"PREVENTION, PREPAREDNESS AND CONSEQUENCE MANAGEMENT OF TERRORISM AND OTHER SECURITY-RELATED RISKS"
HOME/2012/CIPS/AG
Call identifier: CIPS/ISEC 2012
Project acronym: CYSM
Project full title: Collaborative Cyber/Physical Security Management System
Grant agreement no.:
D2.2 Report on Stakeholder requirements

Deliverable Id: D2.2
Deliverable Name: Report on stakeholder requirements
Due date of deliverable: M5
Actual submission date: M5
Work Package: WP2
Organisation name of lead contractor for this deliverable: PPA
Author(s): I. Papagiannopoulos, I. Koliousis
Partner(s) contributing: PVF, SiLo, UPRC, DITEN
Abstract
This report, based on desk research and on the analysis of the questionnaires, presents the main requirements that national and international standardization efforts, methodologies and best practices, as well as the existing legal and regulatory regime (described in D2.1), impose on the CYSM Collaborative Approach to Maritime Security Management. The report also outlines the fundamental aspects of the proposed security management system and services.
© Copyright by CYSM
Name
Month Year
History
Version | Date | Modification reason | Modified by
1 | 05-06-2013 | Formulation of the Table of Contents | N. Polemi, Y. Papagianopoulos, S. Papastergiou
CYSM
Page 2 of 45
Table of contents
1. INTRODUCTION (PPA) ..... 7
2. PORT SECURITY AWARENESS (SILO) ..... 8
3. INTERNATIONAL SAFETY PORT REQUIREMENTS (VPF) ..... 9
4. INTERNATIONAL SECURITY PORT REQUIREMENTS (DITEN) ..... 10
5. REQUIREMENTS FOR A TARGETED, HOLISTIC SECURITY MANAGEMENT METHODOLOGY (DITEN) ..... 27
6. SYSTEM SECURITY MANAGEMENT REQUIREMENTS (UPRC, SILO) ..... 31
7. ADDITIONAL NATIONAL REQUIREMENTS (VPF, PPA, SILO, DITEN) ..... 41
7.1. PIRAEUS PORT (PPA) ..... 41
7.2. VALENCIA PORT (VPF) ..... 41
7.3. PORT OF MYKONOS (SILO/PORT OF MYKONOS) ..... 41
7.4. PORT OF GENOA CASE (DITEN-UNIGE) ..... 41
8. CONCLUSIONS (PPA) ..... 42
GLOSSARY ..... 43
REFERENCES ..... 44
A. APPENDIX A ..... 45
Executive summary (PPA)
1. Introduction (PPA)
[This section will introduce the main concepts of the Deliverable in a very high-level
description]
2. Port security awareness (SiLo)
[This section will analyze the outcomes of the questionnaire completed in D2.1 by all ports. In particular, it will provide an overview of the security awareness of the ports on all topics of the questionnaire.]
3. International Safety Port Requirements (VPF, PPA)
[Overview of the requirements imposed by the ISPS Code and E.U. legislation. In this section we will derive from the ISPS Code all the safety requirements for port physical assets that will be used in the CYSM methodology. A table may also be formulated in which the first column lists all port physical assets that need to be protected (according to the ISPS Code), and the second column lists all measures the ports need to take to protect the respective assets.]
4. International Security Port Requirements (DITEN, UPRC)
The following scheme lists the information security management objectives and controls as set out in ISO 27002, clause by clause. Each control is quoted as a requirement ("shall"); the objective stated for each group is the outcome those controls are meant to achieve.
Security policies
1 - Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Organization of information security
1 - Internal organization
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.
Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
2 - Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
Mobile device policy
Control: A policy and supporting security measures shall be adopted to protect against the risks introduced by using mobile devices.
Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Human resource security
1 - Prior to employment
Objective: To ensure that employees and external party users understand their responsibilities and are suitable for the roles for which they are considered.
Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Terms and conditions of employment
Control: As part of their contractual obligation, employees shall agree and sign the terms and conditions of their employment contract, which shall state their and the organization's responsibilities for information security.
2 - During employment
Objective: To ensure that employees and external party users are aware of and fulfill their information security responsibilities.
Management responsibilities
Control: Management shall require all employees and external party users to apply security in accordance with the established policies and procedures of the organization.
Information security awareness, education and training
Control: All employees of the organization and, where relevant, external party users shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
3 - Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.
Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or external party user and enforced.
Asset management
1 - Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Ownership of assets
Control: Assets maintained in the inventory shall be owned.
Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information and information processing facilities shall be identified, documented and implemented.
2 - Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
Classification of information
Control: Information shall be classified in terms of its value, legal requirements, sensitivity or criticality to the organization.
Labeling of information
Control: An appropriate set of procedures for information labeling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
3 - Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
Access control
1 - Business requirements of access control
Objective: To restrict access to information and information processing facilities.
Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and security requirements.
Policy on the use of network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
2 - User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.
User registration and de-registration
Control: A formal user registration and de-registration procedure shall be implemented for granting and revoking access for all user types to all systems and services.
Privilege management
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
3 - User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
Use of secret authentication information
Control: Users shall be required to follow the organization's security practices in the use of secret authentication information.
4 - System and application access control
Objective: To prevent unauthorized access to systems and applications.
Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Access control to program source code
Control: Access to program source code shall be restricted.
Cryptography
1 - Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.
Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Physical and environmental security
1 - Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Working in secure areas
Control: Physical protection and guidelines for working in secure areas shall be designed and applied.
Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
2 - Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.
Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
Secure disposal or reuse of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.
Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Operations security
1 - Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.
Change management
Control: Changes to the organization, business processes, information processing facilities and systems shall be controlled.
Capacity management
Control: The use of resources shall be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.
Separation of development, testing and operational environments
Control: Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
2 - Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
3 - Backup
Objective: To protect against loss of data.
Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with the agreed backup policy.
4 - Logging and monitoring
Objective: To record events and generate evidence.
Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Administrator and operator logs
Control: System administrator and system operator activities shall be logged, protected and regularly reviewed.
Clock synchronization
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
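The three controls above (event logging, protection of log information against tampering, clock synchronization) are stated as requirements only. As an added illustration that is not part of the CYSM deliverable or of ISO 27002, the following Python builds a tamper-evident event log: each record carries the hash of its predecessor and is authenticated with a key that only the logging facility holds, and verification rejects any edited, deleted or reordered record and any timestamp that goes backwards. The record layout, the key value and the sample events are constructed for this example.

```python
"""Tamper-evident event log: hash chain plus HMAC, with a monotonic-clock check.

Added example for the logging controls; not code from the CYSM project.
Record fields, key and sample events are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed convention: the first record chains to an all-zero hash

# Constructed sample events. Timestamps are ISO-8601 UTC so that string order is
# chronological order, which is what "clock synchronization" makes meaningful.
SAMPLE_EVENTS = [
    ("2013-06-05T08:00:01Z", "operator1", "login_success"),
    ("2013-06-05T08:00:05Z", "operator1", "login_failure"),
    ("2013-06-05T08:02:10Z", "admin", "acl_change:gate3"),
]


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on dict key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, ts: str, user: str, action: str, key: bytes) -> dict:
    """Append one event, linking it to the previous record and MACing it with the facility key."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "user": user, "action": action, "prev": prev}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, hash=tag)
    chain.append(record)
    return record


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (True, n) when all n records verify, else (False, i) for the first bad record."""
    prev, last_ts = GENESIS, ""
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i  # record deleted, inserted or reordered
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("hash", "")):
            return False, i  # record contents altered after it was written
        if rec["ts"] < last_ts:
            return False, i  # clock went backwards: unsynchronised source or forged timestamp
        prev, last_ts = rec["hash"], rec["ts"]
    return True, len(chain)


def demo() -> dict:
    """Build the chain from the sample events, then show an edit and a deletion being caught."""
    key = b"logging-facility-secret"  # assumed: never available to the systems that emit events
    chain = []
    for ts, user, action in SAMPLE_EVENTS:
        append_event(chain, ts, user, action, key)

    edited = [dict(r) for r in chain]
    edited[1]["action"] = "login_success"  # a failed login rewritten as a success
    deleted = chain[:1] + chain[2:]        # the failed-login record dropped

    return {
        "intact": verify_chain(chain, key),     # (True, 3)
        "edited": verify_chain(edited, key),    # (False, 1)
        "deleted": verify_chain(deleted, key),  # (False, 1)
    }


if __name__ == "__main__":
    print(demo())
```

The MAC only defends against parties who do not hold the key. An administrator who operates the logging facility (the "Administrator and operator logs" control) can rewrite the whole chain consistently, so in practice the chain is shipped to a separate collector or write-once storage that the administrator cannot modify, and the backwards-timestamp check is only conclusive when all emitting systems are synchronized to the single reference time source the clock synchronization control requires.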
5 - Control of operational software
Objective: To ensure the integrity of operational systems.
Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.
6 - Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.
7 - Information systems audit considerations
Objective: To minimize the impact of audit activities on operational systems.
Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.
Communications security
1 - Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.
Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.
2 - Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.
Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.
Confidentiality or non-disclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
System acquisition, development and maintenance
1 - Security requirements of information systems
Objective: To ensure that security is an integral part of information systems across the entire lifecycle. This includes in particular specific security requirements for information systems which provide services over public networks.
Security requirements analysis and specification
Control: The requirements for information security controls shall be included in the statements of business and technical requirements for new information systems or enhancements to existing information systems, taking into account all relevant criteria such as the entire lifecycle or whether the application is available over public networks.
Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
2 - Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
Change control procedures
Control: The implementation of changes shall be controlled by the use of formal change control procedures.
Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
System development procedures
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development efforts.
Secure development environment
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.
System security testing
Control: Tests of the security functionality shall be carried out during development.
System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
3 - Test data
Objective: To ensure the protection of data used for testing.
Protection of test data
Control: Test data shall be selected carefully, protected and controlled.
Supplier relationships
1 - Security in supplier relationships
Objective: To ensure protection of the organization's information that is accessible by suppliers.
Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier access to the organization's information or information processing facilities shall be documented.
Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store or communicate the organization's information, or provide IT infrastructure components for it.
ICT supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with the Information and Communications Technology services and product supply chain.
2 - Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.
Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of the business information, systems and processes involved and re-assessment of risks.
Information security incident management
1 - Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.
Reporting information security weaknesses
Control: Employees and external parties using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided whether they are to be classified as information security incidents.
Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.
Learning from information security incidents
Control: Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
Information security aspects of business continuity management
1 - Information security continuity
Objective: Information security continuity shall be embedded in the organization's business continuity management (BCM) to ensure protection of information at any time and to anticipate adverse occurrences.
Planning information security continuity
Control: The organization shall determine its requirements for information security and for continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Implementing information security continuity
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to guarantee the required level of continuity for information security during an adverse situation.
Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
2 - Redundancies
Objective: To ensure availability of information processing facilities.
Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Compliance
1 - Information security reviews
Objective: To ensure that information security is implemented and operated in
accordance with the organizational policies and procedures.
Independent review of information security
Control  The organization’s approach to managing information security and its
implementation (i.e. control objectives, controls, policies, processes and procedures
for information security) shall be reviewed independently at planned intervals or
when significant changes to the security implementation occur
Compliance with security policies and standards
Control  Managers shall regularly review the compliance of information processing
and procedures within their area of responsibility with the appropriate security
policies, standards and any other security requirements
Technical compliance inspection
Control  Information systems shall be regularly inspected for compliance with the
organization’s information security policies and standards
2 - Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations
related to information security and of any security requirements.
Identification of applicable legislation and contractual requirements
Control  All relevant statutory, regulatory, contractual requirements and the
organization’s approach to meet these requirements shall be explicitly identified,
documented and kept up to date for each information system and the organization
Intellectual property rights (IPR)
Control  Appropriate procedures shall be implemented to ensure compliance with
legislative, regulatory and contractual requirements on the use of material in respect
of which there may be intellectual property rights and on the use of proprietary
software products
Protection of documented information
Control

Records
shall
be
protected
from
loss,
destruction,
falsification,
unauthorized access and unauthorized release, in accordance with statutory,
regulatory, contractual and business requirements
Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be
ensured as required in relevant legislation, regulations and, if applicable, contractual
clauses.
Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant
agreements, laws and regulations.
5. Requirements for the CYSM targeted, holistic security management methodology (UPRC, DITEN)
By identifying the constraints it is possible to list those that have an impact on the
scope and determine which of them are nevertheless amenable to action. The following
paragraphs present a non-exhaustive list of possible types of constraints, consistent
with ISO 27005.
Constraints arising from pre-existing processes
Application projects are not necessarily developed simultaneously. Some depend on
pre-existing processes. Even though a process can be broken down into sub-processes,
the process is not necessarily influenced by all the sub-processes of another process.
Technical constraints
Technical constraints, relating to infrastructure, generally arise from installed
hardware and software, and rooms or sites housing the processes:
• Files (requirements concerning organization, media management, management of access rules, etc.)
• General architecture (requirements concerning topology (centralized, distributed, client-server), physical architecture, etc.)
• Application software (requirements concerning specific software design, market standards, etc.)
• Package software (requirements concerning standards, level of evaluation, quality, compliance with norms, security, etc.)
• Hardware (requirements concerning standards, quality, compliance with norms, etc.)
• Communication networks (requirements concerning coverage, standards, capacity, reliability, etc.)
• Building infrastructure (requirements concerning civil engineering, construction, high voltages, low voltages, etc.)
Financial constraints
The implementation of security controls is often restricted by the budget that the
organization can commit. However, the financial constraint should still be the last
to be considered, as the budget allocation for security can be negotiated on the basis
of the security study.
Environmental constraints
Environmental constraints arise from the geographical or economic environment in
which the processes are implemented: country, climate, natural risks, geographical
situation, economic climate, etc.
Time constraints
The time required for implementing security controls should be considered in relation
to the ability to upgrade the information system; if the implementation time is very
long, the risks for which the control was designed may have changed. Time is a
determining factor for selecting solutions and priorities.
Constraints related to methods
Methods appropriate to the organization's know-how should be used for project
planning, specifications, development and so on.
Organizational constraints
Various constraints may follow from organizational requirements:
• Operation (requirements concerning lead-times, supply of services, surveillance, monitoring, emergency plans, degraded operation, etc.)
• Maintenance (requirements for incident troubleshooting, preventive actions, rapid correction, etc.)
• Human resources management (requirements concerning operator and user training, qualification for posts such as system administrator or data administrator, etc.)
• Administrative management (requirements concerning responsibilities, etc.)
• Development management (requirements concerning development tools, computer-aided software engineering, acceptance plans, organization to be set up, etc.)
• Management of external relations (requirements concerning organization of third-party relations, contracts, etc.)
The following table gives examples of typical threats. The list can be used during the
threat assessment process. Threats may be deliberate, accidental or environmental
(natural) and may result, for example, in damage or loss of essential services. The
following list indicates for each threat type where D (deliberate), A (accidental) or E
(environmental) is relevant. D is used for all deliberate actions aimed at information
assets, A is used for all human actions that can accidentally damage information
assets, and E is used for all incidents that are not based on human actions. The
groups of threats are not in priority order.
Type | Threat | Origin
Physical damage | Fire | A, D, E
Physical damage | Water damage | A, D, E
Physical damage | Pollution | A, D, E
Physical damage | Major accident | A, D, E
Physical damage | Destruction of equipment or media | A, D, E
Physical damage | Dust, corrosion, freezing | A, D, E
Natural events | Climatic phenomenon | E
Natural events | Seismic phenomenon | E
Natural events | Volcanic phenomenon | E
Natural events | Meteorological phenomenon | E
Natural events | Flood | E
Loss of essential services | Failure of air-conditioning or water supply system | A, D
Loss of essential services | Loss of power supply | A, D, E
Loss of essential services | Failure of telecommunication equipment | A, D
Disturbance due to radiation | Electromagnetic radiation | A, D, E
Disturbance due to radiation | Thermal radiation | A, D, E
Disturbance due to radiation | Electromagnetic pulses | A, D, E
Compromise of information | Interception of compromising interference signals | D
Compromise of information | Remote spying | D
Compromise of information | Eavesdropping | D
Compromise of information | Theft of media or documents | D
Compromise of information | Theft of equipment | D
Compromise of information | Retrieval of recycled or discarded media | D
Compromise of information | Disclosure | A, D
Compromise of information | Data from untrustworthy sources | A, D
Compromise of information | Tampering with hardware | D
Compromise of information | Tampering with software | A, D
Compromise of information | Position detection | D
Technical failures | Equipment failure | A
Technical failures | Equipment malfunction | A
Technical failures | Saturation of the information system | A, D
Technical failures | Software malfunction | A
Technical failures | Breach of information system maintainability | A, D
Unauthorized actions | Unauthorized use of equipment | D
Unauthorized actions | Fraudulent copying of software | D
Unauthorized actions | Use of counterfeit or copied software | A, D
Unauthorized actions | Corruption of data | D
Unauthorized actions | Illegal processing of data | D
Compromise of functions | Error in use | A
Compromise of functions | Abuse of rights | A, D
Compromise of functions | Forging of rights | D
Compromise of functions | Denial of actions | D
Compromise of functions | Breach of personnel availability | A, D, E
Particular attention should be paid to human threat sources. These are specifically
itemized in the following table:
Origin of threat | Motivation | Possible consequences
Hacker, cracker | Challenge; Ego; Rebellion; Status; Money | Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access
Computer criminal | Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration | Computer crime (e.g. cyber stalking); Fraudulent act (e.g. replay, impersonation, interception); Information bribery; Spoofing; System intrusion
Terrorist | Blackmail; Destruction; Exploitation; Revenge; Political gain; Media coverage | Bomb/Terrorism; Information warfare; System attack (e.g. distributed denial of service); System penetration; System tampering
Industrial espionage (Intelligence, companies, foreign governments, other government interests) | Competitive advantage; Economic espionage | Defence advantage; Political advantage; Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access (access to classified, proprietary, and/or technology-related information)
Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees) | Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g. data entry error, programming error) | Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code (e.g. virus, logic bomb, Trojan horse); Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access
The following table gives examples of vulnerabilities in various security areas,
together with examples of threats that might exploit these vulnerabilities. The lists can
help during the assessment of threats and vulnerabilities, to determine
relevant incident scenarios. It is emphasized that in some cases other threats may
exploit these vulnerabilities as well.
Types | Examples of vulnerabilities | Examples of threats
Hardware | Insufficient maintenance/faulty installation of storage media | Breach of information system maintainability
Hardware | Lack of periodic replacement schemes | Destruction of equipment or media
Hardware | Susceptibility to humidity, dust, soiling | Dust, corrosion, freezing
Hardware | Sensitivity to electromagnetic radiation | Electromagnetic radiation
Hardware | Lack of efficient configuration change controls | Error in use
Hardware | Susceptibility to voltage variations | Loss of power supply
Hardware | Susceptibility to temperature variations | Meteorological phenomenon
Hardware | Unprotected storage | Theft of media or documents
Hardware | Lack of care at disposal | Theft of media or documents
Hardware | Uncontrolled copying | Theft of media or documents
Software | No or insufficient software testing | Abuse of rights
Software | Well-known flaws in the software | Abuse of rights
Software | No 'logout' when leaving the workstation | Abuse of rights
Software | Disposal or reuse of storage media without proper erasure | Abuse of rights
Software | Lack of audit trail | Abuse of rights
Software | Wrong allocation of access rights | Abuse of rights
Software | Widely-distributed software | Corruption of data
Software | Applying application programs to the wrong data in terms of time | Corruption of data
Software | Complicated user interface | Error in use
Software | Lack of documentation | Error in use
Software | Incorrect parameter set up | Error in use
Software | Incorrect dates | Error in use
Software | Lack of identification and authentication mechanisms like user authentication | Forging of rights
Software | Unprotected password tables | Forging of rights
Software | Poor password management | Forging of rights
Software | Unnecessary services enabled | Illegal processing of data
Software | Immature or new software | Software malfunction
Software | Unclear or incomplete specifications for developers | Software malfunction
Software | Lack of effective change control | Software malfunction
Software | Uncontrolled downloading and use of software | Tampering with software
Software | Lack of back-up copies | Tampering with software
Software | Lack of physical protection of the building, doors and windows | Theft of media or documents
Software | Failure to produce management reports | Unauthorized use of equipment
Network | Lack of proof of sending or receiving a message | Denial of actions
Network | Unprotected communication lines | Eavesdropping
Network | Unprotected sensitive traffic | Eavesdropping
Network | Poor joint cabling | Failure of telecommunication equipment
Network | Single point of failure | Failure of telecommunication equipment
Network | Lack of identification and authentication of sender and receiver | Forging of rights
Network | Insecure network architecture | Remote spying
Network | Transfer of passwords in clear | Remote spying
Network | Inadequate network management (resilience of routing) | Saturation of the information system
Network | Unprotected public network connections | Unauthorized use of equipment
Personnel | Absence of personnel | Breach of personnel availability
Personnel | Inadequate recruitment procedures | Destruction of equipment or media
Personnel | Insufficient security training | Error in use
Personnel | Incorrect use of software and hardware | Error in use
Personnel | Lack of security awareness | Error in use
Personnel | Lack of monitoring mechanisms | Illegal processing of data
Personnel | Unsupervised work by outside or cleaning staff | Theft of media or documents
Personnel | Lack of policies for the correct use of telecommunications media and messaging | Unauthorized use of equipment
Site organization | Inadequate or careless use of physical access control to buildings and rooms | Destruction of equipment or media
Site organization | Location in an area susceptible to flood | Flood
Site organization | Unstable power grid | Loss of power supply
Site organization | Lack of physical protection of the building, doors and windows | Theft of equipment
Site organization | Lack of formal procedure for user registration and de-registration | Abuse of rights
Site organization | Lack of formal process for access right review (supervision) | Abuse of rights
Site organization | Lack or insufficient provisions (concerning security) in contracts with customers and/or third parties | Abuse of rights
Site organization | Lack of procedure of monitoring of information processing facilities | Abuse of rights
Site organization | Lack of regular audits (supervision) | Abuse of rights
Site organization | Lack of procedures of risk identification and assessment | Abuse of rights
Site organization | Lack of fault reports recorded in administrator and operator logs | Abuse of rights
Site organization | Inadequate service maintenance response | Breach of information system maintainability
Site organization | Lack or insufficient Service Level Agreement | Breach of information system maintainability
Site organization | Lack of change control procedure | Breach of information system maintainability
Site organization | Lack of formal procedure for ISMS documentation control | Corruption of data
Site organization | Lack of formal procedure for ISMS record supervision | Corruption of data
Site organization | Lack of formal process for authorization of publicly available information | Data from untrustworthy sources
Site organization | Lack of proper allocation of information security responsibilities | Denial of actions
Site organization | Lack of continuity plans | Equipment failure
Site organization | Lack of e-mail usage policy | Error in use
Site organization | Lack of procedures for introducing software into operational systems | Error in use
Site organization | Lack of records in administrator and operator logs | Error in use
Site organization | Lack of procedures for classified information handling | Error in use
Site organization | Lack of information security responsibilities in job descriptions | Error in use
Site organization | Lack or insufficient provisions (concerning information security) in contracts with employees | Illegal processing of data
Site organization | Lack of defined disciplinary process in case of information security incident | Theft of equipment
Site organization | Lack of formal policy on mobile computer usage | Theft of equipment
Site organization | Lack of control of off-premise assets | Theft of equipment
Site organization | Lack or insufficient 'clear desk and clear screen' policy | Theft of media or documents
Site organization | Lack of information processing facilities authorization | Theft of media or documents
Site organization | Lack of established monitoring mechanisms for security breaches | Theft of media or documents
Site organization | Lack of regular management reviews | Unauthorized use of equipment
Site organization | Lack of procedures for reporting security weaknesses | Unauthorized use of equipment
Site organization | Lack of procedures of provisions compliance with intellectual rights | Use of counterfeit or copied software
6. CYSM Security Management System Requirements (SiLo, UPRC)
[Formulate the technical, technological and functional requirements of the CYSM
system and services]
7. Additional National requirements (VPF, PPA, SiLo, Diten)
[This section will describe the requirements arising from the needs, the particularities and
the nature of the involved ports as well as the national legal framework and best
practices]
7.1. Piraeus Port (PPA)
[Overview of the requirements arising from the needs, the particularities and the
nature of the Piraeus Port Authority as well as the Greek legislation and national best
practices and guidelines]
7.2. Valencia Port (VPF)
[Overview of the requirements arising from the needs, the particularities and the
nature of the Port of Valencia as well as the Spanish legislation and national best
practices and guidelines]
7.3. Port of Mykonos (SiLo/Port of Mykonos)
[Overview of the requirements arising from the needs, the particularities and the
nature of the Port of Mykonos as well as the Greek legislation and national best
practices and guidelines]
7.4. Port of Genoa Case (DITEN- UNIGE)
[Overview of the requirements arising from the needs, the particularities and the
nature of the Port of Genoa as well as the Italian legislation and national best
practices and guidelines]
8. Conclusions (PPA)
[This section will draw conclusions]
Glossary
Term
Definition
A. Appendix A
[The ports may provide additional information if needed]