Cybersecurity Assessment Guide

The document contains a security risk assessment questionnaire with over 40 questions covering organizational information security, general security, network security, systems security, business continuity/disaster recovery, incident response, and auditing/client reporting. The questions are aimed at assessing a company's security practices and controls.

Uploaded by Manjari Sugunala

CYBER SECURITY ASSESSMENT – RISK ASSESSMENT – NIST FRAMEWORK

Assessment with company services – Public


By: Green Circle for Software Solutions LTD.
(Version 1.1)
Date: Dec 3, 2022
Doc#: GC-Tec-T301-603

GREEN CIRCLE COMPANY (GRCICO) - UNITED KINGDOM - INFO@GRCICO.COM


Table of Contents
1. Assessment Questionnaire .......................................................................................................................... 3
2. Offered Services and Solutions ................................................................................................................. 23
2.1 Advanced Security Operation Center Services ....................................................................................... 23
2.2 Advanced Green Circle Services ............................................................................................................ 25
2.3 Green Circle Security Packages ............................................................................................................. 28
2.4 Green Circle Packages Prices for Partners ............................................................................................. 28

GC Proposals | Confidential
1. Assessment Questionnaire

Security Risk Assessment Questionnaire

Name of Company:

Company's Website:

Contact Person Completing the Assessment:

Email Address:

Phone Number:

Select the appropriate answer from the drop-down in the Response column, and provide a brief description in the Comments section.

Columns: # | Information Security Assessment Questions | Response | Comments | Customer Comments/Questions (this section for Customer use only) | Third Party's Response to Customer Comments/Questions

Organizational Information Security

1. Do you have a member of your company with dedicated information security duties?
2. Is a background check required for all employees accessing and handling the company's data?
3. Does the company have written information security policies?
3.1 If yes, please provide copies when responding to this assessment.
4. Does the company have a written password policy that details the required structure of passwords?
4.1 How do you verify password strength?
5. Do all staff receive information security awareness training?
6. Does the company have a copy of the Customer Data Access Policy, and is it willing to comply with the policies as well as the data protection guidelines?
7. Does the company have a formal change control process for IT changes?
8. Has the company implemented an IT Governance framework such as ITIL or ISO 27001?
9. Will your company be processing credit cards on behalf of Customer?
9.1 If yes, is your company PCI DSS compliant?

General Security

10. Is antivirus software installed on data processing servers?
11. Is antivirus software installed on workstations?
12. Are system and security patches applied to workstations on a routine basis?
13. Are system and security patches applied to servers on a routine basis?
13.1 Are system and security patches tested prior to implementation in the production environment?
14. Do employees have a unique log-in ID when accessing data?
15. Does the company have security measures in place for data protection?
15.1 If yes, please describe in the comments section.
16. Is access restricted to systems that contain sensitive data?
16.1 If yes, what controls are currently in place to restrict access?
17. Is physical access to data processing equipment (servers and network equipment) restricted?
17.1 If yes, what controls are currently in place?
18. Is there a process for secure disposal of both IT equipment and media?
18.1 If yes, please describe in the comments section.

Network Security

19. Are network boundaries protected by firewalls?
20. Is regular network vulnerability scanning performed?
21. Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your company?
21.1 If yes, please describe in the comments section.
22. Are employees required to use a VPN when accessing the company's systems from all remote locations?
23. Is wireless access allowed in your company?
23.1 If yes, please describe how it is protected in the comments section.

Systems Security

24. Are computer systems (servers) backed up according to a regular schedule?
24.1 Has the back-up and recovery process been verified?
24.2 Does the company store backups offsite?
24.3 Does the company encrypt its backups?
25. Does the company replicate data to locations outside of Jordan?
26. Does the company outsource its data storage?
26.1 If yes, to whom is the data outsourced?
27. Is there formal control of access to System Administrator privileges?
28. Are servers configured to capture who accessed a system and what changes were made?
28.1 If no, in case of a security breach, how do you determine who accessed the system and what changes were made?
29. Is there an antivirus solution in use?
29.1 If yes, which features of the AV software are enabled?
30. Is there a PAM solution in use?
31. Is there an MDM solution in use?
32. Is there an EDR solution in use?
33. Is there an IDS/IPS in use?
34. Is there DLP in use?
35. Are cloud security solutions in use?
36. Is there a data encryption solution in use?
37. Is there a SIEM solution in use?
38. Are you performing code security checks periodically or as part of development?

Business Continuity / Disaster Recovery

39. Does the company have disaster recovery plans for data processing facilities?
39.1 What about Business Continuity Plans?
40. Are computer rooms protected against fire and flood?
41. Does the company have a "Hot" recovery site?

Incident Response

42. If an information security breach involving Customer's data occurred, would the Institute be notified of the breach?
42.1 If yes, how soon would the Institute be notified?
43. Does the company have a formal Incident Response plan?
44. Has the company experienced an information security breach in the past three to five years?
44.1 If so, please document what information was lost in the comments section.
44.2 If so, please document how the clients were notified and how quickly in the comments section.

Auditing / Client Reporting

45. Does the company receive an SSAE-16 SOC Report, ISO 27001 Audit Report, Tier III DC Report, NIST, GDPR?
45.1 If so, please document which type of SOC report is being obtained in the comments section. Please provide a copy of the latest SOC report.
45.2 If not, does the company allow clients the right to audit their systems and controls?

Additional Security Questions Specific to the Service Offering(s) Provided by the Vendor

Columns: # | Question | Response | Comments | Reviewer Comments/Questions | Third Party Response to Reviewer Comments/Questions

1. Operational Risk - Based on business process and Org Chart to be provided!
2. Human Related Risks - Redundancy and Backup?
3. Industry Specific Risks - Business process and market analysis! - Interviews required!

NIST Cybersecurity Framework Core (Function / Category / Subcategory / Informative References)

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5

ID.AM-2: Software platforms and applications within the organization are inventoried
· CIS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
· NIST SP 800-53 Rev. 4 CM-8, PM-5

ID.AM-3: Organizational communication and data flows are mapped
· CIS CSC 12
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4: External information systems are catalogued
· CIS CSC 12
· COBIT 5 APO02.02, APO10.04, DSS01.02
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
· CIS CSC 13, 14
· COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
· CIS CSC 17, 19
· COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
· COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
· COBIT 5 APO02.06, APO03.01
· ISO/IEC 27001:2013 Clause 4.1
· NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
· NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
· COBIT 5 APO10.01, BAI04.02, BAI09.02
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
· COBIT 5 BAI03.02, DSS04.02
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational cybersecurity policy is established and communicated
· CIS CSC 19
· COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
· CIS CSC 19
· COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04
· ISA 62443-2-1:2009 4.3.2.3.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
· CIS CSC 19
· COBIT 5 BAI02.01, MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7
· ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5
· NIST SP 800-53 Rev. 4 -1 controls from all security control families

ID.GV-4: Governance and risk management processes address cybersecurity risks
· COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
· ISO/IEC 27001:2013 Clause 6
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
· CIS CSC 4
· COBIT 5 BAI08.01
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16

ID.RA-3: Threats, both internal and external, are identified and documented
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4: Potential business impacts and likelihoods are identified
· CIS CSC 4
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
· CIS CSC 4
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6: Risk responses are identified and prioritized
· CIS CSC 4
· COBIT 5 APO12.05, APO13.02
· ISO/IEC 27001:2013 Clause 6.1.3
· NIST SP 800-53 Rev. 4 PM-4, PM-9

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
· CIS CSC 4
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
· CIS CSC 4
· COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9

ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
· COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
· COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3
· NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
· COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05
· ISA 62443-2-1:2009 4.3.2.6.7
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR 6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
· CIS CSC 1, 5, 15, 16
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11

PR.AC-2: Physical access to assets is managed and protected
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8

PR.AC-3: Remote access is managed
· CIS CSC 12
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
· CIS CSC 3, 5, 12, 14, 15, 16, 18
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.7.3
· ISA 62443-3-3:2013 SR 2.1
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
· CIS CSC 9, 14, 15, 18
· COBIT 5 DSS01.05, DSS05.02
· ISA 62443-2-1:2009 4.3.3.4
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
· CIS CSC 16
· COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1
· ISO/IEC 27001:2013 A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
· CIS CSC 1, 12, 15, 16
· COBIT 5 DSS05.04, DSS05.10, DSS06.10
· ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
· CIS CSC 17, 18
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand their roles and responsibilities
· CIS CSC 5, 17, 18
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
· CIS CSC 17
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16

PR.AT-4: Senior executives understand their roles and responsibilities
· CIS CSC 17, 19
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
· CIS CSC 17
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
· CIS CSC 13, 14
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28

PR.DS-2: Data-in-transit is protected
· CIS CSC 13, 14
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented
· CIS CSC 13
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
· CIS CSC 2, 3
· COBIT 5 APO01.06, BAI06.01, DSS06.02
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
· NIST SP 800-53 Rev. 4 SC-16, SI-7

PR.DS-7: The development and testing environment(s) are separate from the production environment
· CIS CSC 18, 20
· COBIT 5 BAI03.08, BAI07.04
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
· COBIT 5 BAI03.05
· ISA 62443-2-1:2009 4.3.4.4.4
· ISO/IEC 27001:2013 A.11.2.4
· NIST SP 800-53 Rev. 4 SA-10, SI-7

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
· CIS CSC 3, 9, 11
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle to manage systems is implemented
· CIS CSC 18
· COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
· ISA 62443-2-1:2009 4.3.4.3.3
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17

PR.IP-3: Configuration change control processes are in place
· CIS CSC 3, 11
· COBIT 5 BAI01.06, BAI06.01
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4: Backups of information are conducted, maintained, and tested
· CIS CSC 10
· COBIT 5 APO13.01, DSS01.01, DSS04.07
· ISA 62443-2-1:2009 4.3.4.3.9
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18

PR.IP-6: Data is destroyed according to policy
· COBIT 5 BAI09.03, DSS05.06
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6

PR.IP-7: Protection processes are improved
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8: Effectiveness of protection technologies is shared
· COBIT 5 BAI08.04, DSS03.04
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
· CIS CSC 19
· COBIT 5 APO12.06, DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17

PR.IP-10: Response and recovery plans are tested
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
· CIS CSC 5, 16
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
· ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21

PR.IP-12: A vulnerability management plan is developed and implemented
· CIS CSC 4, 18, 20
· COBIT 5 BAI03.10, DSS05.01, DSS05.02
· ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
· COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.7
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
· CIS CSC 3, 5
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
· CIS CSC 1, 3, 5, 6, 14, 15, 16
· COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
· NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy
· CIS CSC 8, 13
· COBIT 5 APO13.01, DSS05.02, DSS05.06
· ISA 62443-3-3:2013 SR 2.3
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
· CIS CSC 3, 11, 14
· COBIT 5 DSS05.02, DSS05.05, DSS06.06
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
· NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected
· CIS CSC 8, 12, 15
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods
· CIS CSC 3, 6, 13, 15
· COBIT 5 DSS05.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3: Event data are collected and correlated from multiple sources and sensors
· CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
· COBIT 5 BAI08.02
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-
4, IR-5, IR-8, SI-4
· CIS CSC 4, 6
· COBIT 5 APO12.06, DSS03.01
DE.AE-4: Impact of
events is determined · ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-
3, SI-4
· CIS CSC 6, 19
· COBIT 5 APO12.06, DSS03.01
DE.AE-5: Incident
alert thresholds are · ISA 62443-2-1:2009 4.2.3.10
established
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
· CIS CSC 1, 7, 8, 12, 13, 15, 16
DE.CM-1: The
· COBIT 5 DSS01.03, DSS03.05,
network is
DSS05.07
monitored to detect
potential · ISA 62443-3-3:2013 SR 6.2
cybersecurity events · NIST SP 800-53 Rev. 4 AC-2, AU-12,
CA-7, CM-3, SC-5, SC-7, SI-4
DE.CM-2: The · COBIT 5 DSS01.04, DSS01.05
physical
· ISA 62443-2-1:2009 4.3.3.3.8
environment is
monitored to detect · ISO/IEC 27001:2013 A.11.1.1, A.11.1.2
potential · NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-
cybersecurity events 6, PE-20
· CIS CSC 5, 7, 14, 16
DE.CM-3: · COBIT 5 DSS05.07
Personnel activity is
Security · ISA 62443-3-3:2013 SR 6.2
monitored to detect
Continuous
potential · ISO/IEC 27001:2013 A.12.4.1, A.12.4.3
Monitoring
cybersecurity events · NIST SP 800-53 Rev. 4 AC-2, AU-12,
(DE.CM): The
information system AU-13, CA-7, CM-10, CM-11
and assets are · CIS CSC 4, 7, 8, 12
monitored to
identify · COBIT 5 DSS05.01
cybersecurity DE.CM-4: · ISA 62443-2-1:2009 4.3.4.3.8
events and verify Malicious code is
detected · ISA 62443-3-3:2013 SR 3.2
the effectiveness of
protective · ISO/IEC 27001:2013 A.12.2.1
measures. · NIST SP 800-53 Rev. 4 SI-3, SI-8
· CIS CSC 7, 8
· COBIT 5 DSS05.01
DE.CM-5:
Unauthorized mobile · ISA 62443-3-3:2013 SR 2.4
code is detected · ISO/IEC 27001:2013 A.12.5.1, A.12.6.2
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-
44
DE.CM-6: External · COBIT 5 APO07.06, APO10.05
service provider
activity is monitored · ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
to detect potential · NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-
cybersecurity events 4, SA-9, SI-4
DE.CM-7: · CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16
Monitoring for · COBIT 5 DSS05.02, DSS05.05

18

GC Proposals | Confidintial
unauthorized · ISO/IEC 27001:2013 A.12.4.1, A.14.2.7,
personnel, A.15.2.1
connections,
devices, and · NIST SP 800-53 Rev. 4 AU-12, CA-7,
software is CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
performed
· CIS CSC 4, 20
· COBIT 5 BAI03.10, DSS05.01
DE.CM-8:
Vulnerability scans · ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
are performed
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
· CIS CSC 19
DE.DP-1: Roles and · COBIT 5 APO01.02, DSS05.01,
responsibilities for DSS06.03
detection are well · ISA 62443-2-1:2009 4.4.3.1
defined to ensure
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
accountability
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-
14
· COBIT 5 DSS06.01, MEA03.03,
MEA03.04
DE.DP-2: Detection
· ISA 62443-2-1:2009 4.4.3.2
activities comply
with all applicable · ISO/IEC 27001:2013 A.18.1.4, A.18.2.2,
requirements A.18.2.3
· NIST SP 800-53 Rev. 4 AC-25, CA-2,
CA-7, SA-18, SI-4, PM-14
Detection · COBIT 5 APO13.02, DSS05.02
Processes
(DE.DP): Detection · ISA 62443-2-1:2009 4.4.3.2
processes and DE.DP-3: Detection · ISA 62443-3-3:2013 SR 3.3
procedures are processes are tested
maintained and · ISO/IEC 27001:2013 A.14.2.8
tested to ensure · NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-
awareness of 3, SI-3, SI-4, PM-14
anomalous events. · CIS CSC 19
· COBIT 5 APO08.04, APO12.06,
DSS02.05
DE.DP-4: Event
detection · ISA 62443-2-1:2009 4.3.4.5.9
information is · ISA 62443-3-3:2013 SR 6.1
communicated
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-
7, RA-5, SI-4
· COBIT 5 APO11.06, APO12.06,
DSS04.05
DE.DP-5: Detection
processes are · ISA 62443-2-1:2009 4.4.3.4
continuously · ISO/IEC 27001:2013 A.16.1.6
improved
· NIST SP 800-53 Rev. 4, CA-2, CA-7, PL-
2, RA-5, SI-4, PM-14
Response Planning · CIS CSC 19
(RS.RP): Response
processes and RS.RP-1: Response · COBIT 5 APO12.06, BAI01.10
procedures are plan is executed · ISA 62443-2-1:2009 4.3.4.5.1
RESPOND (RS)
executed and during or after an
· ISO/IEC 27001:2013 A.16.1.5
maintained, to incident
ensure response to · NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-
detected 4, IR-8
19

GC Proposals | Confidintial
cybersecurity
incidents.
· CIS CSC 19
· COBIT 5 EDM03.02, APO01.02,
RS.CO-1: Personnel APO12.03
know their roles and · ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3,
order of operations 4.3.4.5.4
when a response is · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,
needed A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3,
IR-8
· CIS CSC 19
RS.CO-2: Incidents · COBIT 5 DSS01.03
are reported
· ISA 62443-2-1:2009 4.3.4.5.5
consistent with
established criteria · ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
Communications
(RS.CO): Response · NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
activities are · CIS CSC 19
coordinated with
internal and · COBIT 5 DSS03.04
RS.CO-3:
external Information is · ISA 62443-2-1:2009 4.3.4.5.2
stakeholders (e.g. shared consistent · ISO/IEC 27001:2013 A.16.1.2, Clause
external support with response plans 7.4, Clause 16.1.2
from law
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-
enforcement
2, IR-4, IR-8, PE-6, RA-5, SI-4
agencies).
· CIS CSC 19
RS.CO-4:
· COBIT 5 DSS03.04
Coordination with
stakeholders occurs · ISA 62443-2-1:2009 4.3.4.5.5
consistent with
· ISO/IEC 27001:2013 Clause 7.4
response plans
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RS.CO-5: Voluntary · CIS CSC 19
information sharing
occurs with external · COBIT 5 BAI08.04
stakeholders to · ISO/IEC 27001:2013 A.6.1.4
achieve broader
cybersecurity
situational · NIST SP 800-53 Rev. 4 SI-5, PM-15
awareness
· CIS CSC 4, 6, 8, 19
· COBIT 5 DSS02.04, DSS02.07
RS.AN-1: · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7,
Notifications from 4.3.4.5.8
detection systems · ISA 62443-3-3:2013 SR 6.1
Analysis (RS.AN): are investigated · ISO/IEC 27001:2013 A.12.4.1, A.12.4.3,
Analysis is A.16.1.5
conducted to ensure · NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-
effective response 4, IR-5, PE-6, SI-4
and support · COBIT 5 DSS02.02
recovery activities. RS.AN-2: The · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7,
impact of the 4.3.4.5.8
incident is
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
understood
· NIST SP 800-53 Rev. 4 CP-2, IR-4
RS.AN-3: Forensics · COBIT 5 APO12.06, DSS03.02,
are performed DSS05.07
20

GC Proposals | Confidintial
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR
2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
· CIS CSC 19
RS.AN-4: Incidents · COBIT 5 DSS02.02
are categorized · ISA 62443-2-1:2009 4.3.4.5.6
consistent with
response plans · ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5,
IR-8
RS.AN-5: Processes · CIS CSC 4, 19
are established to
receive, analyze and · COBIT 5 EDM03.02, DSS05.07
respond to
vulnerabilities
disclosed to the
organization from
internal and external · NIST SP 800-53 Rev. 4 SI-5, PM-15
sources (e.g. internal
testing, security
bulletins, or security
researchers)
· CIS CSC 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6
RS.MI-1: Incidents
are contained · ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR
5.4
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
Mitigation
(RS.MI): Activities · NIST SP 800-53 Rev. 4 IR-4
are performed to · CIS CSC 4, 19
prevent expansion
· COBIT 5 APO12.06
of an event,
RS.MI-2: Incidents
mitigate its effects, · ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
are mitigated
and resolve the · ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
incident.
· NIST SP 800-53 Rev. 4 IR-4
RS.MI-3: Newly · CIS CSC 4
identified
· COBIT 5 APO12.06
vulnerabilities are
mitigated or · ISO/IEC 27001:2013 A.12.6.1
documented as · NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-
accepted risks 5
Improvements · COBIT 5 BAI01.13
(RS.IM): RS.IM-1: Response
Organizational · ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
plans incorporate
response activities lessons learned · ISO/IEC 27001:2013 A.16.1.6, Clause 10
are improved by
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
incorporating
lessons learned · COBIT 5 BAI01.13, DSS04.08
from current and RS.IM-2: Response
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
previous strategies are
detection/response updated
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
activities.
Recovery Planning RC.RP-1: Recovery · CIS CSC 10
RECOVER (RC) (RC.RP): Recovery plan is executed · COBIT 5 APO12.06, DSS02.05,
processes and during or after a DSS03.04
21

GC Proposals | Confidintial
procedures are cybersecurity · ISO/IEC 27001:2013 A.16.1.5
executed and incident
maintained to
ensure restoration
of systems or assets · NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
affected by
cybersecurity
incidents.
· COBIT 5 APO12.06, BAI05.07,
Improvements DSS04.08
RC.IM-1: Recovery
(RC.IM): Recovery plans incorporate · ISA 62443-2-1:2009 4.4.3.4
planning and lessons learned · ISO/IEC 27001:2013 A.16.1.6, Clause 10
processes are
improved by · NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
incorporating · COBIT 5 APO12.06, BAI07.08
lessons learned into RC.IM-2: Recovery
future activities. strategies are · ISO/IEC 27001:2013 A.16.1.6, Clause 10
updated
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Communications RC.CO-1: Public · COBIT 5 EDM03.02
(RC.CO): relations are
Restoration managed · ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
activities are RC.CO-2: · COBIT 5 MEA03.02
coordinated with Reputation is
internal and repaired after an · ISO/IEC 27001:2013 Clause 7.4
external parties incident
(e.g. coordinating RC.CO-3: Recovery · COBIT 5 APO12.06
centers, Internet activities are
Service Providers, communicated to · ISO/IEC 27001:2013 Clause 7.4
owners of attacking internal and external
systems, victims, stakeholders as well
· NIST SP 800-53 Rev. 4 CP-2, IR-4
other CSIRTs, and as executive and
vendors). management teams

22

GC Proposals | Confidintial
2. Offered Service and Solutions

2.1 Advanced Security Operation Center Services

The modern cybersecurity threat landscape is constantly evolving, and new vulnerabilities and zero-day
attacks are discovered every day. We use an integrated approach that combines knowledge-building
capabilities with advanced attack analysis and prediction techniques built on AI and deep learning (DL).
Mitigating modern cyber threats requires solutions for continuous training, monitoring, correlation, and
behavior analysis that are expensive and take a significant amount of time to implement.
Moreover, many organizations struggle to hire and retain the expensive security experts needed to
operate those solutions and provide value by defending the organization.

A. Security Analytics

The Green Circle Security Analytics service is used to collect, aggregate, index and analyze security data,
helping organizations detect intrusions, threats and behavioral anomalies.
As cyber threats become more sophisticated, real-time monitoring and security analysis are
needed for fast threat detection and remediation. That is why our lightweight agent provides the
necessary monitoring and response capabilities, while our server component provides the security
intelligence and performs the data analysis.

B. Intrusion Detection

Green Circle agents scan the monitored systems looking for malware, rootkits and suspicious
anomalies. They can detect hidden files, cloaked processes or unregistered network listeners, as
well as inconsistencies in system call responses.
In addition to agent capabilities, the server component uses a signature-based approach to intrusion
detection, using its regular expression engine to analyze collected log data and look for indicators
of compromise.

C. SIEM & Log Data Analysis

Green Circle agents read operating system and application logs, and securely forward them to a
central manager for rule-based analysis and storage.
Our rules help make you aware of application or system errors, misconfigurations, attempted
and/or successful malicious activities, policy violations and a variety of other security and
operational issues.
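To make the intrusion detection and log analysis described in sections B and C concrete, here is an added example (written for this page, not Green Circle's own code) of a minimal signature-based rule engine: syslog lines are parsed, each message is matched against regular-expression rules, and a frequency rule correlates repeated matches from the same source within a time window, which is how a single-line "authentication failure" signature becomes a higher-severity "brute force" alert. The log lines, rule ids (1001 to 1004) and severity levels are constructed for the demonstration; the source addresses are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events in classic syslog layout. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real hosts.
SAMPLE_LOGS = """\
Jan 10 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 10 10:00:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jan 10 10:00:05 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 10 10:00:06 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jan 10 10:00:08 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 10:00:40 web01 sshd[2130]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Jan 10 10:01:02 web01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 10:02:15 web01 sshd[2140]: Failed password for alice from 198.51.100.4 port 40000 ssh2
"""

# Decoder: splits a syslog line into timestamp, host, program and message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    pattern: re.Pattern
    # Frequency rules fire only when `frequency` matches share one srcip within `timeframe`
    frequency: int = 0
    timeframe: timedelta = timedelta(0)


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    srcip: Optional[str]
    timestamp: datetime


# Constructed rule set (ids and levels are illustrative, not a product's rule base)
RULES = [
    Rule(1001, 5, "sshd: authentication failure", FAILED_RE),
    Rule(1002, 10, "sshd: repeated failures from one source (possible brute force)",
         FAILED_RE, frequency=5, timeframe=timedelta(seconds=60)),
    Rule(1003, 7, "sshd: interactive root login accepted",
         re.compile(r"Accepted password for root from (?P<srcip>\S+)")),
    Rule(1004, 8, "sudo: sensitive file read with root privileges",
         re.compile(r"USER=root ; COMMAND=\S+ /etc/shadow")),
]


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Return the decoded fields of one syslog line, or None if it does not parse.
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def analyze(lines) -> list:
    """Run every rule over every parseable line and return the alerts raised."""
    alerts = []
    windows = defaultdict(deque)  # (rule_id, srcip) -> timestamps of recent matches
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # a production engine would count unparseable lines as well
        for rule in RULES:
            m = rule.pattern.search(ev["msg"])
            if not m:
                continue
            srcip = m.groupdict().get("srcip")
            if rule.frequency == 0:
                alerts.append(Alert(rule.rule_id, rule.level, rule.description, srcip, ev["ts"]))
                continue
            win = windows[(rule.rule_id, srcip)]
            win.append(ev["ts"])
            while win and ev["ts"] - win[0] > rule.timeframe:
                win.popleft()  # drop matches that fell out of the time window
            if len(win) >= rule.frequency:
                alerts.append(Alert(rule.rule_id, rule.level, rule.description, srcip, ev["ts"]))
                win.clear()  # one burst produces one correlated alert
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{a.timestamp:%H:%M:%S} level={a.level:2d} rule={a.rule_id} src={a.srcip} {a.description}")
```

On the sample input the five failures from 203.0.113.7 within eight seconds raise the level-10 correlated alert once, while the single failure from 198.51.100.4 only raises the level-5 signature alert; that distinction between a raw signature hit and a correlated event is what a SIEM rule base is for.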

D. File Integrity Monitoring

We monitor the file system, identifying changes in content, permissions, ownership, and attributes
of files that you need to keep an eye on. In addition, the service natively identifies the users and
applications used to create or modify files.
File integrity monitoring capabilities can be used in combination with threat intelligence to
identify threats or compromised hosts. In addition, several regulatory compliance standards, such
as ISO 27001, PCI DSS, NIST and SOC 2, require it.
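The file integrity monitoring described above reduces to two steps: take a baseline of content hashes and metadata, then diff a later snapshot against it. The following added example (not Green Circle's code) implements that in Python over a constructed directory tree, reporting added, deleted and modified files and, for modified files, exactly which of content, size, permissions or ownership changed. Ownership (uid/gid) is tracked but not exercised in the demo because changing it needs root.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Attributes compared between snapshots (a fuller FIM also tracks mtime, inode, xattrs)
WATCHED_ATTRS = ("sha256", "size", "mode", "uid", "gid")


def file_state(path: Path) -> dict:
    """Hash the content and record the metadata of one regular file."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its state."""
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            state[p.relative_to(root).as_posix()] = file_state(p)
    return state


def diff(baseline: dict, current: dict) -> list:
    """Return (path, event, details) tuples for added, deleted and modified files.
    For modified files, details maps each changed attribute to (old, new)."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append((rel, "added", current[rel]))
        elif rel not in current:
            events.append((rel, "deleted", baseline[rel]))
        else:
            changed = {k: (baseline[rel][k], current[rel][k])
                       for k in WATCHED_ATTRS if baseline[rel][k] != current[rel][k]}
            if changed:
                events.append((rel, "modified", changed))
    return events


def demo() -> list:
    """Constructed scenario: baseline a fake etc/ tree, change it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        passwd = etc / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        passwd.chmod(0o644)
        hosts = etc / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        hosts.chmod(0o644)

        baseline = snapshot(root)

        # The kinds of change a defender wants flagged: content edited,
        # permissions loosened, and a new file dropped into a watched directory.
        with passwd.open("a") as fh:
            fh.write("svc:x:1001:1001::/var/svc:/bin/sh\n")
        hosts.chmod(0o666)  # now world-writable
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "job").write_text("*/5 * * * * root /usr/local/bin/job\n")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for path, event, details in demo():
        print(f"{event:8s} {path}: {details}")
```

Hashing the content rather than trusting mtime is what makes the check robust against an edit that restores the timestamp, and reporting the permission bits separately is what surfaces the world-writable hosts file even though its content is unchanged.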

E. Vulnerability & Penetration Testing

Our VAPT service delivers an infrastructure vulnerability assessment and penetration test aiming
to identify security issues resulting from insecure development practices in the design, coding,
configuration and publishing of software or websites.
In addition, our agents pull software inventory data and send this information to the server,
where it is correlated with continuously updated CVE (Common Vulnerabilities and Exposures)
databases in order to identify well-known vulnerable software.
Automated vulnerability assessment helps you find the weak spots in your critical assets and take
corrective action before attackers exploit them to sabotage your business or steal confidential data.
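The inventory-to-CVE correlation mentioned above is essentially a version-range match. This added example (not Green Circle's code) shows the core of it in Python: a constructed software inventory is matched against a constructed vulnerability feed that uses the NVD-style range fields versionStartIncluding, versionStartExcluding, versionEndIncluding and versionEndExcluding. The CVE identifiers (CVE-0000-000N) and ranges are placeholders invented for the demonstration, not real advisories; the version comparison pads dotted versions so that 1.2 and 1.2.0 compare equal and 1.10 sorts after 1.9.

```python
import re
from collections import defaultdict

# Constructed inventory, as an agent would report it (package name + version)
INVENTORY = [
    {"name": "nginx", "version": "1.18.0"},
    {"name": "openssh", "version": "8.9"},
    {"name": "curl", "version": "7.81.0"},
    {"name": "sudo", "version": "1.9.5"},
]

# Constructed feed with NVD-style range fields. Ids are placeholders, not real CVEs.
CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "nginx", "cvss": 7.5,
     "versionStartIncluding": "1.3.9", "versionEndExcluding": "1.19.0"},
    {"id": "CVE-0000-0002", "product": "sudo", "cvss": 9.8,
     "versionStartIncluding": "1.8.2", "versionEndExcluding": "1.9.6"},
    {"id": "CVE-0000-0003", "product": "curl", "cvss": 5.3,
     "versionStartIncluding": "7.84.0", "versionEndExcluding": "7.88.0"},
    {"id": "CVE-0000-0004", "product": "openssh", "cvss": 6.5,
     "versionEndExcluding": "8.0"},
    {"id": "CVE-0000-0005", "product": "nginx", "cvss": 4.3,
     "versionEndIncluding": "1.18.0"},
]


def parse_version(v: str) -> tuple:
    """'1.18.0' -> (1, 18, 0). Assumes dotted numeric versions; letters are ignored,
    which is not adequate for schemes such as OpenSSL's 1.1.1k."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic comparator; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, rec: dict) -> bool:
    """Apply whichever of the four NVD range bounds the record carries."""
    if "versionStartIncluding" in rec and compare(version, rec["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in rec and compare(version, rec["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in rec and compare(version, rec["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in rec and compare(version, rec["versionEndExcluding"]) >= 0:
        return False
    return True


def correlate(inventory: list, feed: list) -> list:
    """Return findings (package, version, cve, cvss) sorted by severity, highest first."""
    by_product = defaultdict(list)
    for rec in feed:
        by_product[rec["product"]].append(rec)
    findings = []
    for pkg in inventory:
        for rec in by_product.get(pkg["name"], []):
            if is_affected(pkg["version"], rec):
                findings.append({"package": pkg["name"], "version": pkg["version"],
                                 "cve": rec["id"], "cvss": rec["cvss"]})
    findings.sort(key=lambda f: (-f["cvss"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in correlate(INVENTORY, CVE_FEED):
        print(f"{f['cvss']:4.1f} {f['cve']} {f['package']} {f['version']}")
```

Real feeds match on a full CPE (vendor, product, target platform) rather than a bare package name, and distribution packages often backport fixes without bumping the upstream version, so a production scanner also consults the distribution's own security advisories before reporting a match as confirmed.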

F. Configuration Assessment and Hardening

We monitor system and application configuration settings to ensure they are compliant with your
security policies, standards and/or hardening guides. Agents perform periodic scans to detect
applications that are known to be vulnerable, unpatched, or insecurely configured.
Additionally, configuration checks can be customized, tailoring them to properly align with your
organization. Alerts include recommendations for better configuration, references and mapping
with regulatory compliance.

G. Endpoint Detection and Response

We provide a full Endpoint Detection and Response solution on the targeted IT infrastructure for the
identification of anomalous behavior, identification of breaches, risk assessment, and further forensic
investigation, with response capabilities to mitigate the discovered threats. Green Circle will then
manage and monitor the solution and send a weekly monitoring report.

H. Email Security

Email security refers to the collective measures used to secure the access and content of an email
account or service. It allows an individual or organization to protect the overall access to one or more
email addresses/accounts.
Green Circle implements email security to secure customer email accounts and data from hackers - at
rest and in transit.

I. Incident Response

We provide out-of-the-box active responses that perform various countermeasures to address active
threats, such as blocking access to a system from the threat source when certain criteria are met.
In addition, the solution can be used to remotely run commands or system queries, identifying indicators of
compromise (IOCs) and helping perform other live forensics or incident response tasks.

J. Threat Intelligence

Green Circle will deliver a system that will aid government agencies and other organizations in the
prediction and attribution of cyber-attack infrastructure. The system will:

▪ Enable government agencies, financial institutions, ISPs, and the enterprise to understand
how the adversary acquires infrastructure and prepares networks to launch.
▪ Protect the aforementioned entities months before the actual cyber-attack is launched.
▪ Attribute these attacks to the groups behind them. This can be done by tracking the patterns
that these groups follow in acquiring infrastructure and launching attacks.
▪ Aid law enforcement in identifying and taking down these threat actors.

K. Awareness Service

Security Training and Awareness service provides employees at all levels with relevant security
information and training to lessen the number of security incidents. Green Circle can provide
training and support in the following areas:
▪ Generalized Security and Awareness
▪ Customized Security Awareness and Training for unique requirements
▪ Our Awareness Service: Phishing, Smishing, and Vishing

2.2 Advanced Green Circle Services

A. Cyber Testing

1. Penetration Testing (Web, Network, Apps, and Code security review).

Green Circle offers complete penetration testing designed to identify system vulnerabilities, validate
existing security measures and provide a detailed remediation roadmap.
Our team, equipped with the latest tools and industry-specific test scenarios, is ready to deliver a
thorough checkup to pinpoint system vulnerabilities, as well as flaws in applications, services and operating
systems, loopholes in configurations, and potentially dangerous non-compliance with security policies.

Grcico performs the following types of penetration test:

▪ Network services test.
▪ Web application security test.
▪ Client-side security test.
▪ Remote access security test.
▪ Social engineering test.
▪ Physical security test.

We apply 3 recognized penetration testing methods:

▪ Black Box testing (external testing).
▪ White Box testing (internal testing).
▪ Grey Box testing (combination of both above-mentioned types).

2. Vulnerability Management

Grcico allows you to identify and manage both internal and external threats, report risks, and be
compliant with current and future regulations. It gives you visibility into shadow IT - to map your full
attack surface and respond to critical vulnerabilities associated with cyber threats.

3. RED Team

Don’t wait until a real-world cybercriminal attacks to find the gaps in your security controls. Grcico’s
Red Team services let you perform a “live fire” Red Team cyber security test to identify (and fix) holes
in your defense—before malicious actors expose them for you.
Grcico’s Red Team security services will execute and/or simulate an attack against your organization,
showing you exactly how your people and security team will perform under pressure when it comes to
protecting your organization’s data.

B. Cyber Consulting

1. Risk Assessment

Putting cyber security measures in place without understanding or testing their efficacy immediately
undermines the strength of your security. Performing a complete technology assessment that is tried
and true involves Infrastructure Penetration Testing, Social Engineering reviews & Compliance
assessments. Grcico’s Risk Assessment provides a systematic method for testing risks and uncovering
vulnerabilities, approaching each level of the system from software to hardware to personnel to
management. This can include:
▪ Business process mapping
▪ Information classification policy assessment
▪ Data protection & retention strategy assessment
▪ Incident response process assessment
▪ Business continuity strategy assessment
▪ HR processes assessment
▪ Change management process assessment
▪ Training & development plan assessment

2. SOC Architecture

Grcico’s SOC Architecture team is ready to bring its expertise from years of designing mobile,
automotive, networking, and IoT SOCs to your unique design.

3. Threat Modeling

Our threat modeling service builds a full capabilities matrix for identifying risk categories and impact,
with detailed steps on how to increase your ability to identify and mitigate risk. We also provide a
cloud-based risk scoring tool that keeps you updated with a continuous risk score.

4. Security Maturity Model and Risk scoring

To ensure security, we identified four domains that affect security in an organization, namely
organizational governance, organizational culture, the architecture of the systems, and service
management. This model is proposed as an information security maturity model (ISMM) and is
intended as a tool to evaluate the ability of organizations to meet their security objectives.

C. Cyber Compliance Services

1. GRC Architecture

We help simplify your Governance, Risk and Compliance (GRC) matters by providing expert people and
proven processes to build your GRC framework and architecture.

2. ISO 27001 – 27701

Information security management does not stop at certification. ISO/IEC 27001 can grow with your
business, providing a proven framework for any business, regardless of industry, making sure your
information stays secure no matter how much it changes and as new security threats emerge.
Grcico's solutions enable organizations to continually improve their ISO/IEC 27001 management system
to stay ahead.

3. General Data Protection Regulations - GDPR

Organizations need to prove they are secure to compete within the global marketplace. In today’s world,
it’s not enough to just claim you are secure; potential clients, business partners and boardrooms want
proof. With Grcico Security as your trusted partner, achieving and maintaining GDPR certification year
over year is a guaranteed reality. Clients who work with us benefit from significantly enhanced security
postures and the ability to demonstrate them to their key stakeholders, including business-critical
customers.

4. PCI-DSS, PCI-PA

Grcico provides PCI-DSS compliance assessment for your organization, starting from the initial PCI DSS
readiness assessment through to the issuance of the final PCI compliance report by a Qualified Security
Assessor (QSA).

We provide the following services under our PCI-DSS assessment:

▪ PCI-DSS Scoping and Gap Assessment
▪ Risk Assessment and Policies and Procedures Review
▪ Advisory services and guidance on implementing recommendations
▪ ASV Scans
▪ Advisory services and guidance on solution implementation
▪ Final Review and Certification Audit
▪ Post-implementation support in maintaining the PCI-DSS certification

Alongside PCI-DSS, Grcico will assist organizations in obtaining PA-DSS compliance for their
payment applications.

5. NIST and Saudi ECC standards

As the largest pure-play cyber security solutions provider, Grcico offers the most comprehensive suite
of security services and solutions in the market. To improve compliance with NIST risk management
recommendations, we employ a business-aligned approach to compliance, risk and security that helps
organizations streamline efforts and get more from their compliance programs.

We offer comprehensive services to plan, build and run successful NIST security programs.

▪ Plan. Our services include information security risk management, security risk assessments
and risk controls gap assessments that provide greater visibility into the strengths and
weaknesses of existing systems and approaches.
▪ Build. We help organizations build stronger compliance programs by providing security
maturity assessments, assessing and developing policies, and implementing technology to
automate management of enterprise governance, risk and compliance (GRC) programs.
▪ Run. We provide third-party risk management consulting, data-centric risk consulting and IT
staffing services to assist with day-to-day execution of compliance programs.
2.3 Green Circle Security Packages

To deliver security in an easy way, with integrated solutions and services that achieve compliance with
minimum time, budget and operations, Grcico developed a new approach that lets you easily manage your
security, apply policies and procedures, and have 24/7 visibility without having to deal with tens of vendors.

▪ Green Apple: Monitored Package
▪ Green Grape: Managed Package
▪ Green Kiwi: Advanced Managed Package

2.4 Green Circle Packages Prices for Partners

Secure Workplace is a secure remote working solution offered for the special work requirements of COVID-19.
This solution provides your users with a simple and secure digital working environment. Automated
processes such as software distribution or license allocation will make your IT faster. A user-friendly
service catalog and end-to-end service processes make your users more productive.

Today's location-independent workers want future-ready, self-service digital workspaces. Therefore,
they need authenticated access to workspaces across the world, whether physical, virtual or mobile.

Green Circle delivers to these needs by deploying and managing workspaces through a holistic,
integrated, and automated solution. Customers worldwide thus benefit from a noticeably less burdened
IT, cost savings and significantly more productive users.

With this package you gain the following:
▪ Enhance your employee productivity.
▪ Improve the employee working experience.
▪ Reduce the burden of your IT team.

Contact: info@grcico.com
