GOVERN (GV):
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored
(1) Organizational Context (GV.OC):
The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood
GV.OC-01:
The organizational mission is understood and informs cybersecurity risk management
- Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission
♠ Implementation check
❈ Documents and records
- Mission and vision statements
- Cybersecurity meeting minutes
- Cybersecurity risk assessment
- Risk management plan
❈ Expected results
- The organization has a mission and vision statement, in whatever form
- The cybersecurity risk assessment and risk management plan reflect an understanding of how cybersecurity risk affects the organization’s strategy
- Documents or records such as internal communications, training records, and meeting minutes demonstrate that staff know and understand the organization’s mission and vision
GV.OC-02:
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
- Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
- Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)
♠ Implementation check
❈ Documents and records
- Organization chart
- Cybersecurity job descriptions
- Cybersecurity strategy
- Contracts and agreements
❈ Expected results
- The cybersecurity strategy takes internal and external feedback into account
- Internal job descriptions define cybersecurity performance and risk expectations
- Agreements with external parties (e.g., contracts, service level agreements (SLAs), user agreements) define cybersecurity requirements related to privacy, compliance, ethics, and business needs
GV.OC-03:
Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
- Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
- Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
- Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements
♠ Implementation check
❈ Documents and records
- Compliance management plan
- Assurance and test results
- Supplier management plan
- Cybersecurity strategy
- Contracts and agreements
- Cybersecurity job descriptions
❈ Expected results
- Roles and responsibilities of the legal and compliance functions for cybersecurity are defined
- Relevant legal and regulatory requirements are mapped to elements of the cybersecurity program
- Contracts are reviewed by legal counsel before they are executed
- A formal process exists to monitor and review changes in cybersecurity laws and regulations
- A formal process exists to track and manage contractual cybersecurity requirements
- The cybersecurity strategy is aligned with legal, regulatory, and contractual requirements, with no contradictions between them
- Legal, regulatory, and contractual findings raised in audits or inspections have been resolved
GV.OC-04:
Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
- Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
- Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
- Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)
♠ Implementation check
❈ Documents and records
- Business impact analysis (BIA)
- Business continuity plan
- Contracts and agreements
- Test and exercise plans and records
❈ Expected results
- Critical business functions are identified and documented
- Key metrics (SLA, MTD, RTO, RPO) are identified and set for information systems and software
- Third parties that support critical operations are identified and prioritized
- Business continuity and disaster recovery plans are established and in operation
- Business continuity and disaster recovery plans are validated (e.g., through the tests and exercises recorded above)
GV.OC-05:
Outcomes, capabilities, and services that the organization depends on are understood and communicated
- Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
- Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel
♠ Implementation check
❈ Documents and records
- Business continuity plan
- Supplier management plan
- Incident response plan
- Cybersecurity performance metrics
❈ Expected results
- Key dependencies on critical resources and third parties are identified and documented
- Critical third parties are determined from the business continuity plan (BCP) and the BIA, and appropriate metrics (SLAs, KPIs, etc.) are assigned to them
- The business continuity plan (BCP), incident response plan (IRP), and supplier management plan consider disruptions of third parties at every tier and of every kind, and define methods to mitigate their impact
- The necessary monitoring and auditing of critical third parties is in place