that detected cybersecurity incidents are responded to.
RS.RP-1: Response plan is executed during or after an incident.
The response plan is executed during or after a security incident.
Communications (RS.CO)
Response activities are coordinated with internal and external stakeholders, as appropriate (e.g. external support from law enforcement agencies).
Coordination of response activities with internal and external stakeholders is handled as the situation requires, including, for example, external support from law enforcement agencies.
RS.CO-1: Personnel know their roles and order of operations when a response is needed
When a response is needed, personnel know their roles and the order of operations.
RS.CO-2: Incidents are reported consistent with established criteria
Incidents are reported according to established criteria.
RS.CO-3: Information is shared consistent with response plans
Information is shared according to the response plans.
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
Coordination with stakeholders is consistent with the response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Information is shared voluntarily with external stakeholders to achieve broader cybersecurity situational awareness.
Analysis (RS.AN)
Analysis is conducted to ensure effective response and support recovery activities.
Analysis is conducted to ensure an effective response and to support recovery activities.
RS.AN-1: Notifications from detection systems are investigated
Notifications from detection systems are investigated.
RS.AN-2: The impact of the incident is understood
The impact of the incident is understood.
RS.AN-3: Forensics are performed
Forensics are performed.
RS.AN-4: Incidents are categorized consistent with response plans
Incidents are categorized consistently with the response plans.
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins or security researchers).
Mitigation (RS.MI)
Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate/resolve the incident.
Activities are carried out to prevent an event from spreading, to mitigate its effects and to eradicate the incident.
RS.MI-1: Incidents are contained
Incidents are contained.
RS.MI-2: Incidents are mitigated
Incidents are mitigated.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Newly identified vulnerabilities are mitigated or documented as accepted risks.
Improvements (RS.IM)
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
Improvement plans are carried out using the lessons learned from current and past detection and response activities.
RS.IM-1: Response plans incorporate lessons learned
Response plans incorporate lessons learned (passing on experience): what was learned in past activities should be taken into account in future activities and actions.
RS.IM-2: Response strategies are updated
Response strategies are updated.
RECOVER (RC)
Recovery Planning (RC.RP)
Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
Recovery processes and steps are executed and maintained to safeguard the systems and assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
The recovery plan is executed during or after a cybersecurity incident.
Reference: ISO 27001:2013 A.16.1.5, Response to information security incidents; the control requires that information security incidents be responded to in accordance with the documented procedures.
Improvements (RC.IM)
Recovery planning and processes are improved by incorporating lessons learned into future activities.
Recovery plans and processes are improved by integrating the lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
Recovery plans incorporate lessons learned (passing on experience).
RC.IM-2: Recovery strategies are updated
Recovery strategies are updated.
Communications (RC.CO)
RC.CO-1: Public relations are managed
Public relations are managed.
RC.CO-2: Reputation is repaired after an incident
Reputation is restored after an incident.
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Recovery activities are communicated to internal and external stakeholders as well as to the executive and management teams.