[...] maturity/capability levels and implementation-state Profiles of various cybersecurity programmes, in particular based on the [...] maturity/capability levels for policies and practices.
[...] of an Organization: to what extent the corporate policies, procedures, standards and guidelines meet the requirements [...]
[...] actual operational practices satisfy the requirements of the NIST CSF Categories and Sub-Categories, regardless of [...]

After numerous requests, the NIST Privacy Framework can also be added to the tool [...] the NIST Privacy Framework to the tool. The same logic was applied here as on the CSF side: it is as [...] more important to measure what you do (your practices) against what you say you do (your policies) when it comes to cybersecurity and also to privacy, because it is [...]

Instructions:
1) See the 'Níveis de maturidade' (Maturity levels) sheet to understand how to classify each of the controls in the 'Núcleo do NIST CSF' (NIST CSF Core) sheet. There are different meanings of [...] maturity/capability between the Description column and the Practices or Evidence in Processes column of the Maturity Levels.
2) In the 'Núcleo do NIST CSF' sheet, the suggested evidence [...] has already been entered in Column F [...] Current Profile. For a "Desired Profile/State" it was decided to assume that one should reach [...]
The Student will have to fill in Column E, Current Profile, corresponding to the Organization's "Current State" [...]
Further on, the Student must fill in Column K with the type of Solution/Control to be used, which [...] Sub-Category. (See the example for the Asset Management Category.)
3) In the 'Resumo do CSF' (CSF Summary) sheet, the "Current Profile" and "Desired Profile" scores entered as per 2) are reviewed, and the student will have to fill in the "Objective [...]" column [...] column E, which for Study purposes may correspond to the average of the values recorded for the "Current Profile" and the "Desired Profile".
The "Radar" chart is drawn automatically and will in the end correspond to the values of the "Current Profile", "Desired Profile" and "Intermediate Objective" tables, [...]

Change Log
* Feb/28/2022 - Release 2.1 - Corrected cell reference in Privacy Summary tab (E5-E6) which resulted in incorrect calculations and cleaned up references in NIST Summary for consistency.
* [...] Release 2.0. Added [...] reworked formulas [...]re updates.
* [...] Release 1.0. Original [...]
[Summary-sheet residue: a "Maturity Level / Description" table and per-category rows (Mitigation (RS.MI), Analysis (RS.AN), Response Planning (RS.RP), Detection Processes (DE.DP), Maintenance (PR.MA), Protective Technology (PR.PT)) with YES flags and scores; the cell values did not survive extraction.]
Function | Category | Subcategory

IDENTIFY (ID)

Asset Management (ID.AM)
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
ID.GV-1: Organizational cybersecurity policy is established and communicated
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks

Risk Assessment (ID.RA)
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Awareness and Training (PR.AT)
PR.AT-2: Privileged users understand their roles and responsibilities
PR.AT-4: Senior executives understand their roles and responsibilities
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7: The development and testing environment(s) are separate from the production environment
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

Information Protection Processes and Procedures (PR.IP)
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-7: Protection processes are improved
PR.IP-8: Effectiveness of protection technologies is shared
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

Protective Technology (PR.PT)
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-4: Communications and control networks are protected
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations

DETECT (DE)

Anomalies and Events (DE.AE)
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM)
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
RS.RP-1: Response plan is executed during or after an incident

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness

Analysis (RS.AN)
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Informative References | Current Profile | Evidence

· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
Evidence:
• Vulnerability research reports;
• Classification of vulnerabilities by "ease of exploitation" or any other criterion defined by the organization.

· CIS CSC 4
· COBIT 5 BAI08.01
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
Evidence:
• Informal contacts with interest groups are not established.

· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11
Evidence:
• Risk treatment is done ad hoc and not in a systematic way.

· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
Evidence:
• Network diagram indicating segmentation into zones;
• Use of IDS/IPS, firewalls, proxies, WAFs (web application firewalls) and other technological solutions for filtering and blocking data in transit.

· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
Evidence:
• Redundancy of critical systems;
• Adoption of load-balancing solutions.

· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
Evidence:
• Use of filtering technologies and detection of anomalous requests (e.g. firewall, proxy, IDS/IPS);
• Records of staff training/awareness on the detection of anomalies and security events;
• Records of standards and standard procedures for internal reference models.

· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
Evidence:
• Records of security incidents originating from event detection and monitoring;
• Records of security incidents, sufficient for their analysis and handling;
• Records of incidents informing the relevant interested parties.

· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1
Evidence:
• There is informal knowledge in evidence (e.g. through interviews with staff).

· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
Evidence:
• There are records of the guidelines for activating incident management;
• There are records of notifications escalated to incidents.
[Score column residue: every row in this extract carries the value 3.0. Note beside one row: "All 3 apply: people, processes and technologies".]
Document | Link
NIST 800-53 | https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
CIS CSC | https://www.cisecurity.org/controls/
COBIT 5 | http://www.isaca.org/cobit/pages/default.aspx
ISA 62443 (All) | https://www.isa.org/standards-and-publications/isa-standards/find-isa-standards-in-numerical-order/
ISO/IEC 27001 | https://www.iso.org/isoiec-27001-information-security.html
The table below shows the 10 main areas that Fitch identified together with their NIST CSF categories.

Key Cyber Insurance Carrier Policy Requirements | NIST CSF Reference | Fitch Report Sep22
2 IT Security strength and vulnerabilities | ID.RA, DE.CM-8
7 Quality of incident response plan | RS.RP, PR.IP-9, PR.IP-10
10 Penetration testing results and remediation success details | ID.RA-1, PR.IP-7, PR.IP-12

This 'mini-assessment' can help the company identify pre-acquisition risk, as well as provide a basic maturity score across all portfolio companies to begin to meet regulators' needs; however, it should be considered a preliminary assessment result pending a full NIST CSF assessment.

GP: All critical devices, remote access & SaaS access is protected by MFA.
–––
BP: All user access, regardless of origin or destination, is protected by MFA

GP: Vulnerability scans are performed with ‘best effort’ mitigation.
–––
BP: Vulnerabilities are evaluated based on internal risk assessments, and mitigation is prioritized and within expected timelines.

NIST SP 800-53 Rev 5
AC - ACCESS CONTROL
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.