Review of the Victoria Police Security Incident Management Framework and Practices
Report of findings and recommendations
Issued January 2017
Unclassified
Published by the Commissioner for Privacy and Data Protection PO Box 24014 Melbourne Victoria 3001
January 2017
Also published on: http://www.cpdp.vic.gov.au
DOCUMENT DETAILS
Security Classification: UNCLASSIFIED
Dissemination Limiting Marker: Nil
Dissemination Instructions: For public release
Issue Date: January 2017
Document Status: Final
Authority: Office of the Commissioner for Privacy and Data Protection
Author: Projects and Operations
Contents
1 Introduction ..... 9
2 Review purpose and methodology ..... 10
2.1 Review purpose ..... 10
2.2 Review methodology ..... 11
3 Findings ..... 12
3.1 Fragmented documentation exists for security incident management and practices ..... 12
3.2 Security incident awareness and reporting is inconsistent and ineffective ..... 14
3.3 Limited visibility, and definition, of the link between security incidents and risks ..... 16
3.4 Security incident roles and responsibilities are not well defined or understood ..... 18
3.5 Victoria Police does not have an effective or authorised SIMF in place ..... 19
4 Recommendations ..... 20
5 Management Action Plan ..... 21
6 Appendices ..... 22
Appendix A – Security Incident Management Framework ..... 22
Appendix B – Capability Maturity Model ..... 47
1 Introduction
The Office of the Commissioner for Privacy and Data Protection (CPDP) engaged KPMG to conduct a review of the Victoria Police Security Incident Management Framework for the protection of law enforcement data, including a critical assessment of organisational security incident management practices.1
Security Incident Management is a process ‘aimed at minimising the immediate and long-term business impact of incidents’2. Victoria Police faces a broad range of security threats and vulnerabilities requiring constant identification, assessment and management – and a response proportionate to the risk.
An adequate response will take into account the nature, scope and severity of an incident, and will be, importantly, dependent on an organisation’s risk appetite. The ability to implement pre-planned, comprehensive, well-rehearsed, and repeatable security incident management practices proportionate to this risk appetite is key.
With this in mind, the review identified a ‘consistent set of factors to be considered by [Victoria Police] when determining its approach to the management of security incidents’3 – a framework for best practice security incident management.
1 Reviews of Victoria Police Security Incident Management have previously been conducted by CPDP in November 2008 and December 2010.
2 Security Incident Management: Good Practice Guide (2015). Centre for the Protection of National Infrastructure, National Technical Authority for Information Assurance. p.1. Document accessed from https://www.ncsc.gov.uk/content/files/guidance_files/Security%20Incident%20Management%20(Good%20Practice%20Guide%2024)_1.2_0.pdf. Site accessed 2 December 2016.
3 Security Incident Management (2015). p.4.
2 Review purpose and methodology
2.1 Review purpose
The review aimed to determine the extent to which Victoria Police has implemented an effective Security Incident Management Framework.
A Security Incident Management Framework (SIMF) (Appendix A) has been developed by CPDP as both an operational and strategic platform to support and underpin the objectives of an effective incident management framework in general, with the document having the capability to be tailored as required to individual needs of an organisation. The SIMF is expected to be a primary control reference within the Victorian Protective Data Security Standards (VPDSS).4
KPMG was also tasked with validating the SIMF against benchmark national and international standards. CPDP considered that a validated SIMF would provide a sound basis for assessing current Victoria Police security incident management and practices.
The SIMF models controls, and control objectives, across the four phases of the security incident lifecycle being:
• Preparation – effective incident response capability through planning and preparation
• Detection – capability to assess events and identify incidents
• Handling – capability to respond to identified incidents in a timely manner
• Prevention – capability to reduce the business impact of a security incident and to prevent incidents from re-occurring.
Victoria Police have obligations regarding effective security incident management under the Standards for Law Enforcement Data Security (SLEDS), specifically Standards 32 and 33, Security Incident Management. Effective security incident management objectives are explicitly stated, being:
• Standard 32 objective - To allow timely and corrective action to be taken in the event of an information security incident in order to protect law enforcement data and reduce the impact and likelihood of damage caused by the failure of information security controls; and
• Standard 33 objective - To ensure feedback on incidents and that information security incident management procedures can be continually improved so that future incidents are better managed.5
The SLEDS are authorised under the Privacy and Data Protection Act 2014 and are binding on Victoria Police.
4 Victorian Protective Data Security Standards. Standard Seven – Security Incident Management. Accessed from www.cpdp.vic.gov.au.
5 Standards for Law Enforcement Data Security (SLEDS) 2014. Security Incident Management, Standards 32 and 33. Accessed from www.cpdp.vic.gov.au.
2.2 Review methodology
The review undertook an assessment of the following components impacting on, or influencing, security incident management and practices within Victoria Police. These components included:
• all relevant Victoria Police security incident management policies and guidelines
• overarching governing legislation and standards (e.g. SLEDS and the Australian Government Protective Security Policy Framework)
• current Victoria Police governance arrangements and statements of strategic direction
• Victoria Police security incident subject matter expertise
• current Victoria Police security incident lifecycle across preparation, detection, handling and prevention within all security domains (physical, personnel, information and ICT).
The review included:
• stakeholder consultations within Victoria Police
• consultations with, and document review of, other jurisdictions (United Kingdom, New Zealand and South Australia)
• a sample assessment of Victoria Police security incidents
• attendance at a Victoria Police i-SAG6 meeting
• a high-level review of the SIMF against national and international benchmark standards
• a capability maturity assessment (Appendix B) of Victoria Police’s information security management and practices against the security incident lifecycle phases.
6 Information Security Assessment Group.
3 Findings
Overall, KPMG provided a maturity assessment of Victoria Police information security incident management and practices as ‘Repeatable’, meaning that the process is documented sufficiently such that repeating the same steps may be attempted.7
The assessment by KPMG also delivered a series of detailed observations and findings. CPDP and Victoria Police evaluated KPMG’s assessment, and identified and agreed upon five high-level findings fundamental to improving security incident management and practices within Victoria Police.
These findings form the basis of the recommendations made in this report.
For the sake of completeness, the report also recommends that Victoria Police adopt and implement the SIMF in order that Victoria Police’s security incident management and practices be aligned with those of the wider Victorian public sector as implementation of the VPDSS takes place.
To further support this recommendation, the review has linked each finding to the relevant Standard for Law Enforcement Data Security, and also mapped against the corresponding Standard/s within the Victorian Protective Data Security Framework (VPDSF).8 The mapping highlights the relevance of the findings against what is currently expected under the SLEDS, and their ongoing applicability to information security incident management under the VPDSF.
3.1 Fragmented documentation exists for security incident management and practices
SLEDS – Std 1; VPDSF – Std 3, 7
Good security incident management documentation underpins an organisation’s ability to safeguard its assets through supporting and maintaining the development of:
• strong governance arrangements
• effective risk management processes
• a positive security culture amongst staff
• business objectives including business continuity
• opportunities for continuous improvement.
Without comprehensive and effective documentation, these capabilities can become eroded and ineffectual.
Documentation should be concise and aim to provide clear direction. It should also provide a basis for training in security awareness and for reinforcing and measuring compliance with policy and legislation. Furthermore, new or altered policies and procedures need to be communicated to all employees to ensure they are properly implemented.
The review identified fragmented information security documentation across organisational and station-level policy and process, with no single document providing a comprehensive overview of the Victoria Police information security incident management process. The review also highlighted complex, lengthy, and often duplicated, documentation, with different documents seeking to establish different security incident management roles and responsibilities. The result is that the primary source of advice and guidance is often obfuscated. This finding is supported by site inspections of Victoria Police facilities undertaken by CPDP where employees frequently reported that it is difficult to ‘see the wood from the trees’ with regards to policy and process documentation.
7 It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained in times of stress.
8 This mapping is one way (SLEDS to VPDSF) as the SLEDS are the current regulatory requirement for Victoria Police pending their transition to the VPDSF in 2017.
The review reinforced that fragmentation of documents presents a significant risk to effective communication of, and compliance with, information security management processes and obligations. For example, discussion of reporting processes and associated roles (see Finding 3.2) is duplicated across several organisational policy documents. In addition, many documents reviewed have not been updated for several years, with a number dating back to 2011.
Multiple contesting documents also create the potential for issues with consistency when roles and responsibilities are changed (refer to Finding 3.4).
CPDP notes the advice from Victoria Police that organisational policy (the Victoria Police Manual or VPM) is currently undergoing significant review, including restructure, driven by employee confusion around the application of, and adherence to, Policy (VPM-P) and Guidance (VPM-G) material. It is also relevant to highlight that the Information Management, Standards and Security Division (IMSSD), the primary specialist information security capability within Victoria Police, does not drive the layout of the VPM. As such, the review observed that IMSSD change-management around information security policy and operating procedure functions in a difficult environment driven by organisational bureaucracy (including difficulty in influencing decision-making), and resource constraints (time, personnel and financial).
Through the review process, Victoria Police advised that organisational policy is both slow to change and to implement. Whilst recognising these difficulties, Victoria Police need to develop a more agile and responsive approach to security incident management. However, IMSSD have the potential to drive change at the frontline through the provision of primary, authoritative, and easily accessible guidance documentation.
Recommendation One
That Victoria Police review, validate, and update security incident management policies ensuring they are simplified, integrated and communicated to all stakeholders.
3.2 Security incident awareness and reporting is inconsistent and ineffective
SLEDS – Std 7; VPDSF – Std 6, 7
Promoting a strong security awareness and learning culture is essential to supporting and encouraging the reporting of security incidents. This, in turn, facilitates the capture of sufficient and robust data and the identification of root causes of problems. Aligning closely with other key findings of this report, effective security incident awareness is linked to the need for good documentation, clear and defined roles and responsibilities, and effective risk management – as well as the crucial role of training and education. The central outcome from improved awareness and reporting is the ability to feed ‘lessons learnt’ back into the prevention phase / focus of the security incident lifecycle, and promote continuous improvement.
The review highlights low organisational awareness around information security incident detection and reporting, whilst noting positive signs of progress. Pivotal to opportunities for improvement is a communication strategy focussed on simple messaging and engagement across:
• information security risks (refer to Finding 3.3)
• security incident management reporting obligations, and
• the security incident notification process.
The review found that IMSSD require access to a specialist communications and organisational change capability to support the Division’s wider educative function. Analysis of the CPDP longitudinal survey9 data against the Victoria Police Cultural Change project highlighted an inability to correlate positive change markers within the data to tangible programs and projects.
This finding is consistent with CPDP site inspections and the data from the CPDP longitudinal survey. Victoria Police employees indicate confusion around what constitutes an information security incident (such as the potential for an incident to occur, as distinct from an actual incident having occurred), with the threshold for reporting being unclear due to the self-assessment of intent (intentional or unintentional, indications of malfeasance or criminality, etc.). If there is any confusion around reporting, employees are less likely to appreciate risk; and with no appreciation of risk, it is likely that less reporting will be initiated (see Finding 3.3).
Force-wide information security training programs and awareness campaigns are undertaken by IMSSD; however, they are dependent on resource capacity and also on any incident catalyst (i.e. a primary focus resulting from a serious incident, or an identified thematic pattern or incident trend). CPDP notes that the Victoria Police Security Incident Registry (SIR) undertakes reactive / remediation training after an incident has occurred. These activities are an integral part of a Plan, Do, Check, Act continuous improvement lifecycle model.
However, security incident training programs only form part of a wider and diverse organisational training schedule attempting to manage competing demands, expectations and deliverables. With Information Management and Information Security (IM&IS) now forming part of the Victoria Police ‘CompStat’ process, requirements for Stations, Police Service Areas (PSAs) and Regions to report against and meet IM&IS expectations appear to be increasing faster than organisational awareness and acceptance of best-practice information security.
However, improvements to organisational awareness are being attempted. IMSSD are currently undertaking an ongoing project around cultural change that includes program initiatives such as the roll-out of the IM&IS portfolio holders, and dedicated, mandatory online information security training. The review highlights that the active promotion of a culture of incident reporting is contributing positively to overall levels of information security awareness, including a growing trend of incident reporting by members. However, there is scope for Victoria Police to continue to strengthen awareness across the organisation, as consultation participants commonly considered that it was the lack of awareness, rather than a cultural reluctance to report, that constituted the primary barrier to more effective incident identification and reporting.
9 CPDP longitudinal survey of Victoria Police information security culture and practices 2012-2016
The review emphasises the importance of a strong, centralised approach to information security awareness training to ensure consistency in content and delivery. While IMSSD have developed, and continue to develop, a number of tools to support information security incident management, there is a requirement to maintain the focus on training including the development of a comprehensive, varied, and innovative suite of initiatives.
Recommendation Two
That Victoria Police undertake force-wide Security Incident Management training focusing on:
• what constitutes a security incident
• what are members’ reporting obligations
• the reporting process.
3.3 Limited visibility, and definition, of the link between security incidents and risks
SLEDS – Std 31, 33; VPDSF – Std 2, 7
Risk management is ‘a logical and systematic process of identifying, prioritising, treating, communicating and monitoring events that may prohibit an organisation from achieving its objectives […]’.10 A comprehensive and effective risk management process is important to enable and enhance the identification and appropriate treatment of risks through:
• the development, documentation, implementation and regular review of risk management policy and process
• ensuring the successful application of the risk management policy through communication in a form and manner that is relevant, accessible and understandable
• the maintenance of ‘line of sight’ between risk managers and risk (at both the frontline and organisational level).
The review underscores a need for Victoria Police to strengthen the link between security incidents and risk. Limited security incident awareness (see Finding 3.2) and the corresponding failure to report security incidents severely limits Victoria Police’s ability to conduct an adequate risk assessment. Therefore Victoria Police’s risk posture remains undefined. This has direct consequences for training and resourcing in security incident management.
Consultations identified a separation and isolation of organisational risk assessment, governance, management, and capacity across various roles and functions responsible for managing security incidents.
To highlight the importance of integrated security incident risk management, the Chief Risk Officer (CRO), as an Executive position, has oversight of three enterprise risks relating to information security. Visibility of information security management across Victoria Police is essential to the function of the CRO. The CRO sits on the Security Committee (focusing on information, physical and personnel security). Additionally, the CRO reports to Executive Command and has recently established regular meetings with the Agency Security Executive (ASE) in order to build a shared understanding of security risks and the work being undertaken to mitigate them.
The Chief Information Officer (who also holds the position of ASE) maintains oversight of all security incidents within Victoria Police. The engagement of the role and function of the ASE at Executive Command level helps both maintain organisational awareness and drive Executive endorsement of security incident management, and any relevant organisational cultural change initiatives (see Finding 3.2).
IMSSD, as the central point for security incident management in Victoria Police, has developed the capability to liaise with other risk and planning units within Victoria Police about the progress of information security related risks, and the implications of incidents across all four security domains, from a holistic enterprise risk perspective. (Also refer to Finding 3.4)
Frontline members indicated to the review that current processes for making resourcing decisions about identified enterprise information security risks appear to be not as effective as they could be. Again, this observation is supported by findings from the CPDP site inspections and the longitudinal survey – that organisational issues often play out at, and impact on, the local level – with the review underscoring the requirement, organisationally, for more sophisticated incident analysis to predict and guard against future risk.
10 Standards for Law Enforcement Data Security (2014). Chapter Eleven – Risk Management. p.67.
Recommendation Three
That Victoria Police align and integrate security incident management and practice with the organisational risk management framework.
3.4 Security incident roles and responsibilities are not well defined or understood
SLEDS – Std 3; VPDSF – Std 3, 5, 7
The security incident management environment can be a complex, and often changing, landscape. Sound governance involves, in part, clear direction and the assignment and acknowledgement of responsibilities in security incident management and practice. Clearly detailing SIM roles and responsibilities is important as it:
• provides clear direction and visible support for security incident management initiatives, including identifying SIM goals (tailored to organisational requirements)
• ensures SIM policy is developed, approved and reviewed
• ensures the availability of required SIM resources
• assigns specific roles and responsibilities for SIM and practices
• initiates plans and programs to maintain SIM and practices
• ensures that the implementation of SIM controls is coordinated.
Review observations highlight three distinct tiers of stakeholders engaged within the Victoria Police security incident management landscape. These tiers are:
1. Internal Victoria Police stakeholders
2. External stakeholders responsible for regulating protective data security and having a primary focus on (Victorian) law enforcement agencies – CPDP
3. Other oversight, regulatory, and specialist bodies.11
The review underlines that security incident management functions, activities, objectives and expectations of respective organisations are not well defined. Furthermore, there was confusion around the implementation and management of stakeholder relationships, including lines of communication, communication content, and the level of collaboration and cooperation required between internal and external stakeholders.
This lack of clear, defined SIM roles and responsibilities is also impacting negatively on the development and maintenance of future or existing protocols (such as the Escalated Reporting Protocol12 currently in place between IMSSD and CPDP).
Victoria Police are actively working to strengthen both engagement and understanding across the organisation, recognising that this is pivotal to supporting the implementation of a holistic enterprise-wide approach to information security incident management – with the primary activities being SIM role identification, definition and promotion.
It is a certainty that ongoing and dedicated organisational support towards SIM capacity building is fundamental to enabling Victoria Police SIM capabilities. Building, and maintaining, capability around security incident management functions, activities, objectives and expectations is imperative to not only address organisational accountabilities, but also those of oversight and regulatory bodies like CPDP.
Recommendation Four
That Victoria Police identify, define and document all security incident management roles and responsibilities (such as within a RACI model).
11 For example IBAC, VAGO, PROV, VMIA, etc.
12 The Protocol aids the reporting of information security incidents by Victoria Police to CPDP
3.5 Victoria Police does not have an effective or authorised SIMF in place
SLEDS – Std 32; VPDSF – Std 7
An effective and robust SIMF details and ensures a consistent approach to the management of security incidents by supporting the Plan, Do, Check, Act model of continuous improvement lifecycle. Importantly, a SIMF enables the systematic identification of opportunities to mature protective data security practices by providing organisational focus on, and impetus for, increasing security incident management capacity, capability and flexibility.
The review finds that Victoria Police’s security incident management is not optimised towards best practice, including by not currently having an adequate, robust SIMF. The key findings in this report indicate ongoing and elevated risks around current security incident management and practice including:
• the loss of confidentiality, integrity and availability of systems or data
• a loss of reputation / credibility with stakeholders
• disorganisation and inefficiency driven by protracted and/or poorly coordinated incident management activity
• security incident management communication that is not relevant, accurate or timely
• incidents reoccurring through not understanding risk, or applying lessons learnt.
As part of the wider review expectations, KPMG validated the attached SIMF against national and international benchmark standards and therefore it is ready for broader implementation. The validated SIMF forms a consistent, and best practice, model that Victoria Police should adopt and deploy.
Recommendation Five
That Victoria Police agree to adopt the SIMF and develop a roadmap for its implementation, including milestones and timelines.
4 Recommendations
Recommendation One
That Victoria Police review, validate and update security incident management policies ensuring they are simplified, integrated and communicated to all stakeholders.
Recommendation Two
That Victoria Police undertake force-wide security incident management training focussing on:
• what constitutes a security incident
• what are members’ reporting obligations
• the reporting process.
Recommendation Three
That Victoria Police align and integrate security incident management and practice with the organisational risk management framework.
Recommendation Four
That Victoria Police identify, define and document all security incident management roles and responsibilities (such as within a RACI model).
Recommendation Five
That Victoria Police agree to adopt the SIMF and develop a roadmap for its implementation, including milestones and timelines.
5 Management Action Plan
CPDP REC NUMBER | REPORT REC NUMBER | ACCOUNTABLE | RESPONSIBLE | DATE | COMMENT
262 | 1 | Director, Information Management and Assurance | • Director, Information Management and Assurance | 30 June 2017 | Agreed – Draft to PLO process by date
263 | 2 | Director, Information Management and Assurance | • Inspector, Security Incident Registry | 30 December 2017 | Agreed
264 | 3 | Director, Information Management and Assurance | • Inspector, Security Incident Registry • Chief Risk Officer | 30 December 2017 | Agreed
265 | 4 | Director, Information Management and Assurance | • Project Director, ICT Operating Model Review | 30 December 2017 | Agreed
266 | 5 | Director, Information Management and Assurance | • Inspector, Security Incident Registry | 30 June 2017 | Agreed
6
Ap
pe
nd
ice
s
Ap
pen
dix
A –
Sec
uri
ty I
nci
den
t M
anag
emen
t Fr
amew
ork
PH
ASE
C
ON
TR
OL
CO
NT
RO
L O
BJE
CT
IVE
E
XP
ECT
ED
E
LEM
EN
TD
ESC
RIP
TIO
NE
XA
MP
LES/
AR
TE
FAC
TS
A)
Pre
par
atio
nO
rgan
isin
g
an e
ffe
cti
ve
sec
uri
ty in
cid
en
t
man
age
me
nt
cap
abili
ty r
eq
uir
es
pla
nn
ing
an
d
pre
par
atio
n
A.1
De
fin
itio
ns
Hav
ing
cle
ar
de
fin
itio
ns
in t
he
org
anis
atio
nal
co
nte
xt f
or
a
sec
uri
ty e
ven
t
and
inc
ide
nt
A1.
1E
ven
ts &
Inc
ide
nts
Sec
uri
ty e
ven
ts a
nd
inc
ide
nts
hav
e b
ee
n
we
ll d
efi
ne
d a
nd
th
e
diff
ere
nc
es
cle
arly
arti
cu
late
d
A d
oc
um
en
t
de
fin
ing
wh
at
co
nst
itu
tes
a
sec
uri
ty e
ven
t an
d
an in
cid
en
t
A1.
2T
hre
sho
lds
Th
resh
old
s h
ave
be
en
de
fin
ed
fo
r
wh
en
a s
ec
uri
ty
eve
nt
be
co
me
s an
inc
ide
nt
A d
oc
um
en
t
pro
vid
ing
th
e
cri
teri
a w
he
n a
sec
uri
ty e
ven
t
be
co
me
s an
inc
ide
nt
A.1
.3C
ate
go
risa
tio
nC
rite
ria
to
cat
eg
ori
se s
ec
uri
ty
inc
ide
nts
hav
e b
ee
n
de
fin
ed
A d
oc
um
en
t
de
fin
ing
th
e c
rite
ria
and
cat
eg
ori
es
for
sec
uri
ty in
cid
en
ts
A
.2R
eq
uir
em
en
tsO
rgan
isat
ion
al
co
nte
xt a
nd
req
uir
em
en
ts
mu
st b
e
un
de
rsto
od
an
d
de
fin
ed
A2
.1O
blig
atio
ns
reg
iste
rR
eg
ula
tory
, le
gal
and
ad
min
istr
ativ
e
ob
ligat
ion
s h
ave
be
en
re
gis
tere
d
A r
eg
iste
r sh
ow
ing
all o
blig
atio
ns
23
Unclassified
Unclassified
  Expected element A2.2 References
    Description: Contractual requirements and other agreements have been referenced
    Examples/artefacts: A register showing contractual or other requirements

CONTROL A.3 Policy
  Control objective: To state the organisational intent, objective and to provide direction for the effective implementation of a Security Incident Management Framework

  Expected element A.3.1 Policy - Statement of management commitment
    Description: Senior management have demonstrated their commitment and support to ensuring the effectiveness of the Security Incident Management Framework
    Examples/artefacts: Executive sponsorship and buy-in for the establishment of a Security Incident Management Framework. Embedding policy across the organisation. Management endorsement on Policy. (Look for meeting minutes where policy endorsement was tabled. Staff communications from senior management in relation to policy, etc.)
  Expected element A.3.2 Policy Direction & Objective
    Description: The purpose and the objectives of the policy have been clearly articulated
    Examples/artefacts: Purpose and objectives are articulated in a policy document

  Expected element A.3.3 Ownership
    Description: Ownership for policy has been assigned
    Examples/artefacts: Statement of ownership in the policy

  Expected element A.3.4 Policy Review
    Description: The policy has been reviewed in line with the organisation's policy governance framework. In absence of such a framework, the review is done at least annually
    Examples/artefacts: A document trail for policy review (can be email, agenda item(s) or any other evidence of review activity)

  Expected element A.3.5 Communication
    Description: The policy has been communicated to all relevant internal and external parties
    Examples/artefacts: Specific communiqués to internal and external parties about policy

  Expected element A.3.6 Interdependencies
    Description: Relationships and dependencies to other policies and procedures have been documented
    Examples/artefacts: A document showing the relationships across the organisation
CONTROL A.4 Plan
  Control objective: To provide the resources and a roadmap for the implementation of the Security Incident Management Framework

  Expected element A.4.1 Roadmap
    Description: A roadmap for maturing security incident management capability
    Examples/artefacts: A document showing the planned activities over time to mature security incident management capabilities. Requires the organisation to understand the need and areas for capability improvements

  Expected element A.4.2 Performance measures
    Description: The effectiveness of the Security Incident Management Framework has been monitored through defined performance measures
    Examples/artefacts: Defined performance measures and evidence of actual data collection and response to collected data

  Expected element A.4.3 Executive approval
    Description: Executive have approved the elements of the plan
    Examples/artefacts: Meeting minutes or any other evidence showing direct (not implicit) approval of improvement plan
CONTROL A.5 Internal Standards
  Control objective: To support the policy objectives

  Expected element A.5.1 Internal standard set
    Description: A set of supporting internal standards has been documented in support of the policy objectives, specifying baseline expectations of what must be done
    Examples/artefacts: Documented internal standards detailing what must be done to achieve the policy objectives

  Expected element A.5.2 Coverage
    Description: Internal standards cover the Security Incident Management Lifecycle
    Examples/artefacts: Elements of internal standards are defined across the lifecycle (i.e. Preparation, Detection, Handling and Prevention)

  Expected element A.5.3 Prioritisation
    Description: Internal standards that define how to prioritise specific security incident categories
    Examples/artefacts: An internal standard that articulates how incidents are prioritised
  Expected element A.5.4 Communication
    Description: Internal standards that define how and when to communicate with internal and external parties – e.g. oversight bodies, regulators, Media, Service Providers, Other Agencies
    Examples/artefacts: A specific internal standard that details communication protocols

  Expected element A.5.5 Risk alignment
    Description: The internal standards link to the organisational risk management framework
    Examples/artefacts: Evidence that the security incident management framework has been integrated with the organisational risk management framework (including internal standards)

  Expected element A.5.6 Ownership
    Description: Ownership for internal standards has been assigned
    Examples/artefacts: Statement of ownership in the internal standard
  Expected element A.5.7 Review
    Description: The internal standards are reviewed on a regular basis or if significant events have occurred (e.g. incidents or changes to the organisation)
    Examples/artefacts: Evidence of review activities, e.g. email trails, revision history

CONTROL A.6 Processes
  Control objective: To provide detailed and pre-defined guidance on internal standards

  Expected element A.6.1 Coverage
    Description: Processes supporting the activities of all security incident management lifecycle phases
    Examples/artefacts: Processes supporting standards across all security incident management lifecycle phases (Preparation, Detection, Handling, Prevention). Processes address coverage across the organisation

  Expected element A.6.2 Prioritisation
    Description: Processes have been defined to support the prioritisation of specific security incident categories
    Examples/artefacts: Detailed instructions exist around the prioritisation of incidents
  Expected element A.6.3 Communication
    Description: Processes that outline the communication protocol in accordance with the internal security standards
    Examples/artefacts: Detailed communications protocols, showing who can say what and when

  Expected element A.6.4 Ownership
    Description: Ownership of each process has been assigned
    Examples/artefacts: Statement of ownership in internal documentation

  Expected element A.6.5 Review
    Description: The processes are reviewed on a regular basis along with the internal standards they support
    Examples/artefacts: Evidence of review activities, e.g. email trails, revision history

CONTROL A.7 Resources
  Control objective: To provide the required tools throughout the Security Incident Management Lifecycle

  Expected element A.7.1 Templates
    Description: Templates have been defined, e.g. Incident Fact Sheet, Post Incident Reports
    Examples/artefacts: Prepared templates such as Fact Sheets, Post Incident Reports, etc.
  Expected element A.7.2 Toolkits
    Description: Required tools to manage the Incident have been identified, e.g. facilities, systems, people
    Examples/artefacts: Evidence of tools to support the security incident management processes

  Expected element A.7.3 Contact Lists
    Description: Contact lists have been pre-compiled for all relevant internal and external stakeholders
    Examples/artefacts: Contact lists showing details of every key stakeholder and secondary contacts allowing 24/7 access to individuals and services

CONTROL A.8 Roles & Responsibilities
  Control objective: To ensure that all internal and external parties understand roles and responsibilities

  Expected element A.8.1 Team Model
    Description: The security incident management team model has been defined (e.g., Centralised, Distributed) addressing both oversight / management and response
    Examples/artefacts: Documented details of the security incident management team model(s), including security incident management response
  Expected element A.8.2 Roles & Functions
    Description: Each participant has a defined role and function
    Examples/artefacts: Every role / function is supported by a defined and documented RACI model

  Expected element A.8.3 Authority
    Description: The authorities for decision making have been defined
    Examples/artefacts: A document that states the authority for decision making for any financial, reputational, operational, legal & regulatory implications

  Expected element A.8.4 External Parties
    Description: The roles and responsibilities of external parties have been defined
    Examples/artefacts: A document showing the roles and responsibilities of external parties

  Expected element A.8.5 Consumers
    Description: The needs of consumers in the context of incident management have been defined and are understood
    Examples/artefacts: A document showing the need (information / data) for consumers (customers) during a security incident – e.g. both suppliers and recipients
  Expected element A.8.6 Dependencies
    Description: Dependencies on services and resources (both within and beyond the organisation) have been defined - e.g. Legal, IT Support, Regulatory, Facilities, etc.
    Examples/artefacts: A document showing the dependencies on and by other parties/services

CONTROL A.9 Skills, training and awareness
  Control objective: Ensure that all relevant parties are aware, well prepared and skilled in Security Incident Management

  Expected element A.9.1 Skills and competencies
    Description: Stakeholders have been selected with suitable skills, matching their roles and responsibilities in the Security Incident Management Framework and bring a cross-section of business knowledge to the team
    Examples/artefacts: Composition of the security incident management team reflects key workgroups across the organisation (e.g. corporate communications, HR, Financial, Facilities, Executives, Records Management, ICT). Staff have completed relevant security incident training
  Expected element A.9.2 Training
    Description: A training plan has been documented addressing the ongoing training needs of the security incident management team(s)
    Examples/artefacts: A training plan detailing the actions, activities and focus areas of those involved in security incident management

  Expected element A.9.3 Awareness
    Description: A security incident awareness program has been defined and implemented ensuring all internal and external stakeholders are aware of the Security Incident Management Framework
    Examples/artefacts: Evidence of communications to internal and external stakeholders. Spot-check of actual awareness of the security incident management framework

PHASE B) Detection: The capability to assess events and identify security incidents

CONTROL B.1 Threat Intelligence
  Control objective: Proactively detect any threats and vulnerabilities

  Expected element B.1.1 Threat Analysis
    Description: External/Internal threat analysis is performed to establish an understanding of the threat environment and in turn detect changes
    Examples/artefacts: Evidence of Threat Analysis, e.g. Threat Reports, Threat & Risk Workshops
  Expected element B.1.2 Frequency
    Description: Threat Analysis has been frequently performed. The schedule must be defined by the business based on the organisational context. Criteria have been defined for unscheduled analysis activities
    Examples/artefacts: Document detailing the frequency of Threat Analysis including criteria for unscheduled reviews based on changes to the threat environment

  Expected element B.1.3 Quality/Reliability
    Description: Threat assessments have determined the reliability and quality of the information being analysed. This information has been provided with the threat report
    Examples/artefacts: Quality/Reliability statement of the threat intelligence is articulated in any threat reporting

CONTROL B.2 Vulnerability Analysis / Attack Vectors
  Control objective: Vulnerabilities and attack vectors are understood in the context of existing and potential threats

  Expected element B.2.1 Vulnerability Scans
    Description: Perform regular analysis for vulnerabilities and attack vectors, based on the existing and potential threats
    Examples/artefacts: Vulnerability assessment reports
CONTROL B.3 Security Monitoring
  Control objective: Timely detection of events and security incidents

  Expected element B.3.1 Indicators
    Description: Security incident indicators and precursors have been defined
    Examples/artefacts: A document stating the precursors and security incident indicators

  Expected element B.3.2 Event Monitoring
    Description: Events are assessed / monitored for defined indicators and precursors
    Examples/artefacts: Evidence that events are assessed / monitored using the defined indicators / precursors

  Expected element B.3.3 Testing
    Description: Any new defined security incident indicators or precursors have been tested against the existing security events
    Examples/artefacts: Evidence that retrospective review of security events was performed when security incident indicators or precursors have changed
  Expected element B.3.4 Alerting
    Description: Alert thresholds for security incidents are documented (both automated and via user reporting)
    Examples/artefacts: Examples may include:
      • A system which includes an automated tool with a built in alert function
      • Significant changes to a ‘factor area’ for security clearance holders
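The B.3 controls above, shown as runnable detection logic in an added example that is not part of the CPDP report: indicators and precursors are defined with alert thresholds (B.3.1, B.3.4), a constructed event log is assessed against them (B.3.2), and a newly defined indicator is re-tested retrospectively over the stored events (B.3.3). All indicator names, patterns and log lines are constructed for illustration.

```python
# Added example (not from the CPDP report): event monitoring against defined
# indicators and precursors (B.3.1-B.3.4) with retrospective re-testing (B.3.3).
# The indicator set and the log lines below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Indicator:
    """A defined precursor (sign an incident may occur) or indicator (sign one
    may have occurred). An alert is raised once `threshold` matching events
    from one source fall inside `window` (the alert threshold of B.3.4)."""
    name: str
    kind: str          # "precursor" or "indicator"
    pattern: str       # regular expression applied to the event message
    threshold: int
    window: timedelta

@dataclass
class Event:
    ts: datetime
    source: str
    message: str

@dataclass
class Alert:
    indicator: str
    kind: str
    source: str
    count: int
    first_seen: datetime
    last_seen: datetime

# Constructed indicator set, as a B.3.1 document might define it.
INDICATORS = [
    Indicator("repeated_auth_failure", "precursor",
              r"auth failure for user", 3, timedelta(minutes=5)),
    Indicator("clearance_record_change", "indicator",
              r"clearance record \d+ modified outside change window",
              1, timedelta(minutes=1)),
]

# Constructed sample log, one "<ISO timestamp> <source> <message>" per line.
SAMPLE_LOG = """\
2017-01-10T09:00:01 ws-014 auth failure for user jsmith
2017-01-10T09:01:12 ws-014 auth failure for user jsmith
2017-01-10T09:02:40 ws-014 auth failure for user jsmith
2017-01-10T09:30:00 hr-db clearance record 4471 modified outside change window
2017-01-10T11:00:00 ws-022 auth failure for user ablack
2017-01-10T13:00:00 ws-014 bulk export of 5200 records by jsmith
"""


def parse_log(text):
    """Turn the log text into Event objects."""
    events = []
    for line in text.splitlines():
        ts, source, message = line.split(" ", 2)
        events.append(Event(datetime.fromisoformat(ts), source, message))
    return events


def assess(events, indicators):
    """B.3.2/B.3.4: match events against the defined indicators and raise one
    Alert per (indicator, source) when the matches inside the sliding window
    reach the indicator's threshold."""
    alerts = []
    recent = defaultdict(list)  # (indicator name, source) -> match timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        for ind in indicators:
            if not re.search(ind.pattern, ev.message):
                continue
            key = (ind.name, ev.source)
            hits = [t for t in recent[key] if ev.ts - t < ind.window] + [ev.ts]
            recent[key] = hits
            if len(hits) == ind.threshold:
                alerts.append(Alert(ind.name, ind.kind, ev.source,
                                    len(hits), hits[0], ev.ts))
    return alerts


def retrospective_test(stored_events, new_indicator):
    """B.3.3: run a newly defined indicator over the stored event history to
    see what it would have alerted on before it goes live."""
    return assess(stored_events, [new_indicator])
```

Against the sample log, the three failed logons from ws-014 reach the precursor threshold and the clearance change raises an indicator alert, while the single failure from ws-022 stays below threshold; the retrospective run of a new "bulk export" indicator finds the one export event already in the history.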
PHASE C) Handling: The capability to respond to security incidents in a timely manner

CONTROL C.1 Triage
  Control objective: Assess the security incident elements to determine how to best manage it

  Expected element C.1.1 Team Model
    Description: Utilising the pre-defined team model, to triage the security incident
    Examples/artefacts: Evidence in form of corporate communications (e.g. internal and external emails, Intranet communications, etc.)

  Expected element C.1.2 Process
    Description: Consider the elements / characteristics of the security incident and follow pre-defined response and management processes
    Examples/artefacts: Follow process documents that outline what to do in the case of particular security incidents
  Expected element C.1.3 Timeliness
    Description: Assess security incidents in a timely manner (ensuring 24/7 response where required)
    Examples/artefacts: Process review showing that reported security incidents are addressed within a reasonable timeframe

  Expected element C.1.4 Parameters / Scope
    Description: Establish a terms of reference for particular security incidents including response parameters (where required)
    Examples/artefacts: E.g. 'Terms of reference' document for a particular security incident

  Expected element C.1.5 Register
    Description: All reported security incidents are recorded with an assessment outcome
    Examples/artefacts: A register showing recorded and accompanying assessment outcomes

  Expected element C.1.6 Prioritisation
    Description: All security incidents have been prioritised according to relevant internal standards
    Examples/artefacts: A record of the priority assessment is captured in the Security Incident Register
  Expected element C.1.7 Categorisation
    Description: All recorded security incidents are categorised
    Examples/artefacts: A record of the category is captured in the Security Incident Register

  Expected element C.1.8 Asset owners
    Description: Asset owners are identified during the triage assessment (if applicable)
    Examples/artefacts: A record of the asset owner is captured in the Security Incident Register

CONTROL C.2 Analysis
  Control objective: To ensure security incidents are analysed as information becomes available

  Expected element C.2.1 SME Engagement
    Description: Engage suitable subject matter experts (SMEs) from relevant areas and bring these SMEs into the security incident response process
    Examples/artefacts: A process document showing how SMEs are engaged

  Expected element C.2.2 Business Impacts
    Description: Business impacts resulting from the security incident are assessed
    Examples/artefacts: A process document showing that business impacts are assessed. Fact sheets from past events showing business impact assessments
  Expected element C.2.3 Ongoing analysis
    Description: As additional information becomes available, the original assessment is re-considered to identify whether the security incident needs to be prioritised or response activities adjusted
    Examples/artefacts: Documentation from past incidents showing risk considerations of new information – e.g. risk assessments throughout the incident lifecycle. Requests for information to support analysis

  Expected element C.2.4 Process
    Description: Follow pre-defined communication protocol according to the security incident elements / characteristics
    Examples/artefacts: Information flows have been controlled and pre-defined (i.e. who can talk to whom and when) during the handling phase
CONTROL C.3 Containment
  Control objective: Prevent further damages from the security incident in a controlled fashion

  Expected element C.3.1 Containment Strategies
    Description: Follow pre-defined containment strategies set out under internal standards / processes
    Examples/artefacts: Evidence that the document outlining the containment strategies has been followed (e.g. wipe & restore, monitor and observe, etc.). Evidence of consideration given to issues such as Forensics, Personnel Security, Disaster Recovery, Business Continuity Management

  Expected element C.3.2 Authority
    Description: Follow pre-defined decision authorities for the containment of the security incident
    Examples/artefacts: Evidence that the document outlining the decision authorities for the containment strategy has been followed

CONTROL C.4 Rectification
  Control objective: Address issues leading to the security incident

  Expected element C.4.1 Controls
    Description: A process has been defined to rectify any issues or remediate controls that failed to prevent the security incident from occurring
    Examples/artefacts: A process document that shows how to fix/rectify control failures for the security incident
  Expected element C.4.2 Scope
    Description: Rectification has considered areas that are not impacted but rely on the same controls
    Examples/artefacts: A process showing that after control failures, similar controls or controls in other areas are reviewed. Evidence from past events showing that such reviews are performed

CONTROL C.5 Recovery
  Control objective: Recover from the security incident and resume normal business operations

  Expected element C.5.1 Business Continuity
    Description: Initiate Business Continuity Plan
    Examples/artefacts: Evidence of linkage to Business Continuity Management

  Expected element C.5.2 Recovery Strategies
    Description: Follow pre-defined restore strategies outlined in internal standards / processes
    Examples/artefacts: Evidence that the document outlining recovery strategies has been followed
CONTROL C.6 Communication / Engagement
  Control objective: To provide accurate, factual and timely information to stakeholders

  Expected element C.6.1 Communication / Engagement Plan
    Description: Follow pre-defined engagement plan
    Examples/artefacts: Evidence that the documented engagement plan, including:
      • listing all relevant stakeholders and their information requirements
      • communication channels (e.g. email, phone, Intranet, etc.)
    has been followed

  Expected element C.6.2 Frequency
    Description: Ensure frequent status updates are provided to key stakeholders
    Examples/artefacts: Evidence that key stakeholders have been updated on the status of security incidents

  Expected element C.6.3 Authority
    Description: Follow the pre-defined communications plan that identifies who has the authority to communicate to different stakeholders
    Examples/artefacts: A statement of authority covering all identified recipients of communication
PHASE D) Prevention: The capability to reduce the business impact of a security incident and to prevent incidents from re-occurring

CONTROL D.1 Post Incident Review
  Control objective: To provide direct feedback on the effectiveness of security incident management

  Expected element D.1.1 Review
    Description: A process has been defined to perform a subjective and objective assessment of security incident management
    Examples/artefacts: Evidence that a review has occurred after a security incident

CONTROL D.2 Collecting Incident Data
  Control objective: To support the ongoing improvement of the security incident response capability

  Expected element D.2.1 Incident Register
    Description: Details about the security incident have been recorded in a register
    Examples/artefacts: A security incident register containing performance metrics such as categorisation, business impact, time per incident, review outcomes and recommendations

CONTROL D.3 Awareness
  Control objective: To ensure that all relevant stakeholders are aware of any updates to the Security Incident Management Framework

  Expected element D3.1 Communications
    Description: All stakeholders with an identified role in the SIMF have been made aware of any changes or updates to it
    Examples/artefacts: Evidence of communications to staff about changes after the last revision of standards/processes
CONTROL D.4 Information Sharing
  Control objective: To ensure relevant stakeholders are provided relevant information about the security incident

  Expected element D.4.1 Information Exchange
    Description: Follow the pre-defined process that identifies any stakeholders who may not have been directly involved during the handling phase
    Examples/artefacts: A document showing non-involved parties and their information needs - e.g. CPDP, DPC (ESB), DSD, AFP, AusCERT, other linked agencies. This process relies upon pre-defined documented information sharing arrangements with such agencies

CONTROL D.5 Evidence Retention
  Control objective: To ensure evidence relating to the security incident is retained in a suitable manner (if required)

  Expected element D.5.1 Retention & Preservation
    Description: Retention and preservation of evidence relating to the security incident has been defined in accordance with organisational internal standards / processes as well as any other legal and regulatory requirements
    Examples/artefacts: Clear articulation of retention / preservation requirements of evidence obtained during the security incident
CONTROL D.6 Lessons Learnt
  Control objective: To ensure security incident response activities are reviewed for lessons learnt

  Expected element D.6.1 Incident Review
    Description: A process has been documented to ensure that the security incident is reviewed for lessons learnt
    Examples/artefacts: Evidence of review activities since the last recorded security incident

CONTROL D.7 Audit & Reviews
  Control objective: To ensure the ongoing effectiveness of the SIMF

  Expected element D.7.1 Scope
    Description: The scope for audits and reviews of the security incident management framework is clearly defined
    Examples/artefacts: A clear definition of scope

  Expected element D.7.2 Coverage
    Description: Audit and reviews cover all components of the Security Incident Management Framework
    Examples/artefacts: Evidence of audit activities across components of the Security Incident Management Framework

  Expected element D.7.3 Linkage to Threat / Risks
    Description: Audit and reviews of the Security Incident Management Framework take into account existing risks and threats
    Examples/artefacts: Audit planning considers recent events, current identified threats and risks
  Expected element D.7.4 Frequency
    Description: The frequency for audit and reviews of the security incident management framework has been defined (i.e. conducted on a regular basis or if significant events have occurred)
    Examples/artefacts: A document stating the frequency for audit/reviews, taking into account the need for unscheduled reviews to respond to significant events / incidents
Appendix B – Capability Maturity Model