Appendix 4 ANSSI Security Measures

This appendix presents the measures proposed by the ANSSI guides (ANSSI 2013a; ANSSI 2013b). Each measure applies according to the class of the system (C1, C2 or C3, as defined in Chapter 6).

Recommendations are prefixed with R and directives with D. A directive is a measure that is mandatory for the class concerned; several directives for higher classes simply make a lower-class recommendation mandatory.

A4.1. Organizational measures

A4.1.1. Knowledge of the industrial system

Table A4.1. Recommendations and directives for system knowledge

Roles and responsibilities
  C1: R1 – A cybersecurity chain of responsibility must be put in place. It should cover all systems.
      R2 – Responsibilities for cybersecurity should be clearly defined for each of the stakeholders, regardless of the aspect concerned (development, integration, operation, maintenance, etc.).
  C2: D3 – R1 is mandatory.
      D4 – R2 is mandatory.
  C3: D5 – The identity and contact details of the person in charge of the cybersecurity chain of responsibility must be communicated to the cyber defense authority.
      D6 – The boundaries of responsibility must be reviewed periodically, at least once a year.

Mapping
  C1: R7 – Build a map:
        • physical;
        • logical (flows);
        • of applications.
  C2: D8 – Build a map:
        • physical;
        • logical (flows);
        • of applications;
        • of the system administration.
      R9 – Review the mapping at least once a year and with each modification.
  C3: D10 – R9 is mandatory.

Risk analysis
  C1: R11 – Carry out a risk analysis for cybersecurity, however brief.
  C2: D12 – Carry out a risk analysis for cybersecurity according to a method chosen by the responsible entity. ...
