Appendix 4 ANSSI Security Measures
This appendix presents the measures proposed by the ANSSI guides (ANSSI 2013a; ANSSI 2013b). They are defined according to the class of the system (C1, C2 or C3, see Chapter 6); a higher class inherits the measures of the lower classes, and several recommendations become mandatory directives as the class increases.
Recommendations are prefixed with the letter R and directives with the letter D.
A4.1. Organizational measures
A4.1.1. Knowledge of the industrial system
Table A4.1. Recommendations and guidelines for system knowledge
| Topic | Class | Measures |
|---|---|---|
| Roles and responsibilities | C1 | R1 – A cybersecurity chain of responsibility must be put in place. It must cover all systems. R2 – Cybersecurity responsibilities must be clearly defined for each stakeholder, whatever the aspect concerned (development, integration, operation, maintenance, etc.). |
| | C2 | D3 – R1 is mandatory. D4 – R2 is mandatory. |
| | C3 | D5 – The identity and contact details of the person in charge of the cybersecurity chain of responsibility must be communicated to the cyber defense authority. D6 – The limits of responsibility must be reviewed periodically, at least once a year. |
| Mapping | C1 | R7 – Build a map: |
| | C2 | D8 – Build a map: |
| | C3 | D10 – R9 is mandatory. |
| Risk analysis | C1 | R11 – Carry out a cybersecurity risk analysis, however brief. |
| | C2 | D12 – Carry out a cybersecurity risk analysis according to a method chosen by the responsible entity. ... |