论文信息 - Shared responsibility for forensic readiness-related security controls: Prerequisite for critical infrastructure maintenance and supplier relationships

Shared responsibility for forensic readiness-related security controls: Prerequisite for critical infrastructure maintenance and supplier relationships

New regulation on cybersecurity for critical infrastructure mandates the implementation of a minimum set of security measures to achieve satisfactory security posture for the respective business domain. The organization responsible for operation of a given critical infrastructure may have some flexibilities in selecting recommended or mandatory national or international standards used for compliance. No matter which set of standards and guidelines are selected, security incident response will be one of the key security requirements to be met, e.g. according to ISO/IEC 27002:2013, §16, ISO/IEC 27035, ISO/IEC 27041 or NIST SP 53Rev4. This paper focuses on the business needs and practical approaches on shared responsibility with regard to the enforcement of selected security controls. The topics and case studies addressed in this paper include shared responsibility of contractors with service providers (e.g. application providers and cloud service providers) and shared responsibility related to maintenance services (site-local maintenance, remote maintenance, and preventive maintenance). As of today there is no agreed upon semi-formal representation for expressing these shared responsibilities.

Yuan Gao | Karl Waedt | Edita Bajramovic | Mithil Parekh

[1] Hardware attacks , backdoors and electronic component qualification 9 Tweet , .

[2] Karl Waedt,et al. Automatic assets identification for smart cities: Prerequisites for cybersecurity risk assessments , 2016, 2016 IEEE International Smart Cities Conference (ISC2).

[3] Chang-Tsun Li,et al. Applying a Digital forensic readiness framework: Three case studies , 2013, 2013 IEEE International Conference on Technologies for Homeland Security (HST).

[4] Marianne Swanson,et al. SP 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems , 1996 .

[5] Karl Waedt,et al. Development, Distribution and Maintenance of Application Security Controls for Nuclear , 2017 .

[6] John F Miller,et al. Supply Chain Attack Framework and Attack Patterns , 2013 .

[7] Mhlupheki George Sibiya. Digital Forensic Model for a Cloud Environment , 2015 .

[8] Robert Rowlingson,et al. A Ten Step Process for Forensic Readiness , 2004, Int. J. Digit. EVid..

[9] Yuan Gao,et al. Graded security forensics readiness of SCADA systems , 2016, GI-Jahrestagung.