TENACE Framework and NIST Cybersecurity Framework

Block IDENTIFY

Current TENACE framework: Block IDENTIFY

• Traceability matrix between NIST and TENACE deliverables
• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

• Among assets, the focus (from the case study) is on cyber-physical systems (SCADA, sensors, access control systems, …)
• These can be identified in the case study – not directly included in the current framework (Deliverable 3)
• Not only ICT but also business-related aspects: should we expand TENACE scope?
• To be decided if we want to introduce the “Business Environment” in the framework (this is the organizational level)
• Security awareness/training is currently not part of the framework (best practices, regulatory aspects, etc.)
• To be decided if we want to introduce the “Governance” in the framework
• See Deliverable 1.1 for some generic discussion on governance in protection of critical infrastructure
• NIST considers this as “static”: should it operate at runtime (in a dynamic fashion) within the TENACE framework?
• See Deliverable 1 (mainly section 2) others?
• Can be applied to the case study
• See Deliverable 1 section 2
• See Deliverable 2 section 2 others?
• Can be applied to the case study
• ? See Deliverable 2
• ? See Deliverable 5 section 2 others?
• ? See Deliverable 3 (mitigation) Others?