Tenace FRAMEWORK and
NIST Cybersecurity
Framework
Block IDENTIFY
Current TENACE framework
Block IDENTIFY
• Traceability matrix between NIST and TENACE deliverables
• Identify – Develop the organizational understanding to
manage cybersecurity risk to systems, assets, data, and
capabilities.
• The activities in the Identify Function are foundational for
effective use of the Framework. Understanding the business
context, the resources that support critical functions, and the
related cybersecurity risks enables an organization to focus
and prioritize its efforts, consistent with its risk management
strategy and business needs. Examples of outcome
Categories within this Function include: Asset Management;
Business Environment; Governance; Risk Assessment; and
Risk Management Strategy.
Amongst asset,
focus (from case
study) is cyberphysical system
(SCADA, sensors,
access control
systems, …)
These can be identified
in the case study – not
directly included in the
current framework
(Deliverable 3)
Not only ICT but also
business related aspects:
should we expand TENACE
scope?
To be decided if we
want to introduce the
“Business
Environment” in the
framework
(this is the
organizational level)
Security
awareness/training
is currently not part
of the framework
(best practises,
regulatory aspects,
etc.
To be decided if we
want to introduce
the “Governance” in
the framework
See Deliverable 1.1
for some generic
discussion on
governance in
protection of critical
infrastructure
NIST considers this as
“static”: should it
operate at runtime (in a
dynamic fashion) within
the TENACE
framework?
See Deliverable 1
(mainly section 2)
others?
Can be applied to the
case study
See Deliverable 1 section 2
See deliverable 2 Section 2
others?
Can be applied to the case
study
?
See Deliverable 2
?
See Deliverable 5
section 2
others?
?
See Deliverable 3
(mitigation)
Others?