After having analysed the "why" behind the cybersecurity capacities evaluation model in the first entry dedicated to the C4V model, and having explained how to carry out appropriate risk management in the value chain in the second entry, this third entry is dedicated to explaining how to carry out a self-evaluation.
In order to tackle this evaluation of our own cybersecurity capacities, INCIBE-CERT users can make use of the self-evaluation tool which helps with this process. Not surprisingly, the C4V model has the same aim as the other ENCI components: to provide tools to improve the protection level of critical infrastructures.
But, before filling out the information that the tool requests, it is important to understand certain things about the C4V model.
Identification of scope
To define the scope of the evaluation, we should identify the specific architecture of the system that provides the service to be evaluated.
It is important to highlight that "the scope should include all of the connected and not completely segregated systems for any of the system's components, since they may affect its security". In other words, if there is no segregation on the network, all of it should be included within the scope (!).
The components to be considered within the scope are the usual ones in this type of analysis: people, processes and technology (servers, applications, network components, including virtualised ones, and of course the industrial control systems' own components).
Criteria for determining the level of capability
Not all the controls included in the model carry the same weight (what we call "importance"), so it is not necessary to implement all of them to reach a given level of capability. Instead, to be evaluated at a level, the following must have been implemented:
- 100% of priority 1 controls corresponding to the relevant level;
- at least 85% of priority 2 controls; and
- at least 50% of priority 3 controls.
Assessor's independence and ability
The model does not determine a specific evaluation system (self-evaluation, auditing, etc.), but it does recommend the use of an assessor who is independent from the managers of the operation of the system, whether that be internal (typically internal auditing) or external (an independent auditing company).
Likewise, as with any evaluation, it is necessary to ensure that the assessors have the sufficient knowledge and experience to carry out said evaluation.
Once the above has been assured, the steps to carry out a self-evaluation with the proposed tool are very simple:
- Identify, if so desired, a target level (otherwise the complete model will be evaluated).
- Define the scope - In other words, indicate whether any of the 14 domains that make up the model are not applicable (for example, in-house development or use of third parties).
- Indicate if the controls that figure in the detailed list have been implemented or not (it can also be individually indicated if a specific control is not applicable).
- Check the assigned capability level - Based on the responses given, the tool calculates the percentages per control type, dimension and level, and generates the capability level (from A+ to D, as you already know) reached by the system in each of the dimensions (confidentiality, integrity and availability).
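To make the capability-level criteria and the tool's per-dimension calculation concrete, here is an added worked example (not the INCIBE-CERT tool's code): it applies the 100% / 85% / 50% thresholds by priority to a constructed list of controls, excludes controls marked "not applicable" from the ratios, and honours an optional target level. The intermediate labels between A+ and D and the cumulative reading of levels (a level only counts if every lower level is also met) are assumptions.

```python
from collections import defaultdict

# Assumed ordering of capability levels, lowest to highest. The post only
# names A+ and D as the extremes; the intermediate labels are an assumption.
LEVELS = ["D", "C", "B", "A", "A+"]

# Share of applicable controls that must be implemented, per priority (from the post).
THRESHOLDS = {1: 1.00, 2: 0.85, 3: 0.50}

def level_met(controls, level):
    """True if, for every priority, the implemented share of applicable controls at `level` meets its threshold."""
    counts = defaultdict(lambda: [0, 0])  # priority -> [implemented, applicable]
    for c in controls:
        if c["level"] != level or c["status"] == "n/a":
            continue  # "not applicable" controls do not count towards the ratio
        counts[c["priority"]][1] += 1
        if c["status"] == "implemented":
            counts[c["priority"]][0] += 1
    for priority, required in THRESHOLDS.items():
        done, total = counts[priority]
        if total and done / total < required:
            return False  # the weakest priority caps the result
    return True

def capability_level(controls, dimension, target=None):
    """Highest level reached for one dimension (assumed cumulative); None if even the lowest level is missed."""
    relevant = [c for c in controls if c["dimension"] == dimension]
    reached = None
    for level in LEVELS:
        if not level_met(relevant, level):
            break
        reached = level
        if level == target:
            break  # stop at the requested target level, as the tool allows
    return reached

def make(dimension, level, priority, statuses):
    return [{"dimension": dimension, "level": level, "priority": priority, "status": s} for s in statuses]

# Constructed sample answers; statuses are "implemented", "missing" or "n/a".
SAMPLE = (
    make("confidentiality", "D", 1, ["implemented"] * 2) + make("confidentiality", "D", 2, ["implemented"] * 2)
    + make("confidentiality", "D", 3, ["implemented"]) + make("confidentiality", "C", 1, ["implemented"])
    + make("confidentiality", "C", 2, ["implemented"] * 2) + make("confidentiality", "C", 3, ["implemented", "missing"])
    + make("confidentiality", "B", 1, ["implemented"]) + make("confidentiality", "B", 2, ["implemented", "implemented", "n/a"])
    + make("confidentiality", "B", 3, ["implemented", "missing"]) + make("confidentiality", "A", 1, ["implemented", "missing"])
    + make("availability", "D", 1, ["implemented"]) + make("availability", "D", 2, ["implemented"] * 5 + ["missing"])
)
```

Note that availability fails level D because five of six priority 2 controls is 83%, just under the 85% threshold, while the "n/a" control in confidentiality's level B is left out of the ratio entirely.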
This self-evaluation identifies the system's weakest areas, since it is the weakest or least mature controls that determine the rating level. This mechanism lets us make systems progressively more robust, since there is always an improvement worth investing in that raises the capability level of the complete system.
Why don't you try the tool for yourselves and share your experience with us? We've made it especially for you.
Antonio Ramos, Founding Partner of LEET Security