This appendix presents the measures proposed by the ANSSI guides (ANSSI 2013a; ANSSI 2013b). They are defined according to the class of the system (Chapter 6).
Recommendations are prefixed with an R and directives with a D.
A4.1. Organizational measures
A4.1.1. Knowledge of the industrial system
Table A4.1. Recommendations and guidelines for system knowledge
| Theme | Class | Measures |
|---|---|---|
| Roles and responsibilities | C1 | R1 – A cybersecurity chain of responsibility must be put in place. It should cover all systems. R2 – Responsibilities for cybersecurity should be clearly defined for each of the stakeholders, regardless of the aspect concerned (development, integration, operation, maintenance, etc.). |
| | C2 | D3 – R1 is mandatory. D4 – R2 is mandatory. |
| | C3 | D5 – The identity and contact details of the person in charge of the cybersecurity chain of responsibility must be communicated to the cyber defense authority. D6 – The limits of responsibility must be reviewed periodically, at least once a year. |
| Mapping | C1 | R7 – Build a map: |
| | C2 | D8 – Build a map: |
| | C3 | D10 – R9 is mandatory. |
| Risk analysis | C1 | R11 – Carry out a risk analysis for cybersecurity, however brief. |
| | C2 | D12 – Carry out a risk analysis for cybersecurity according to a method chosen by the responsible entity. ... |