Guía sobre Ciberseguridad y Protección de Datos (Borrador en revisión de la INTOSAI)


Manual o Guía

07th Sep 2022

Descargar Ver documento


Cybersecurity and Data Protection
1. Introduction ………………………………………………………………………………………………………………. 2
1.1 Background …………………………………………………………………………………………………………. 3
1.2 Structure of this Guideline Document ……………………………………………………………………… 3
1.3 Key Concepts and Definitions ………………………………………………………………………………… 4
1.4 Key Cybersecurity and Data Protection Standards and Frameworks ……………………………. 5
1.5 Cybersecurity and Data Protection Best Practices and Key Methodologies ………………….. 7
2. Guidance during audit phases ………………………………………………………………………………………… 7
2.1 Planning and designing an audit …………………………………………………………………………………… 7
2.1.1 Defining the terms of the engagement ……………………………………………………………………. 7
2.1.2 Defining the scope ……………………………………………………………………………………………….. 8
2.1.3 Audit Skill Requirements ……………………………………………………………………………………. 11
2.2 Conducting ……………………………………………………………………………………………………………… 12
2.2.1 General Audit Process ………………………………………………………………………………………… 12
2.2.2 Principles for specific audit areas …………………………………………………………………………. 16
2.2.3 Considerations …………………………………………………………………………………………………… 19
2.2.4 Penetration Testing …………………………………………………………………………………………….. 21
2.3 Reporting ………………………………………………………………………………………………………………… 21
2.3.1 Principles ………………………………………………………………………………………………………….. 21
3. Auditing National Cybersecurity and Data Protection …………………………………………………… 22
3.1 National Cybersecurity Strategy and Governance ………………………………………………………… 22
3.1.1 Cybersecurity and data protection legislation ……………………………………………………….. 22
3.1.2 Regulations by country ……………………………………………………………………………………….. 24
3.2 Cybersecurity strategy and program evaluation …………………………………………………………… 26
3.3 Cybersecurity and data protection governance and oversight ……………………………………….. 31
3.4 Critical National Infrastructures (CNI) ……………………………………………………………………….. 33
3.5 Critical Information Infrastructures (CII) …………………………………………………………………….. 33
3.6 Common Factors to Consider while Preparing for Conducting CNI/CII Assessments. ……… 33

3.7 CNI / CII Policy Guidance ………………………………………………………………………………………… 34
3.8 General Auditing of Critical National Infrastructure ……………………………………………………… 35
3.8.1 Canada ……………………………………………………………………………………………………………… 36
3.8.2 Turkey ……………………………………………………………………………………………………………… 38
3.8.3 Korea ……………………………………………………………………………………………………………….. 39
3.8.4 Australia …………………………………………………………………………………………………………… 41
3.8.5 Brazil ……………………………………………………………………………………………………………….. 43
3.9 Semi-Specific Auditing of Critical National Infrastructure ……………………………………………. 45
3.9.1 United Kingdom ………………………………………………………………………………………………… 45
3.10 Specific Auditing of Critical National Infrastructure by Sectors …………………………………… 46
3.10.1 United States of America ………………………………………………………………………………….. 46
3.11 Factors to Consider for Specific Auditing of Critical National Infrastructure by Sectors … 52
3.12 Coordination for the definition and management of Critical Infrastructures. ………………….. 53
3.13 National Resilience / Disaster Recovery ……………………………………………………………………. 53
3.14 General Disaster Recovery ………………………………………………………………………………………. 53
3.14.1 Australia …………………………………………………………………………………………………………. 53
3.15 Disaster Recovery by Functions ……………………………………………………………………………….. 57
3.15.1 United States of America ………………………………………………………………………………….. 57
3.16 Factors to Consider for Disaster Recovery by Functions audits. …………………………………… 60
3.17 Coordination for the activation of the Disaster Recovery Plan by Functions. …………………. 61
3.18 National Agencies / government entities Cybersecurity Assessment ……………………………. 61
3.19 Entities Responsible of the National Cybersecurity. ……………………………………………………. 61
3.20 CERT/CSIRT functions ……………………………………………………………………………………………… 63
3.21 Guide for cybersecurity CSIRT ………………………………………………………………………………….. 64
4. Considerations of cybersecurity and data protection by sector ………………………………………..…….73
4.1 Key cybersecurity guidance and criteria for critical infrastructure sectors……………..…………..74
4.2 Challenges, risks, and threats for critical infrastructure sectors ………………………..……………….75
4.3 Considerations for auditing critical infrastructure sectors ………………………………………..………. 80
4.4 Example reports on critical infrastructure sectors ………………………………………………………………85

1. Introduction

1.1 Background

Government agencies and critical infrastructures—such as energy, transportation systems,
communications, and financial services—are dependent on information technology (IT)
systems and electronic data to carry out operations and to process, maintain, and report
essential information. The security of these systems and data is vital to public confidence and
security, prosperity, and well-being. In addition, many of these systems contain vast amounts
of personally identifiable information (PII), thus making it imperative to protect the
confidentiality, integrity, and availability of this information and effectively respond to data
breaches and security incidents, when they occur.

However, IT systems supporting governments and critical infrastructures are inherently at
risk. These systems are highly complex and dynamic, technologically diverse, and often
geographically dispersed. This complexity increases the difficulty in identifying, managing,
and protecting the numerous operating systems, applications, and devices comprising the
systems and networks. Compounding the risk, systems and networks used by government
agencies and critical infrastructure are also often interconnected with other internal and
external systems and networks, including the internet.

1.2 Structure of this Guideline Document

The purpose of this guideline document is to integrate and facilitate access to useful
information and guidance pertaining to cybersecurity and data protection. This guideline is
not meant to be an exhaustive guide for auditors but could be used as a starting point to assist
auditors in identifying criteria for further review.

This document includes four additional chapters to assist auditors in planning, executing,
and reporting on audits related to cybersecurity and data protection. These chapters include

Chapter Description
2. Guidance during audit phases
Includes audit guidance, how to start audits on
cybersecurity and data protection (planning,
execution, reporting, follow-up, termination, file and
3. National Cybersecurity and Data
Provides highlights on a) national and regional
cybersecurity benchmark studies from global and
regional organizations and b) national cybersecurity
considerations in terms of disaster recovery,
infrastructure protection and open data, among
4. Considerations of cybersecurity
and data protection by sectors
Cybersecurity audits require SAIs to consider the
different economic sectors governments are
involved in. Some examples include cybersecurity
and data protection in the financial, energy, health
care, telecommunications and e-commerce sectors.

5. Cybersecurity implications in
relevant and emerging technologies
Some of the emerging technologies that will be
touched upon include: Government Resource
Planning (GRP), Data Base Management System
(DBMS), Blockchain, Big data and analytics and
Internet of Things (IoT).

1.3 Key Concepts and Definitions

 Information Security: The protection of information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order
to provide confidentiality, integrity, and availability.
 Cybersecurity: The ability to protect or defend the use of cyberspace from cyber-
 Privacy: Assurance that the confidentiality of, and access to, certain information
about an entity is protected.
 Confidentiality: preserving authorized restrictions on access and disclosure, including
means for protecting personal privacy and proprietary information.
 Integrity: guarding against improper information modification or destruction and
includes ensuring information nonrepudiation and authenticity.
 Availability: ensuring timely and reliable access to and use of information.
 Critical infrastructure: refers to systems and assets, whether physical or virtual, so
vital to a country or organization that their incapacity or destruction would have a
debilitating impact on security, national economic security, national public health or
safety, or any combination of these.
 Personally, identifiable information: any information that can be used to distinguish
or trace an individual’s identity, such as name, date and place of birth, or
identification number, and other types of personal information that can be linked to
an individual, such as medical, educational, financial, and employment information.
 Procedural controls: These controls prevent, detect, or minimize security risks to any
physical assets such as computer systems, data centers, and even filing cabinets.
These can include security awareness education, security framework, compliance
training, and incident response plans and procedures.
 Access controls: These controls dictate who is allowed to access and use company
information and the company network. These controls establish restrictions on
physical access to building entrances and virtual access, such as privileged access
 Technical controls: These controls involve using multi-factor user authentication at
login, firewalls, and antivirus software.
 Compliance controls: These controls deal with privacy laws and cybersecurity
standards designed to minimize security threats. They require an information security
risk assessment and enforce information security requirements.
 Network security: A practice of securing networks against unauthorized access,
misuse, interference, or interruption of service.

 Application security: A process that involves detecting, fixing, and enhancing the
security of applications to prevent data or code within the applications from being
 Cloud security: A combination of policies, controls, procedures, and technologies that
work together to protect cloud-based infrastructures and systems.

1.4 Key Cybersecurity and Data Protection Standards and

This section provides a description of relevant best practices across all of the chapters of the
guide. This section is not meant to be an exhaustive list of best practices, but can help serve
as an audit starting point.

Criteria (with link) Description
ISO/IEC 27000:2018
Information technology
security techniques
The ISO Information Security Management system (ISMS)
includes standards that, among other things, provide direct
support, detailed guidance and/or interpretation for the
overall process to establish, implement, maintain, and
improve an ISMS; and address sector-specific guidelines for
National Institute of
Standards and Technology
(NIST) Framework for
Improving Critical
Cybersecurity, Version 1.1

This publication describes a voluntary risk management
framework that consists of standards, guidelines, and best
practices to manage cybersecurity-related risk.
NIST Privacy Framework
This framework is intended to help organizations identify
and manage privacy risk to build innovative products and
services while protecting individuals’ privacy.
NIST Special Publication
800-34: Revision 1,
Contingency Planning
Guide for Federal
Information Systems
This document provides instructions, recommendations, and
considerations for federal information system contingency
NIST Special Publication
(SP) 800-37, Rev. 2: Risk
Management Framework
for Information Systems
and Organizations: A
System Life Cycle
Approach for Security and
This document describes a Risk Management Framework,
that provides a structured and flexible process for managing
security and privacy risk that includes information security
categorization; control selection, implementation, and
assessment; system and common control authorizations; and
continuous monitoring.
NIST SP 800-39:
Managing Information
This document provides guidance for an integrated,
organization-wide program for managing information security

Security Risk:
Organization, Mission, and
Information System View
risk to organizational operations resulting from the operation
and use of federal information systems.
NIST SP 800-53A Rev 4:
Assessing Security and
Privacy Controls in Federal
Information Systems and
This document provides guidelines for building effective
security and privacy assessment plans and procedures for
assessing the effectiveness of security controls and privacy.
NIST SP 800-53B: Control
Baselines for Information
Systems and Organizations
This provides suggested security and privacy control baselines
for each system impact level—low-impact, moderate-impact,
and high-impact—as well as a privacy baseline.

NIST SP 800-53 Rev 5:
Security and Privacy
Controls for Information
Systems and Organizations
This document provides a catalog of security and privacy
controls for information systems and organizations to protect
organizational operations and assets from a set of threats and
risks, including hostile attacks, human errors, natural
disasters, and privacy risks.

NIST SP 800-55 Rev. 1:
Performance Measurement
Guide for Information
This document provides guidance on how an organization,
through the use of metrics, identifies the adequacy of in-place
security controls, policies, and procedures. It provides an
approach to help management decide where to invest in
additional security protection resources or identify and
evaluate nonproductive controls.

NIST SP 800-61, Revision
2, Computer Security
Incident Handling Guide
This publication provides guidelines for incident handling,
particularly for analyzing incident-related data and
determining the appropriate response to each incident.
NIST 800-82 Rev. 2:
Guide to Industrial Control
Systems (ICS) Security

This document provides guidance on how to secure Industrial
Control Systems (ICS), including Supervisory Control and
Data Acquisition (SCADA) systems, Distributed Control
Systems (DCS), and other control system configurations such
as Programmable Logic Controllers (PLC), while addressing
their unique performance, reliability, and safety requirements.
The document provides an overview of ICS and typical
system topologies, identifies typical threats and vulnerabilities
to these systems, and provides recommended security
countermeasures to mitigate the associated risks.

NIST SP 800-137:
Information Security
Continuous Monitoring
(ISCM) for Federal
Information Systems and
This special publication was developed to assist organizations
in the development of a continuous monitoring strategy and
the implementation of a continuous monitoring program
providing visibility into organizational assets, awareness of
threats and vulnerabilities, and visibility into the effectiveness
of deployed security controls

NIST SP 800-161, Rev 1
(Draft): Supply Chain Risk
Management Practices for
Federal Information
Systems and Organizations

This document provides guidance to organizations on
identifying, assessing, and mitigating cyber supply chain

1.5 Cybersecurity and Data Protection Best Practices and Key

The methodologies listed below may be more prescriptive and assist an auditor in completing
audits in a repeatable manner. These may include steps to be taken in an audit, explain why
the steps are important, and how an auditor should complete each step.

Methodology (with link) Description
NIST SP 800-53A Rev 4:
Assessing Security and
Privacy Controls in Federal
Information Systems and
This document provides guidelines for building effective
security and privacy assessment plans and procedures for
assessing the effectiveness of security controls and privacy.
2. Guidance during audit phases

2.1 Planning and designing an audit

This section will define high-level principles for planning and designing of cyber security
audits. The principles will provide guidelines on:
– Defining the terms of the engagement; and
– Defining the scope.
2.1.1 Defining the terms of the engagement

The audit should consider the cyber security requirements and goals of an organization.
Understanding the organization’s cyber security requirements and goals will help with
identify risks to the organization and define the audit objective. The following are examples
of cyber security goals 1.
 Emerging risk is reliably identified, appropriately evaluated and adequately treated.
 Cyber security policies, standards and procedures are adequate, effective and
comply with regulations.
 Cyber security transformation processes are defined, deployed and measured.

1 Source:

 Attacks and breaches are identified and treated in a timely and appropriate manner.
The organization’s cyber security requirements and goals can be identified from the
following sources:
 Government regulations and policies;
 Frameworks, policies and procedures;
 Organization charts;
 Terms of reference;
 Minutes of meetings;
 Internal reports;
 External reports; and
 Intranet Site.
The audit objective should provide management with an assessment of the effectiveness of
cyber security processes, policies, procedures, governance and controls. The assessment
should focus on:
 the use of cyber security frameworks, standards, guidelines;
 design of processes, procedures and controls; and
 implementation of relevant controls.
The following provides examples of audit objectives 2:
 Provide management with an assessment of their cybersecurity policies and
procedures and their operating effectiveness.
 Confirm the systems in place meet minimum compliance requirements.
 Identify security control concerns that could affect the reliability, accuracy and
security of the enterprise data due to weaknesses in security controls.
 Evaluate the effectiveness of response and recovery programs.
2.1.2 Defining the scope

The audit scope should be based on the audit objectives. The audit objectives should be used
to define the areas and aspects of cyber security to be covered. The following should be
considered when defining the audit scope:
 Organization’s systems, IT architecture and information assets;
 organization’s risk management and cyber security frameworks;
 Government and regulatory security frameworks; and
 Baseline cyber security framework. Risk-based Approach to Cyber Security

2 Source: ISACA, IS Audit/Assurance Program, Cybersecurity: Based on the NIST Cybersecurity Framework

The above factors will assist with understanding the organization’s approach to cyber
security. The following provides a model for implementing cyber security using a risk-based
approach 3.
Risk-based Approach to Cyber Security
Steps Description
1. Define the system Determine the type, value and security
objectives for the system based on an assessment
of the impact if it were to be compromised.
2. Select controls Select controls for the system and tailor them to
achieve desired security objectives.
3. Implement controls Implement controls for the system and its
operating environment.
4. Assess controls Assess controls for the system and its operating
environment to determine if they have been
implemented correctly and are operating as
5. Authorize the
Authorize the system to operate based on the
acceptance of the security risks associated with
its operation.
6. Monitor the system Monitor the system, and associated cyber
threats, security risks and controls, on an
ongoing basis.

Understanding the organization’s approach to cyber security supports a risk-based approach
to the audit. It allows the audit to focus on important areas that are valuable to the
organization. The audit can focus on systems and information assets that the organization
should protect, and the level of protection the organization should be implementing. The
following considerations can assist with further enhancing the audit scope.

– The prioritization of the defined systems can assist with targeting important systems.
Organizations would typically implement security controls for higher priority
systems as opposed to those of less importance to the organization.
– The selected controls forms the security baseline for specific systems and, in some
cases, for all systems. The security baseline can be used as the basis for compliance
audits if a legal and regulatory security baseline does not exist.
– The organization’s mechanisms for assessing, authorizing and monitoring security
controls can provide an early indication of the cyber security maturity of the
organization. An organization with overarching framework supporting the

3 Source:

assessment, authorization and monitoring of security controls is likely to be more
mature than those that do not have such a framework.
– A risk and threat assessment can provide an understanding of specific risks the
organization is aiming to mitigate. The risk and threat assessments should provide
information on the intrusion process for particular systems. Adversaries execute a
series of steps or stages within the intrusion process to execute a cyber-attack. The
high-level stages of targeted cyber intrusions are malicious software delivery and
execution, network propagation, and data exfiltration. The audit scope should include
an assessment of controls related to the intrusion process. This will help assess the
organization’s ability to mitigate cyber security incidents. Risk Management and Security Frameworks

The following organizations and frameworks provide examples of risk management and
cyber security practices that could be used to assist with scoping the audit.

 US National Institute of Standards and Technology Cybersecurity Framework
 Systems and Organizational Controls (SOC)
 The US Sarbanes-Oxley Act of 2002 (SOX)
 International Organization for Standardization (ISO)/International Electrotechnical
Commission (IEC)
 EU General Data Protection Regulation (GDPR)
 Center for Internet Security (CIS) Controls
 Committee of Sponsoring Organizations of the Treadway Commission (COSO)
 Australian Government Protective Security Policy Framework (PSPF)
 Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Audit Program Development

The following aspects should be considered when developing the audit program.

 A security baseline should be identified to allow for assessing a minimum level of
protection against in-scope systems and information assets.
 A scoring methodology should be defined to allow for a systematic approach to
assessing the performance of cyber security controls. The scoring methodology will
be dependent on the audit objective and scope of the audit. The scoring methodology
should consider the following components:
o weighted scores based on the priority or importance of the security control,
such as mandatory versus desired controls;
o level of security control implementation, such as operation versus
documented; and

o strength of audit evidence to support the score, such as inquiry would result
in a lower score and reperformance would result in a higher score.
The following provides resources that could assist with defining the security baseline.
o Australian Government’s Protective Security Policy Framework 5
o Australian Government’s Information Security Manual 6
o UK Security Policy Framework 7
2.1.3 Audit Skill Requirements

The audit scope and program will determine the security knowledge and expertise required
to execute the audit program. The following factors should be considered when determining
the audit team members.

– Specialized areas and technologies being audited, such as blockchain, artificial
intelligence, encryption, and cloud-computing.
– Tools and technology used to support cyber security management within the
– Tools and technology used by the organization to manage its IT environment.
The following provides a list of areas that audit team members should have skills, expertise
and knowledge that would assist with performing an assessment of cyber security.

– Cyber and security management governance frameworks, specifically across
recognized standards, such as NIST, ISO, PSPF and the ISM.
– Cyber and security legal and regulatory environments, specifically understanding the
government’s security criteria (requirements, policies, standards and procedures).
– Cyber and information security risk management, specifically performing risk
– System design and development lifecycles, including agile approaches.
– Security operations management, specifically the management of vulnerabilities and
– Common hacking toolkits such as nmap, Metasploit and Kali.
Security expertise may be required to be included in the audit team depending on the areas
being reviewed and the type of approach to testing. The following provides a list of security
certifications that may assist with addressing the resource requirements.

4 Source:
5 Source:
6 Source:
7 Source:

Certification Description
Certified Information Systems
Security Professional (CISSP)
Experience and skills for designing, implementing, and
monitoring a cybersecurity program.
Certified Information Systems
Auditor (CISA)
Experience and skills for assessing, designing and
implementing security controls.
Certified Information Security
Manager (CISM)
Experience and skills for managing information security,
including in governance, program development, incident and
risk management.
CompTIA Security+ Experience and skills for assessing and monitoring security
management across an organization.
GIAC Security Essentials
Certification (GSEC)
Experience and skills in security operations, such as cyber
offense and defense, network security, and incident response.

2.2 Conducting

This section will define principles for conducting the following types of audits:

– Cyber security capability/maturity
– Cyber resilience maturity
– Data Privacy
– Data Protection
– Technical Configuration
2.2.1 General Audit Process

Cyber security audits can cover several areas within an organization. The execution of cyber
security audits can be modelled on the following audit process.

1. Define the security baseline
2. Define the method of scoring against the selected framework, including the audit
evidence required to support the scores
3. Define the audit procedures to support the collection of audit evidence, including
the use of cyber security tools
4. Perform audit procedures
5. Assess the audit evidence and apply a score to the areas audited
6. Assess the risks and impact associated with exceptions
The principles associated with each audit process is described in the following subsections. Define the security baseline

The security baseline will provide the basis for assessing the entities performance. The
security baseline should be based on the following:

 security frameworks and standards used by the organization to develop and manage
its security management and controls; and
 security legal and regulatory requirements that govern the organization’s business
If the organization has not defined this security baseline, then the security baseline should
can be selected using the following considerations:

 security frameworks and standards used in the organization’s industry and
 security frameworks and standards used in a similar industry and jurisdiction; or
 internationally recognized frameworks and standards.
The use of international frameworks and standards is suggested as these are likely to have
been developed by a wider community of professional associations and experts. A list of
example security frameworks and standards has been provided in Planning and designing an
audit section. Define the method of scoring against the selected framework

Similar to the security baseline, the scoring methodology should be based on the following:

 security frameworks and standards used by the organization to assess the performance
of its security controls; and
 security legal and regulatory requirements that govern the organization’s business
If the organization has not defined this security baseline, then the security baseline should be
based on the following:

 security frameworks and standards used in the organization’s industry and
 security frameworks and standards used in a similar industry and jurisdiction; or
 internationally recognized frameworks and standards.
The use of international frameworks and standards is suggested as these are likely to have
been developed by a wider community of professional associations and experts. The
following provides examples of security frameworks and standards. A list of example
security frameworks and standards has been provided in Planning and designing an audit

If the security frameworks and standards do not provide a scoring methodology, the audit
team may want to define a scoring methodology based on the selected security frameworks
and standards. The following principles may assist with defining a scoring methodology.

 Prioritization of requirement: each framework and standard requirement should be
given a priority. This can be determined by the importance of the requirement, where
mandatory (must) requirements have a greater score associated and desirable (should)
requirements have a lesser score.
 Level of implementation: scores can be allocated to the level of implementation for a
requirement or control. Example implementation levels could be based on:
documented or designed; implemented or exists; and operational. Operational levels
has a higher score than documented controls.
 Impact on identified risks: scores can be allocated based on the impact a requirement
may have on mitigating the risks. This may be necessary as the type of control may
have less impact on mitigating the identified cyber security risk/threat (i.e.,
documentation and plans may be unlikely to stop an actual malware attack as opposed
to implementing a security configuration within the required system).
The scoring methodology should include the definition of the audit evidence required to
support the assessment and score. The audit evidence should support the type of scoring
attributes used. The following provides examples of audit evidence and potential score

Audit Evidence
Example Score
Inquiry Interviews Low
Observation Walkthroughs Low/Moderate
Inspection Review security configurations Moderate/High
Reperformance Executing a system test High

The audit team may choose to apply several factors and methods that contribute to an overall
score. For example, the following calculation could be applied.

Requirement Score = (Level of Implementation) X (Prioritization) X (Impact on identified

A range of scores should be defined to allow for reporting of performance, specifically
against the baseline security requirements. This can provide an indication of the gap against
required security control implementation, capability or maturity. Define the audit procedures to support the collection of audit evidence

The audit procedures will be dependent on the areas being reviewed. The following
principles should be considered when designing audit procedures.

 Audit procedures should be based on the framework and standards. This will ensure
that the audit evidence will support the assessment against the applicable
 Audit procedures should be developed with the support from policy and operational
specialists. This will ensure that the methods used for assessing against frameworks
are likely to align to expectations of policy and operational specialists.
 Audit procedures should be aligned to the scoring methodology. If a score is based
on the specific configuration of a security control, then audit procedures need to be
developed to inspect security configurations against the required standard (e.g.,
password configurations).
 Audit procedures should consider the use of security tools, especially those within
the organization. The use of security tools could increase the effectiveness and
efficiency of audit procedures. For example, the use of a vulnerability scanning tool
may reduce the need to source security data from systems through scripts and
programs. Vulnerability scanning and Security Information and Even Management
(SIEM) tools are useful tools to incorporate into audit procedures. If the security tools
are in-house developed or highly-customized, then procedures may need to be
performed to assess the integrity of the security tool and the reports being generated.
The following provides sources of audit programs that may assist with designing audit

 NIST, Technical Guide to Information Security Testing and Assessment,
 ACSC, Cloud Assessment and Authorization – Frequently Asked Questions,
 ISACA, Auditing Cybersecurity,
 ACSC, Information Security Manual,
 ISACA, IS Audit Basics: Audit Program,
journal/issues/2017/volume-4/is-audit-basics-audit-programs Perform audit procedures

The audit procedures should be performed as planned and managed as per the relevant
auditing standards and quality management processes within the audit team’s organization.
The following principles should be considered when performing audit procedures.

 Requirements that deviate from the requirements should be supported by a risk
assessment. Organizations may choose to deviate from a security requirement based
on their specific circumstances. This deviation should at least be supported by a
robust assessment of associated risks and this should be managed through the
organization’s security governance processes. Assess the audit evidence and apply a score to the areas audited

The audit evidence should be assessed using the planned scoring methodology. The scores
may need to be adjusted depending on the type of audit being performed. For example, if the
audit is assessing compliance, then the scores could be quite strict as a deviation is seen as
non-compliance or an exception. However, a performance audit focused on assessing the
management of cyber risks may include the evidence of risk assessments as a factor into the
performance score. It is best to determine this when defining the scoring methodology. Assess the risks and impact associated with exceptions

An assessment of the risks associated with exceptions would be applicable to any audit
engagement. This assessment should reflect back to the audit objective and the information
gathered during the planning stage of the audit. Further, the auditor is required to report its
findings to those charged with governing the organization. This assessment can provide:

 insights into what risks could impact an organization to achieving business
 information to support decision making on security initiatives and projects; and
 support for adjusting the financial statement audit program to ensure appropriate
assurance is obtained.
2.2.2 Principles for specific audit areas Cyber security capability/maturity

An audit of cyber security capability/maturity should include a review across the following

 Cyber security strategy
 Cyber security risk management
 Program management and governance
 Regulatory and legal requirements
 Threat and vulnerability management
 Security incident management
 Security Monitoring

 Workforce management
 Third-party management
 Data protection
The following provides references to guidance to assist with auditing cyber security

 NIST, Cybersecurity Framework,
 Office of Cybersecurity, Energy Security, and Emergency Response, Cybersecurity
Capability Maturity Model (C2M2),
 Office of the Under Secretary of Defense, Cybersecurity Maturity Model
Certification (CMMC),
 ACSC, Essential Eight Maturity Model,
content/publications/essential-eight-maturity-model Cyber resilience maturity

An audit of cyber resilience maturity should include a review across the following areas.

 Business impact analysis
 Business continuity planning
 Disaster recovery planning
 Security incident management
 Threat and vulnerability management
 Security Monitoring
 Third-party management
 Workforce management

The following provides references to guidance to assist with auditing cyber resilience

 MITRE, Cyber Resiliency Engineering Framework,
 MITRE, Cyber Resiliency Metrics, Measures of Effectiveness, and Scoring,
metrics-measures-of-effectiveness-and-scoring.pdf Data Protection

An audit of data protection should include a review across the following areas.

 Data governance
 Regulatory and legal requirements
 Data classification
 Data security
 Data quality management
 Information records management
 Data loss prevention
The following provides references to guidance to assist with auditing data protection.

 NIST, Security and Privacy Controls for Information Systems and Organizations,
 Information Commissioner’s Office (ICO), Auditing data protection: a guide to ICO
data protection audits,
 Information Commissioner’s Office (ICO), Data Protection Impact Assessments,
 ISACA, Best Practices for Privacy Audits,
and-trends/newsletters/atisaca/2020/volume-6/best-practices-for-privacy-audits Technical Configuration

An audit of technical configurations should include a review across the following areas.

 Hardening standards
 Configuration management
 Security build and testing
 Development lifecycles
 Patch management
 Vulnerability management
The following provides references to guidance to assist with auditing the above areas.

 ACSC, Guidelines for System Hardening,
 ACSC, Hardening Linux Workstations and Servers,
 ACSC, Hardening Microsoft Windows 10 version Workstations,

 ACSC, Web Hardening Guidance,
 ACSC, Securing PowerShell in the Enterprise,
2.2.3 Considerations

This section will outline the considerations of IT risk and complexity, and integration/use in
Compliance, Performance and Financial Audits. IT Risk and Complexity

Cyber security is important for any organization and the cyber security audit should consider
the organization’s cyber security risks. A good indicator of cyber security risks is an
organization’s attack surface. The attack surface is the amount of ICT equipment and
software used by an organization. The greater the attack surface, the greater opportunities for
adversaries in finding vulnerabilities to exploit. An organization with a large attack surface
or high cyber security risk rating should have a greater level of protection measures or should
have a more sophisticated cyber security implementation. The following table provides
examples of small, medium and large organizations.

Attack Surface/Cyber Security Risk Rating
Small/Low Medium/Moderate Large/High
– <10 ICT equipment and
– IT management is managed
by business teams
– All systems are
(COTS) implementations
– No internet-facing systems
– 250 ICT equipment and
– IT management is by a
division/business unit,
with enterprise-wide IT
management processes
– Utilizes a large number
of bespoke systems or
heavily customized
COTS implementations
– Has several internet-
facing systems

The following table outlines a model that could be used to determine the extent of audit
testing required and has suggested areas of focus.

Attack Surface/Cyber Security Risk Rating
Small/Low Medium/Moderate Large/High
Extent of Testing – Inquiry and inspection
– Assess high-level security
documentation, such as
policies, procedures and
work instructions.
– Assess for: automation of
updates, backup and
recovery, multi-factor
– Inquiry, Inspection and
– Assess cyber security strategy,
risk management and
– Assess threat and vulnerability
management, security incident
management, security
monitoring and reporting.
– Inquiry, Inspection,
Observation and
– Assess cyber security
strategy, risk
management and
– Assess threat and

authentication, and cyber
security training.
– Assess assurance
mechanisms, management
reporting and self-
– Conduct interviews of
Executive Boards and Chief
Security Officers.
– Audit procedures should aim to
confirm security control
– Select a sample of internet
facing systems and devices for
– Utilize security monitoring and
management tools, such as
vulnerability scanners and
– Limited software development
management, security
incident management,
security monitoring and
reporting, workforce
management, third-party
management and data
– Audit procedures should
aim to confirm security
control implementation
and operating
– Select a sample of high
priority systems and
devices for testing.
– Perform penetration
testing procedures.
– Utilize security
monitoring and
management tools, such
as vulnerability scanners
and SIEMs.
– Large-scale software
development capability

The following is a list of sources of information that will assist with determining the attack
surface and/or cyber security risk rating.

– Hardware and software asset registers
– Architecture and Network diagrams
– Organizational Structure Diagrams
– Access Control Listings, specifically privileged users with access to administrative
functions on networks, databases and applications Multi-organization Audits

The auditor may need to adjust the approach when auditing of multiple organizations. The
guidance provided is focused on performing an audit of an organization or can be scaled to
include a small number of organizations. The auditor may want to consider the use of surveys,
questionnaires, or self-reporting to support gathering of audit evidence. The following should
be considered when taking this approach.

Survey and questionnaire design should focus on obtaining sufficient and appropriate
evidence to support the assessment against the scoring methodology and audit criteria. The
design should provide details on evidence requirements, especially for supporting the
responses provided by organizations. For example, an organization who states that they have
met regulatory requirements for implementing patch management standards needs to provide
evidence supporting its response. The auditor should provide examples of evidence to assist
the accuracy of survey responses.

2.2.4 Penetration Testing

Penetration testing is an approach that can provide information on the performance of
security controls. The following are some advantages and disadvantages of using penetration
testing to support audit activities. Advantages

 Penetration tests can provide direct evidence of controls operating effectively. It may
provide greater evidence of the impact of control weaknesses as opposed to
highlighting the potential for an incident occurring.
 Penetration tests can be more efficient as some tests can be automated. Disadvantages

 Limiting the scope of penetration testing reduces the attack surface and reduces the
likelihood of identifying gaps in cyber security strategies. Conversely, allowing
greater scope may not directly test the performance of a control, however, it would
provide insights into broader problems within the security architecture.
 Poorly designed penetration tests and processes may result in creating security
vulnerabilities or be used by adversaries to disguise malicious activities. It is
important for audit teams to ensure that vulnerabilities identified and/or created
during and after penetration testing are appropriately managed and rectified. The
audit team needs to restore the organization’s systems back to its original state.
 Auditors need to have the necessary skills and expertise to perform penetration
testing, such as use of tools and restoration of systems.
2.3 Reporting

The audit team will review the audit evidence in order to reach a conclusion or issue an
opinion. The audit should evaluate whether the audit evidence obtained is sufficient and
appropriate so as the audit risk to an acceptably low level. The evaluation should consider
evidence to determine if it supports or contradicts the conclusions, audit report or audit
opinion. The following are principles to consider when reporting cyber security audit results.

2.3.1 Principles

For audit reports that will be published to the public, the following should be considered.

 Information included in the report should be reviewed to determine whether it
increases the cyber security risks to the organization and/or nation. This assessment
is important as information provided, which typically is not available in the public

forum, can assist adversaries in accelerating a cyber-attack. The auditor should
engage the policy and operational cyber security specialists to discuss the associated
risks. The following are strategies for reducing the risks associated.
o Information that is not publicly available should not be included in the
o Names of systems, tools, staff and teams should be removed if possible.
o Security information such as security monitoring processes, security
configurations, and vulnerabilities should not be included in the report, and
more importantly, connected to systems or organizations.
 The materiality of the information can be used to exclude information from the report.
If security related information, such as vulnerabilities, can be excluded without
affecting the conclusions then that information should be removed. The auditor will
need to balance accountability and transparency against security risks.
 The auditor can aim to aggregate and generalize security information to reduce the
risks of security controls being attributed to specific systems.

3. Auditing National Cybersecurity and Data

To develop national cybersecurity and data protection audits, this document provides relevant
information and reference on the following themes:

 National Cybersecurity Strategy and Governance

 Cybersecurity evaluation to critical processes and resources

 National Agencies / government entities Cybersecurity Assessment

3.1 National Cybersecurity Strategy and Governance

3.1.1 Cybersecurity and data protection legislation

According to the established in the North Atlantic Treaty Organization Cooperative Cyber
Defense Centre of Excellence (NATO CCD COE), cybersecurity in a country could be
understood as the following:

Conceptualizing National Cybersecurity

Any overall strategy that seeks to address National Cyber Security (NCS) will most likely
need to orientate itself according to various parameters: what is the purpose of the strategy?
who is the intended audience? These are standard questions for any national security strategy
and are independent of the cyber security domain. But what is inherent to the cyber security
topic are more specific questions: firstly, where is the strategy directed at, what is its actual
purpose, who are the stakeholders? Secondly, how is the cyber security domain segmented,
and how are the different interpretations of NCS understood? And thirdly, how does this all
relate to the wider well-being of the nation?

For these last three questions The NATO Cooperative Cyber Defense Centre of Excellence
suggests three conceptual tools to help focus strategic deliberations: respectively, they are
termed the ‘three dimensions’, the ‘five mandates’, and the ‘five dilemmas’ of national cyber
security. Together they provide for a comprehensive view of the topic. Not all NCSS will
want to provide equal weight to the different aspects of national cyber security described in
their Manual. Therefore, these tools are intended to provide an overview of what aspects can
be considered, rather than a checklist of what should be taken into account. (of what should
be done.)

The Three Dimensions: Governmental, National, and International

Any approach to a NCS strategy needs to consider the ‘three dimensions’ of activity: the
governmental, the national (or societal) social and the international.

The Five Mandates of National Cyber Security

Within the general context of discussing national cyber security, it is important to keep in
mind that this is not one single subject area. Rather, it is possible to split the issue of NCS
into five distinct perspectives or ‘mandates’, each of which could be addressed by different
government departments. This split is not an ideal state, but it is a reality due to the
complexity and depth of cyber security as a whole: Military Cyber, Counter Cyber Crime,
Intelligence and Counter-Intelligence, Critical Infrastructure Protection and National Crisis
Management and Cyber Diplomacy’ and Internet Governance:

The Five Dilemmas of National Cybersecurity

National cyber security is a tool to reach a desired state of affairs (desired situation, not an
end). Most nations define a strategic goal of a safe and secure environment within which they
can achieve full economic potential and protect citizens from various cyber and non-cyber
related risks, both domestic and foreign. To achieve this, NCS must deal with its own,
overarching set of ‘national cyber security dilemmas’. In international relations theory, the

traditional ‘security dilemma’ states that both a country’s security strength and its weakness
can create unfavorable reactions in their adversaries. The NCS Dilemmas are, however,
different: both a strong and a weak NCS posture can have economic and social costs:

1. Stimulate the Economy vs. Improve National Security.
2. Infrastructure Modernization vs. Critical Infrastructure Protection.
3. Private Sector vs. Public Sector.
4. Data Protection vs. Information Sharing.
5. Freedom of Expression vs. Political Stability.

For more information:

Document Link
National Cyber Security Framework
An evaluation framework for Cyber
Security Strategies
A National Cybersecurity Strategy

3.1.2 Regulations by country

Country Legislation, Best Practices and Certifications in Cybersecurity
n Union
in the
Directive NIS
The main standard approved by the EU on cybersecurity is Directive
2016/1148 of security of networks and information systems (NIS
Cybersecurity law (EU Cybersecurity Act)
This Cybersecurity law was approved by the EU in March 2019. It aims to
renew and strengthen the EU Cybersecurity Agency (ENISA) and establish
a cybersecurity certification framework throughout the EU for products,
services, and processes.
The EU General Data Protection Regulation (GDPR) is a regulatory
framework for data protection and privacy that came into force on May 25,
Digital Operational Resilience Act (DORA)
DORA, as an EU regulation, it aims to establish a comprehensive and cross-
sector digital operational resilience framework with rules for all regulated
financial institutions.
It is an important step in creating a harmonized regulatory framework for
the operational resilience of financial services in EU law. For the first time,
it will bring together the rules that address the risk of ICT in finance in a
piece of legislation.
The rules are intended to cover a wide range of financial services entities
and the requirements are applied proportionately based on the size and
business profile of the business.


Country Legislation, Best Practices and Certifications in Cybersecurity
Federal Laws Cyber Security Information Exchange Act (CISA)
Its goal is to improve cybersecurity in the United States through the
enhanced sharing of cybersecurity threat information and for other
The law allows the exchange of Internet traffic information between
the US government and technology and manufacturing companies.
The bill was introduced in the United States Senate on July 10, 2014
and was approved October 27, 2015.
Cybersecurity Enhancement Act of 2014
This law was signed into law on December 18, 2014. It provides an
ongoing, voluntary public-private partnership to improve
cybersecurity and strengthen cybersecurity research and development,
workforce development, and education and public awareness and the
Federal Exchange Data Breach Notification Act of 2015
This law requires a health insurance exchange to notify everyone
whose personal information is known to have been obtained or
accessed because of a breach of the security of any system.
Notification must be made as soon as possible but no later than 60 days
after discovery of the violation.
National Cybersecurity Breakthrough Protection Act of 2015
This act amends the Homeland Security Act of 2002 to allow the
Department of Homeland Security Communications Integration
Center (NCCIC) to include tribal governments, information sharing,
and analysis centers, and private entities among its non-federal
Spain Code of
Law in Spain
In Spain there is a Code of the Cybersecurity Law, published in the
Official State Gazette (BOE), which establishes the main rules to be
considered in terms of cyberspace protection and to guarantee the
China Legislations Chinese Cyber Security Law
It requires network operators to store selected data within China and
allows Chinese authorities to conduct random checks on a company’s
network operations.
Beijing claims the law is intended to bring China in line with global
best practices for cybersecurity.
Russia Cybersecurity
Federal Law N ° 187-FZ on the security of critical information
infrastructure of the Russian Federation
The law, approved in July 2017, establishes the basic principles for
ensuring the security of critical information infrastructure, the related
powers of Russian state bodies, as well as the rights, obligations and
responsibilities of people who own facilities with information
critical information, communication providers and information
systems that provide interaction.
The law requires the implementation of protection measures, assigning
the category of protection (according to the statutes) and then
registering with the Federal Service for Technical and Export Control,
which will oversee supervision in this field.
Federal Law Nº 152-FZ about personal data
The Personal Data Law, passed in July 2006, covers almost all aspects
of data protection.
Unlike European legislation, the Personal Data Law does not
distinguish between data controllers and data processors.
Therefore, any person or entity that works with personal data is
considered an operator of personal data and is governed by the
regulation of the Personal Data Law.

Country Legislation, Best Practices and Certifications in Cybersecurity
Federal Law No. 149-FZ on Information, Information
Technologies, and Information Protection (the Information Law)
This law has been substantially strengthened with some additional
amendments and affects the Russian Internet and telecommunications
Mobile operators will need to store the recordings of all phone calls
and the content of all text messages for a period of six months, which
carries huge costs.

Country Legislation, Best Practices and Certifications in Cybersecurity
New York Cybersecurity Laws
This regulation is designed to promote the protection of customer
information, as well as the information technology systems of
regulated entities.
This regulation requires each company to assess its specific risk profile
and design a program that robustly addresses its risks.
California Consumer Privacy Act
The California Consumer Privacy Act, or CCPA, is a state-level law
that requires, among other things, that companies notify users of the
intent to monetize their data and provide them with a direct means to
opt out of such monetization

3.2 Cybersecurity strategy and program evaluation

Organizational measures examine the governance and coordination mechanisms within
countries that address cybersecurity. Organizational measures include ensuring that
cybersecurity is sustained at the highest level of the executive and assigning relevant roles
and responsibilities to various national entities and making them accountable for the national
cybersecurity posture.

The presence of organizational measures is not always found in countries with strong
telecommunication infrastructure. Comparing the UN E-Government Survey 2020 Digital
Government in the Decade of Action for Sustainable Development Telecommunications
Infrastructure Index, part of the e-Government Readiness Index, against overall scores in
organizational measures, shows that while there is a weak trend, there are many countries
that currently do well in telecommunications infrastructure measures, but do not have the
organizational measures in place to address cybersecurity issues.

The lack of adequate organizational measures can contribute to a lack of clear responsibilities
and accountability in the national cybersecurity governance, and it can prevent effective
intragovernmental and inter-sector coordination.

Importance of Up-To-Date National Cybersecurity Strategies

A national cybersecurity strategy (NCS) is often the key cornerstone of organizational
measures at national cybersecurity level. According to the ITU Guide to developing a

national cybersecurity strategy, an NCS is a comprehensive framework or strategy which
must be developed, implemented, and executed in a multi-stakeholder approach, that tackles
coordinated action for prevention, preparation, response, and incident recovery on the part of
government authorities, the private sector and civil society.

More and more countries are developing national cybersecurity strategies (NCS) to manage
cybersecurity in a more structured way. An NCS can confer several benefits, including
countries convening relevant stakeholders, clarifying national priorities, and planning
cybersecurity capacity development.

National Cybersecurity Maturity Evaluation Models

Overview of analyzed maturity models

Model Name Institution Source Purpose Target Nb of
Nb of
attributes Assessment Method Results
Representation Link
Capacity Maturity
Model for Nations
Global Cybersecurity
Capacity Centre
University of Oxford
Increase the scale and
effectiveness of cybersecurity
Countries 5
Collaboration with local
organization to fine-tune
the model before
applying it to the
national context
2016 Cybersecurity
2020 Cybersecurity
The Global
Cybersecurity Index
Union (ITU)
To review the cybersecurity
commitment and situation and
help countries identify areas
for improvement in the field of
Countries N/A 5
pillars Self-assessment Ranking table
Global Cybersecurity
Index (GCI) 2018:
Global Cybersecurity
Index (GCI) 2020:
The European Union
Agency for
The framework aims at
providing Member States with
a self-assessment of their level
of maturity by assessing their
NCSS objectives, that will
help them enhance and build
Member States 5 4
clusters Self-assessment Ranking table
National Capabilities

Overview of analyzed maturity models

Model Name Institution Source Purpose Target Nb of
Nb of
attributes Assessment Method Results
Representation Link
cybersecurity capabilities both
at strategic and at operational

Comparison of Attributes/ Dimensions

Cybersecurity Capacity Maturity Model for
The Global Cybersecurity Index
National Capabilities Assessment Framework
Five dimensions divided into several factors
themselves including multiple aspects and indicators
(Figure 4)
Five pillars including several indicators The National Capabilities Assessment Framework covers 17
strategic objectives and is structured around four main clusters.
i. Devising cybersecurity policy and strategy;
ii. Encouraging responsible cybersecurity culture
within society.
iii. Developing cybersecurity knowledge;
iv. Creating effective legal and regulatory
frameworks; and
v. Controlling risks through standards, organizations,
and technologies.
i. Legal;
ii. Technical;
iii. Organizational;
iv. Capacity-building;
v. Cooperation.
i. Cybersecurity governance and standards
 Develop a national cyber contingency plan
 Establish baseline security measures
 Secure digital identity and build trust in digital public
ii. Capacity-building and awareness
 Organize cyber security exercises
 Establish an incident response capability
 Raise user awareness
 Strengthen training and educational programs
 Foster R&D
 Provide incentives for the private sector to invest in security
 Improve the cybersecurity of the supply chain
iii. Legal and regulatory
 Protect critical information infrastructure, OES, and DSP
 Address cyber crime
 Establish incident reporting mechanisms
 Reinforce privacy and data protection
iv. Cooperation
 Establish a public-private partnership
 Institutionalize cooperation between public agencies

Comparison of Attributes/ Dimensions

Cybersecurity Capacity Maturity Model for
The Global Cybersecurity Index
National Capabilities Assessment Framework
 Engage in international cooperation

Page 31 of 86

3.3 Cybersecurity and data protection governance and oversight

Organization Country Document Link
United States
Office (GAO)
United States
Cybersecurity Clarity of Leadership
Urgently Needed to Fully Implement the
National Strategy

The GAO reviewed the contents of the National Cyber Strategy and its associated
Implementation Plan dated June 2019. They obtained the Implementation Plan’s contents
through observation at NSC’s request to not submit a copy of the plan. From the observation,
they transcribed, among other things, each activity’s title and the lead and supporting federal
agencies. They also transcribed sections from each element containing data related to the
desirable characteristics of a national strategy developed from our prior GAO work, such as
new resources and authorities, goals and timelines, and tier designation. They did not
transcribe all the information contained within the Implementation Plan.

They then evaluated the National Cyber Strategy and the transcribed elements of the
Implementation Plan to determine whether they collectively possessed the desirable
characteristics of a national strategy developed from their prior work by identifying possible
indicative statements in the documents.


Characteristic Definition Required Information Analysis
Purpose, scope, and
Addresses why the strategy was
produced, the scope of its coverage, and
the process by which it was developed.
Applicable policies, strategies, and
laws to confirm the key federal entities
with roles and responsibilities in
supporting the nation’s cybersecurity.
 “This plan was created
 “Purpose” statement
 Executive summary
Problem definition and
risk assessment
Addresses the national problems and
threats the strategy is directed towards
and entails a risk assessment that
includes an analysis of threats to, and
vulnerabilities of, critical assets and
A risk assessment that includes an
analysis of threats to, and
vulnerabilities of, critical assets and
 Risk assessment,
including an analysis of
threats and vulnerabilities
 Issue areas
Goals, subordinate
objectives, activities,
and performance
Addresses what the strategy is trying to
achieve, steps to achieve those results,
as well as the priorities, milestones, and
performance measures to gauge results.
Priorities, milestones, and performance
measures to gauge results.
 Milestones for achieving
 Performance measures for
tracking progress
 Reporting requirements
 Life cycle/time frames
 Standards
investments, and risk
Addresses what the strategy will cost,
the sources and types of resources and
investments needed, and where
resources and investments should be
targeted based on balancing risk
reductions with costs.
Cost analysis.
Specific risks assessment.

 Analysis of the cost of
planned activities
 Estimates of how activities
will be funded in the future
 Source and type of
resources needed to carry

Page 32 of 86

Characteristic Definition Required Information Analysis
out the goals and
 Assessment of the specific
risks and resources needed
to mitigate them
Organizational roles,
responsibilities, and
Addresses who will be implementing
the strategy, what their roles will be
compared to others, and mechanisms
for them to coordinate their efforts.
Relevant federal officials’ interviews to
confirm the key federal entities.
Cybersecurity-related roles and
responsibilities for each
federal entity.
 Delegation of
 Oversight responsibilities
 Clarity for individual
agencies’ response options
to specific incidents
 Coordination groups
 “XX is responsible for…”/
“XX shall…”
 “XX will do ___ by
Integration and
Addresses how a national strategy
relates to other strategies’ goals,
objectives, and activities, and to
subordinate levels of government and
their plans to implement the strategy.
Applicable policies, strategies, and
 How strategy is linked to
or superseded other
documents and strategies
 Describe progress made
since previous strategy or
 Why activities in this plan
are prioritized differently
than in other plans
 Crosswalk(s)

They conducted this performance audit from November 2018 to September 2020 in
accordance with generally accepted government auditing standards. Those standards require
that they plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for their findings and conclusions based on our audit objectives. They
believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

Cybersecurity evaluation to critical processes and resources

Techniques assess and perform risk analysis for critical infrastructure and National
Resiliency / Disaster Recovery with reference to SAI audits of critical processes and

Critical Infrastructures

Due that one important activity in the development of a National Cybersecurity Strategy
(NCS) is to identify and classify Critical National Infrastructure (CNI) and Critical
Information Infrastructure.

Page 33 of 86

Nevertheless, nowadays there is no standard methodology to help nations address this
foundational identification task, for that reason we present some examples and guidelines
that are used in auditing of critical national infrastructure.

3.4 Critical National Infrastructures (CNI)

This term describes broadly physical and virtual infrastructure that supports virtual nation
functions as well as national goals and aspirations, so the incapacity or destruction of such
systems and assets would have a debilitating impact on the nation’s security , economic
stability, public health or safety, or any combination of these factors .

3.5 Critical Information Infrastructures (CII)

It is an important component of Critical National Infrastructure, especially to the extent
different national functions rely on information and communications technology (ICT) for
their operation.}

3.6 Common Factors to Consider while Preparing for
Conducting CNI/CII Assessments.

As it has been shown among different countries, identifying CNI/CII is fundamentally a
matter of classifying the risk exposure that information and communications technologies
introduce to assets and functions that are important to national goals, objectives, and
aspirations. The key to determinate risk is designing an effective formal, inclusive, and
rigorous governance structure and process to enumerate, define, and validate important cyber
risk exposures, in particular developing a consensus on the potential harms of critical
infrastructure disruptions to security the economy and citizens.

Most conventional approaches for dealing with cyber risks are focused on cyber-threats,
attack types and vectors rather than on impact (e.g., economic, national security, societal)
caused by cyber means. Nowadays, attempts to identify and measure the harm caused by
inadequate cybersecurity of critical infrastructures have used various means to express the
severity of the attack. However, a threat-based approach too often encompasses a linear,
cause-and-effect analysis of cyber threats. Therefore, a more holistic approach to assessing
the effect of cyber threats and attacks requires the inclusion of the concept of cyber harm,
which describes the negative impact upon an entity, whether individual, organizational, or

Page 34 of 86

Thus, based on the analysis of the different SAI’s audit reports the most important principles
for effectively formalizing and assess a CNI/CII includes:

 To Identify if there is a mandate or policy from national leadership.

 Technical and policy competence and clear and transparent policy development

 Leveraging existing laws and organizations and public-private relationships to
facilitate critical infrastructure identification.

 Developing consensus on CNI/CII identification criteria and policies that are created
by active participation of all partners in whatever mechanisms nations use.

 Considerations of the degree of national harm created by elements of risk – threat,
vulnerability, likelihood, and predictability as well as the potential cascading
consequences of prolonged disruptions.

 Used of international frameworks or standards to assess CNI/CII.

 Assess risks using the method of benchmark, in order to identify certain risk
assessment policy and methodological approaches that other countries have used
successfully, these is focused on nations that have similar national goals and

3.7 CNI / CII Policy Guidance

Based on the foregoing, national strategies may integrate or update existing CNI/CII policy
guidance, legal frameworks, or national programs that address critical infrastructure. When
developing policies and strategies to identify CNI / CII, policymakers may consider the
following perspective.

 Transactional Perspective:

The policymakers should understand related international policies, norms, and best
practices. They also should explore the CNI/CII identification approaches of other
nations to better situate and contextualize the effects of relevant practices, additionally,

Page 35 of 86

they should understand the implications of CNI/CII across sectors and borders
considering dependences and interdependencies.

 Societal Perspective:

A key part is to address the potential societal harms associated with the disruption of
essential functions supported by critical infrastructure (e.g., healthcare, financial services,
food supply). Thinking in terms of how critical service disruptions could impact citizen
may uncover perspectives on risks associated with services that have not traditionally
been prioritized.

Categories for CNI/CII strategies

This document contains a compilation of the audits carried out by different Supreme Audit
Institutions (SAI’s), among which they were classified into three main types as General
Auditing of Critical National Infrastructure, Semi-Specific Auditing of Critical National
Infrastructure and Specific Auditing of Critical National Infrastructure by Sectors, which are
defined as follows:

 General CNI/CII audit with generic procedures, except for Canada, which has a
specialized guideline for critical infrastructures.

 Semi-Specific CNI/CII audit with general guidelines.

 Specific CNI/CII audit with specialized guidelines for critical infrastructures.

3.8 General Auditing of Critical National Infrastructure

As it’s mentioned, nations may apply different frames of references as they work to identify
CNI/CII. Many of them, initially oriented CNI/CII efforts around discrete sectors such as the
financial service, energy, or transportation sectors, to identify and address critical ICT assets.
This approach has been modified over time to focus more on identifying critical national
functions which is intended to facilitate cross-sector views of risk vs. within single sectors
and helps account for the possibilities of cascading effects when critical assets are disrupted.
And that is why, many countries perform a general audit of Critical National Infrastructure,
focused on the impact of cybersecurity attacks in the society.

Therefore, we present the use cases based on different SAIs reports, that perform a general
audit of critical infrastructure, to encourage cybersecurity audits to create an applicable and

Page 36 of 86

locally adoptable guides that helps countries to develop and implement processes for CNI/CII
identification, as follows:

3.8.1 Canada

The goal of the National Strategy for Critical Infrastructure is to build a safer, more secure
and more resilient Canada. To this end, the National Strategy advances more coherent and
complementary actions among federal, provincial, and territorial initiatives and among the
ten critical infrastructures sectors listed below:

 Energy and utilities
 Information and communication technology
 Finance
 Health
 Food
 Water
 Transportation
 Safety
 Government
 Manufacturing

The National Strategy supports the principle that critical infrastructure roles and activities
should be carried out in a responsible manner at all levels of society in Canada.
Responsibilities for critical infrastructure in Canada are shared by federal, provincial, and
territorial governments, local authorities and critical infrastructure owners and operators –
who bear the primary responsibility for protecting their assets and services.
The National Strategy is based on the recognition that enhancing the resiliency of critical
infrastructure can be achieved through the appropriate combination of security measures to
address intentional and accidental incidents, business continuity practices to deal with
disruptions and ensure the continuation of essential services, and emergency management
planning to ensure adequate response procedures are in place to deal with unforeseen
disruptions and natural disasters.


The purpose of the National Strategy for Critical Infrastructure (the Strategy) is to strengthen
the resiliency of critical infrastructure in Canada. The Strategy works toward this goal by
setting the direction for enhancing the resiliency of critical infrastructure against current and
emerging hazards.

Page 37 of 86

Scope and Methodology

To be effective, the National Strategy must be implemented in partnership among all levels
of government and critical infrastructure sectors. Critical infrastructure owners and operators
have the expertise and information that governments need to develop comprehensive
emergency management plans. In turn, governments will share relevant information in a
timely manner, respecting existing federal, provincial, and territorial legislation and policies,
to help owners and operators assess risk and identify best practices. This partnership
approach recognizes that more resilient critical infrastructure helps foster an environment
that stimulates economic growth, attracts, and retains business, and creates employment
opportunities. Governments bring value to the partnership through activities such as:
 providing owners and operators with timely, accurate, and useful information on risks
and threats;
 ensuring industry is engaged as early as possible in the development of risk
management activities and emergency management plans; and
 working with industry to develop and prioritize key activities for each sector.
The National Strategy for Critical Infrastructure represents the first milestone in the road
ahead. It identifies a clear set of goals and objectives and outlines the guiding principles that
will underpin our efforts to strengthen the resiliency of critical infrastructure. The National
Strategy establishes a framework for cooperation in which governments and owners and
operators can work together to prevent, mitigate, prepare for, respond to, and recover from
disruptions of critical infrastructure and thereby safeguard the foundations of our country and
way of life.

Frameworks and Guides

 An Emergency Management Framework for Canada
 National Cross Sector Forum 2021-2023 Action Plan for Critical Infrastructure
 National Cyber Security Strategy


Federal, provincial, and territorial governments will work together to monitor the
implementation of the Strategy and support the assessment of programs and activities

Page 38 of 86

targeted at enhancing the resiliency of critical infrastructure in Canada. It is expected that the
collaborative approach established in the Strategy will remain evergreen and strengthen
coherency of action among all levels of government and critical infrastructure sectors.
The Strategy is to be read in conjunction with the Action Plan for Critical Infrastructure,
which will be reviewed three years after launch and every five years thereafter.
3.8.2 Turkey

With the 2016-2019 National e-Government Strategy and Action Plan, the Turkish Court of
Accounts (TCA) bears responsibility for “Ensuring the Efficiency of Audit for e-Government
Projects in Public Sector”. In this context, the TCA has created an audit model for e-
Government projects and critical infrastructures, prepared a draft audit guideline concordant
with the model and carried out a pilot audit on GocNet e-Government Project, which is
executed by Ministry of Interior, Directorate General of Migration Management.


The objective of the audit is based on the following:
 Examination and evaluation of IT controls, which are set to ensure confidentiality,
integrity, availability, reliability, efficiency, effectiveness, and compliance to
legislation of the project itself and the IT environment in which it is executed.

 Contributing to the Institution by identifying the problems that may prevent the
successful completion of the project and by providing recommendations for taking
the necessary precautions.

 Providing information about the project to its stakeholders through reporting.

Scope and Methodology

In the audit, the methodology determined in the e-Government Projects Audit Guideline
(Draft) was followed. The Guide has been prepared based on COBIT (Control Objectives for
Information and Related Technologies), ITAF (Information Technology Assurance
Framework), PMBOK (Project Management Body of Knowledge).

In this context, the following risk-based audit approach was followed:
1. Identifying the risks related to the Project itself and the IT environment where it is
2. Determination of the controls that can minimize these risks,
3. Examination of whether these controls are established by the Institution, and if so,
whether they are functioning effectively,
4. Evaluation of the control weaknesses identified,
5. Reporting of material control weaknesses to the stakeholders.

Page 39 of 86

Besides the project and the application, itself, the corporate IT environment, and
infrastructure (servers, network, databases) and the web (and mobile) structures where the
application was put into service have been subject to audit and specific audit tests.
The audit team has determined the modules to be tested according to the following (:)criteria:
 Materiality (The impact of the application on the activities of the Institution and —
financial statements, etc.),
 Criticality (Integrity, confidentiality, and availability of corporate information, etc.),
 Complexity (Number of users, transaction volume, etc.),
 Technological Infrastructure (Operating system, software development environment,
database, etc.),
 Control Environment (Support personnel, documentation, errors, etc.),
 Audit Resources (Time and human resources constraints, etc.).

Frameworks and Guides

GocNet e-Government Project Information Systems Audit
Control Objectives for Information and Related Technologies (COBIT)

Project Management Body of Knowledge (PMBOK)


As a result of the audit, detected control weaknesses have been negotiated with the audited
Institution and explained in the Report in such way to include the relevant control area, the
associated audit criteria, the level of risk, the relevant legislation and/or standards, the
possible effects, actions taken by the auditee and the recommendations thereof.

A follow-up audit will be planned and conducted separately.

3.8.3 Korea

Due to the rapid development of Information Communication Technology (ICT), the
dependency on information communication in both the private and public sectors have been

Page 40 of 86

However, instances of cyber terror, such as the paralysis of Nonghyup computer networks
(April 2011) and EBS personal information leakage of near 4 million users (May 2012)
continuously occur, proving that the security of the nation and society are at threat. Based on
the foregoing it is necessary to implement conduct audits in ICT systems including critical


The Board of Audit and Inspection of Korea (BAI) inspected the overall conditions of cyber
safety management of the Ministry of Security and Public Administration (MOSPA) and 35
other organizations, to relieve the societal anxiety and concern derived from cases of
information leakage and cyber terror.

Scope and Methodology

The methodology determined by the group was into two steps.

 Personal Information Protection and Management
One of the significant roles of the MOSPA is to supervise and guide the local autonomous
entities that implement tasks, which also includes the task of the resident registration search.
Regulations state that personal information can only be used within the range of what is
necessary .

 Establishment of Infrastructure for Information Protection
The MOSPA had developed the Disaster Recovery System (DRS) measure against system
breakdowns resulting from natural disaster or acts of cyber terror.
Nevertheless, the MOSPA has not been checking on its regular operations, nor been
performing simulation training, as prescribed by regulation, Military Manpower
Administration’s (MMA) DRS in 2010.

Frameworks and Guides

Audit on Information Security and Cyber Security Management in Public Organizations
IT Application and Improvement focusing on the Government Information Systems Conclusions

Page 41 of 86

The BAI recommended the MOSPA to regularly monitor the implementation of tasks of the
local autonomous entities regarding resident registration and personal information.
According to the BAI, the government officials responsible for perusing resident registration
information for personal use are ordered to receive disciplinary action. Additionally, the
malfunctions detected in the MMA’s DRS should be analyzed and compensated for.
Finally, the BAI has notified six organizations, including the Korean Local Information
Research and Development Institute (KLID), to regularly monitor PCs and to meticulously
secure the management of equipment and labor provided to service companies.

3.8.4 Australia

In June 2014, ANAO Audit Report No. 50 2013–14, Cyber Attacks: 1. Securing Agencies
ICT Systems was tabled in Parliament. The report examined seven Australian Government
entities implementation of the mandatory strategies in the Australian Government
Information Security Manual (Top Four mitigation strategies). The Top Four mitigation
strategies are: application whitelisting, patching applications, patching operating systems and
minimizing administrative privileges.
The audit found that none of the seven entities were compliant with the Top Four mitigation
strategies and none were expected to achieve compliance by the Australian Government’s
target date of 30 June 2014.
In this context, the seven entities were: Australian Bureau of Statistics, Australian Customs
and Border Protection Service, Australian Financial Security Authority, Australian Taxation
Office, Department of Foreign Affairs and Trade, Department of Human Services, and IP


The objective for this audit was to assess whether the Australian Taxation Office, the
Department of Human Services, and the Department of Immigration and Border Protection
are compliant with the Top Four mitigation strategies in the Australian Government
Information Security Manual.

To form a conclusion against the audit objective, the ANAO adopted the following high-
level assessment criteria:

 Do the entities comply with the Top Four mitigation strategies; and
 Are entities cyber resilient?

Page 42 of 86

Scope and Methodology

This audit is a follow-up audit of the ANAO Performance Audit Report No. 50 2013–14 that
was table in June 2014.

The audit objective was to assess whether three of the seven entities assessed in the first audit
had achieved compliance with the Top Four mitigation strategies. The three entities were:

 Australian Taxation Office,
 Department of Human Services; and
 Department of Immigration and Border Protection.
These three major Australian Government entities are significant users of technology:
 The Department of Human Services relies on its ICT systems to process $172 billion
in payments annually;

 Through its electronic lodgment systems, the Australian Taxation Office collects over
$440 billion tax revenue per year; and

 The Department of Immigration and Border Protection electronically processes
around seven million visas annually and inspects and examines over two million air
and sea cargo imports and exports.

All three entities collect, store, and use data, including national security data and personally
identifiable information that can be used to identify, contact, or locate an individual such as
date of birth, bank account details, driver’s license number, tax file number and biometric

The ANAO reviewed records and interviewed relevant personnel from each entity and
conducted assessment and tests of controls that underpin the compliance of the Top Four
mitigation strategies for each entity.

Frameworks and Guides

 Protective Security Policy Framework
 AGD’s PSPF, Security planning and risk management policy,
 ISO 31000:2018, Risk management – Guidelines

Page 43 of 86


Recommendation 1.

The ANAO recommends that entities periodically assess their cybersecurity activities to
provide assurance that: they are accurately aligned with the outcomes of the Top Four
mitigation strategies and entities’ own ICT security objectives; and that they can report on
them accurately. This applies regardless of whether cybersecurity activities are insourced or

 Department of Human Services’ response: Agreed.
 Australian Taxation Office’s response: Agreed.
 Department of Immigration and Border Protection’s response: Agreed.

Recommendation 2.

The ANAO recommends that entities improve their governance arrangements, by:

a) asserting cybersecurity as a priority within the context of their entity-wide strategic

b) ensuring appropriate executive oversight of cybersecurity;

c) implementing a collective approach to cybersecurity risk management; and

d) conducting regular reviews and assessments of their governance arrangements to
ensure its effectiveness.

3.8.5 Brazil


Review the level of awareness and knowledge through the application of surveys and audits,
it’s recommended that the user has a technical profile and ideally, be the manager or be
assigned to a unit responsible for managing the organization’s information technology (IT)
security. As a guideline, it is clarified that the criteria used to support the preparation of this
questionnaire were freely adapted from the professional judgment of the TCU team of
auditors on version 8 of the framework developed by the Center for Internet Security (CIS).
The questionnaire will address four of the eighteen critical cyber controls listed in this version
as followed:

Page 44 of 86

 Inventory and Control of Enterprise Assets

 Inventory and Control of Software Assets

 Continues Vulnerability Management

 Security Awareness and Skills Training

Scope and Methodology

The audit was conducted by the Federal Audit Court, especially at the Information
Technology Infrastructure Secretariat (SETIC), which takes care of IT infrastructure,
customer service and process and project management. The study involved document
analysis, interviews, and researcher observations.
The documental analysis covered the court’s regulations and publications, as well as the
report of an organizational climate survey conducted in 2012. Organizational climate refers
to people’s perception of the work environment. The report provided an overview of the
organizational culture of the IT area of this court but did not identify facilitators and obstacles
to IT governance.

Frameworks and Guides

 CIS Critical Security Controls, version 8.
 ABNT NBR ISO/lEC 20000-22008,
 ABNT NBR ISO/lEC 27002:2013
 Information Technology Infrastructure Library (ITIL) v3
 GSI/PR 3/2021, Chapter 11 (Mapping of information assets)
 Standard 8/IN01/DSIC/GSIPR (Guidelines for managing incidents in computer
networks – TIR management – in the bodies and entities of the Federal Public
Administration (APF)
 Risk Management Manual of the Federal Court of Auditors (TCU, 2018)


It is expected that the researched agencies use the assessment results to boost their risks management
strengthening process. Among the benefits that organizations may acquire, the following stand out:
greater possibility of achieving their goals; improvement of operational effectiveness and efficacy;
governance improvement; greater confidence of the organization´s stakeholders; optimization on loss
and incident management prevention; better information for planning and decision-making process;
complying with the applicable legal and regulatory requirements.

Page 45 of 86

3.9 Semi-Specific Auditing of Critical National Infrastructure
We identified that United Kingdom conducts its critical infrastructure audits specifically,
with general guidelines to examine CNI and CII identification and mitigation programs, as
shown below:

3.9.1 United Kingdom

The future of the UK’s security and prosperity rests on digital foundations. The challenge of
our generation is to build a flourishing digital society that is both resilient to cyber threats
and equipped with the knowledge and capabilities required to maximize opportunities and
manage risks.
We are critically dependent on the Internet. However, it is inherently insecure and there will
always be attempts to exploit weaknesses to launch cyber-attacks. This threat cannot be
eliminated completely, but the risk can be greatly reduced to a level that allows society to
continue to prosper, and benefit from the huge opportunities that digital technology brings.

Our strategy refers to the protection of information systems (hardware, software, and
associated infrastructure), the data on them, and the services they provide, from unauthorized
access, harm, or misuse. This includes harm caused intentionally by the operator of the
system, or accidentally, as a result of failing to follow security procedures .


The objective is intended to shape and assurance the Government’s policy, while also
offering a coherent and compelling vision to share with the public and private sector, civil
society, academia, and the wider population

Scope and Methodology

The audit considered the effectiveness of centre of government in defining government’s
strategic approach to protecting information across critical infrastructure in central
government departments (the departments) (Part One); the centre’s performance in protecting
information, including managing specific projects (Part Two); and departments’ performance
in protecting their information (Part Three).

The center consists of various teams within the Cabinet Office as well as other organizations
such as CESG (see Glossary on page 42) and the National Cyber Security Centre. The central

Page 46 of 86

government departments consist of the 17 largest departments of state, although we have
included other bodies where the evidence allows, as many of these issues are not unique to
central government.7

Frameworks and Guides

National Cyber Security Strategy 2016 to 2021

Cyber Assessment Framework (CAF)


Protecting information while re-designing public services and introducing new technology to support
them is a complex challenge for government. To achieve this, the centre of government requires
departments to risk manage their information, but few departments have the skills and expertise to
achieve this by themselves. How successful government is in dealing with this challenge will
therefore continue to depend on effective support from the Cabinet Office and other bodies at the
center of government.
The Cabinet Office is taking action to improve its support for departments but needs to set out how
this will be delivered in practice. To reach a point where it is clearly and effectively coordinating
activity across government, the Cabinet Office must further streamline the roles and responsibilities
of the organizations involved, deliver its own centrally managed projects cost-effectively and clearly
communicate how its various policy, principles and guidance documents can be of most use to

3.10 Specific Auditing of Critical National Infrastructure by Sectors

On the other hand, we identified that USA conducts its critical infrastructure audits across
specific sectors, and it has developed individual guidelines for each sector, aiming to
understand and examine CNI and CII identification and mitigation programs in every sector,
as shown below:

3.10.1 United States of America

Our nation’s critical infrastructure refers to systems and assets, whether physical or virtual
are so vital to the United States that the incapacity or destruction of such systems and assets
would have a debilitating impact on the nation’s security, economic stability, public health

Page 47 of 86

or safety, or any combination of these factors. Critical infrastructure includes, among other
things, banking and financing institutions, telecommunications networks, and energy
production and transmission facilities, most of which are owned and operated by the private
Threats to the systems supporting critical infrastructures are evolving and growing. These
cyber-based assets are susceptible to unintentional and intentional threats. Unintentional, or
non-adversarial, threat sources include equipment failures, software coding errors, or the
accidental actions of employees. They also include natural disasters and the failure of other
critical infrastructures since due to the sectors are often interdependent.
The framework is to provide a flexible and risk-based approach for entities within the nation’s
sixteen critical infrastructure sectors to protect their vital assets from cyber-based threats.


The objectives of our review are to determine the extent to which the National Institute of
Standards and Technology (NIST) facilitated the development of voluntary standards and
procedures to reduce cyber risks to critical infrastructure, and federal agencies promote the
standards and procedures to reduce cyber risks to critical infrastructure.

Page 48 of 86

Scope and Methodology

To determine how NIST facilitated the development of voluntary standards and procedures
for critical infrastructure, we reviewed and analyzed the actions taken by NIST to develop its
Framework for Improving Critical Infrastructure Cybersecurity. In addition, we analyzed
Executive Order 13636, issued in February 2013, and the Cybersecurity Enhancement Act
of 2014, enacted in December 2014, to identify key NIST responsibilities for developing a
cybersecurity framework. We analyzed documents and performed interviews with NIST
officials to assess its collaborative efforts with industry stakeholders in soliciting input in the
development of the framework, including workshops it hosted and the website it set up to
disseminate updates on the framework. Specifically, we reviewed documentation and videos
of the six workshops hosted by NIST intended to obtain industry, academic, and government
representative feedback in the development of the framework, in addition to NIST’s two
requests for information to the public for input on cybersecurity standards and
methodologies. We also analyzed the resulting framework to assess whether NIST had
fulfilled its responsibilities under law.

Additionally, to address this objective, we conducted a web-based survey of individuals who
provided written comments with contact information in response to a NIST request for
information notice or registered for at least one of the workshops hosted by NIST to develop
the framework. There were 2,082 individuals in the population that we targeted, and to make
the survey as inclusive as possible we sent the survey request to all of them. The questionnaire
included questions about the effectiveness of NIST’s collaborative efforts in fulfilling
requirements to develop the framework using an open and public comment process. To
minimize errors arising from differences in how questions might be interpreted and to reduce
variability in responses that should be qualitatively the same, we conducted pretests with
critical infrastructure representatives over the telephone. Based on feedback from these
pretests, we revised the questionnaire to improve the clarity of the questions. An independent
survey specialist within GAO also reviewed a draft of the questionnaire prior to its

After completing the pretests, we administered the survey to the NIST workshop attendees
and request for information respondents on August 10, 2015, notifying them that our online
questionnaire would be activated within a couple of days. On August 18, 2015, we sent a
second e-mail message to these individuals, informing them that the questionnaire was
available online and providing them with unique passwords and usernames. We collected

Page 49 of 86

responses through August 24, 2015. We were able to obtain 252 completed questionnaires, a
12 percent response rate, in the time available for survey fieldwork. Because we do not know
if the answers that nonrespondents would have given would materially differ from those that
did respond, our results can only represent the views of those who did respond. Their views
are not generalizable to the registrant and respondent population. To address our second
objective, we reviewed and analyzed actions and documentation related to promoting the
framework by the nine sector specific agencies (SSAs) responsible for the 16 critical
infrastructure sectors established in Presidential Policy Directive-21, including the
Department of Homeland Security (DHS), and NIST. For DHS, we analyzed agency
documentation and the website of its Critical Infrastructure Cyber Community (C3)
Voluntary Program to identify the framework promotional guidance and tools provided to
the critical infrastructure sectors. Also, we analyzed the metrics and information being used
by the DHS C3 Voluntary Program to determine if DHS could measure the effectiveness of
its activities and programs to promote the adoption of the framework. We also interviewed
DHS officials on their activities related to the promotion of the framework, including their
current and future promotional efforts. To analyze the promotional efforts by the nine SSAs,
we analyzed relevant documentation and interviewed agency officials representing each of
the SSAs. We specifically asked each of the SSAs whether promoting the framework was a
priority in their draft 2015 sector-specific plans and whether they had decided to develop
framework implementation guidance in accordance with Executive Order 13636. See table 5
for the sectors and SSAs included in our review.

Frameworks and Guides

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1
National Institute of Standards and Technology, April 16, 2018


Most sectors have taken action to facilitate adoption of the NIST cybersecurity framework
within their respective sectors. By developing implementation guidance and aligning existing
sector information resources with framework principles, most SSAs and SCCs have
established a set of tools that entities could leverage to adopt the framework. However, none
of the SSAs have assessed the extent to which their entities have adopted the framework.
Without an accurate assessment of framework adoption within each sector, federal entities,
SSAs, and SCCs lack a comprehensive understanding of the current adoption level within

Page 50 of 86

critical infrastructure sectors. As such, SSAs are unable to tailor their guidance to effectively
encourage use of the framework to sector stakeholders.


We are making nine recommendations to sector-specific agencies in our review for them to
develop methods to determine the level and type of framework adoption across their
respective sectors. Specifically:
The Secretary of Agriculture, in cooperation with the Secretary of Health and Human
Services, should take steps to consult with respective sector partner(s), such as the SCC, DHS
and NIST, as appropriate, to develop methods for determining the level and type of
framework adoption by entities across their respective sector.

The Secretary of Defense should take steps to consult with respective sector partner(s), such
as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level
and type of framework adoption by entities across their respective sector.

The Secretary of Energy should take steps to consult with respective sector partner(s), such
as the SCC, DHS and NIST, as appropriate, to develop methods for determining the level
and type of framework adoption by entities across their respective sector.

The Administrator of the Environmental Protection Agency should take steps to consult with
respective sector partner(s), such as the SCC, DHS and NIST, as appropriate, to develop
methods for determining the level and type of framework adoption by entities across their
respective sector.

Guidelines by sector


Commercial Facilities Sector

Communications Sector

Page 51 of 86

Critical Manufacturing Sector

Dams Sector

Defense Industrial Sector

Emergency Services Sector

Energy Sector

Financial Services Sector

Healthcare and Public Health Sector

Nuclear Reactors, Materials, and Waste Sector

Transportation Systems Sector

Page 52 of 86

Water and Wastewater Systems Sector

3.11 Factors to Consider for Specific Auditing of Critical National
Infrastructure by Sectors

Based on that analysis of the audits performs by the GAO, we identified that there are some
main principles that help to facilitate and support information sharing efforts for critical
infrastructure audits, these activities are listed below:

 Establish goals and objectives

 Identify existing examples of relevant critical infrastructure security and resilience
plans or programs

 Determine the scope

 Identify the stakeholders

 Document roles and responsibilities

 Establish coordination and information sharing mechanisms

 Set timelines

 Build a risk management framework

 Design and conduct assessments

 Conduct training and education, including exercises

Page 53 of 86

 Establish metrics

 Promote the program through outreach and awareness

3.12 Coordination for the definition and management of Critical
Finally, as a result of the review of the audits reports, we identified that the Cybersecurity
and Infrastructure Security Agency (CISA) leads the national effort to understand, manage,
and reduce risk to the cyber and physical infrastructure. Connecting their stakeholders in
industry and government to each other and to resources, analyses, and tools to help them
build their own cyber, communications, and physical security and resilience, in turn helping
to ensure a secure and resilient infrastructure for the American people.

Therefore, CISA acts as the quarterback for the federal cybersecurity team, protecting and
defending the home front—our federal civilian government networks—in close partnership
with the Office of Management and Budget, which is responsible federal cyber security
overall. CISA also coordinates the execution of our national cyber defense, leading asset
response for significant cyber incidents and ensures that timely and actionable information
is shared across federal and non-federal and private sector partners.

3.13 National Resilience / Disaster Recovery

Organizational resilience is important to assure users and managers that the expected level
of service will be provided. Outages are also often unavoidable driving factors in
organizations; therefore, preparation is key to be able to continue operations while protecting
people, assets, and the organization’s reputation; employing process resiliency tactics helps
organizations to address these issues and limit the impacts. We were classified into two main
 General disaster recovery audit with generic procedures.

 Disaster recovery audit with specialized guidelines by functions.

3.14 General Disaster Recovery

3.14.1 Australia

Page 54 of 86

3.14.2 Objective

Information and communications technology (ICT) systems are critical for the operations of
government agencies. Agencies depend on them to:

 deliver public services—including essential services—to the community
 efficiently and effectively manage operations
 fulfill their statutory obligations.

To make sure their systems remain available and continue to operate reliably, agencies must
be able to recover and restore them in the event of a disruption—such as an event that
interrupts access to premises, to the data that systems rely on, or to the systems themselves.
Further, agencies need to
be able to recover and restore their systems within a time frame that reflects the business-
critical nature of each system.

ICT disaster recovery is the process for recovering systems following a major disruption.
ICT disaster recovery planning forms part of an agency’s wider business continuity strategy.

Managing disaster recovery risk presents special challenges. The likelihood of a major
disaster or significant disruption is generally low, often remote—but the consequences of a
system failure that cannot be restored could be significant or even catastrophic.

Without effective disaster recovery capability, agencies risk:

 extended disruption or inability to deliver public services that depend on systems
 inability to recover systems and restore lost data
 subsequent financial loss to themselves and the Victorian economy
 reputational damage, including loss of community confidence in the effective
delivery of government services.

Agencies can reduce the likelihood of disruption events; however, this approach can require
significant investment compared to the direct costs of responding to a disruption when it
occurs. It can therefore be challenging for agencies to determine the balance between
focusing on preventative actions and planning to manage the consequences of possible

Scope and Methodology

In this audit, we examined disaster recovery at Victoria Police and four departments that
provide essential government services—the Department of Economic Development, Jobs,
Transport and Resources (DEDJTR), the Department of Environment, Land, Water and
Planning (DELWP), the Department of Health and Human Services (DHHS) and the
Department of Justice and Regulation (DJR).

Page 55 of 86

We assessed whether their ICT disaster recovery processes are likely to be effective in the
event of a disruption.

Frameworks and Guides

 Protective Security Policy Framework

 AS/NZS ISO 31000:2009 Risk management – Principles and guidelines

 ISO/IEC 27031:2011 Guidelines for information and communication technology
readiness for business continuity

 ICT Disaster Recovery Planning


At present, none of the agencies we audited have sufficient assurance that they can recover
and restore all their critical systems to meet business requirements in the event of a

They do not have sufficient and necessary processes to identify, plan and recover their
systems following a disruption. Compounding this is the relatively high number of obsolete
ICT systems all agencies are still using to deliver some of their critical business functions.
This both increases the likelihood of disruptions though hardware and software failure or
external attack and makes recovery more difficult and costly. These circumstances place
critical business functions and the continued delivery of public services at an unacceptably
high risk should a disruption occurs.

Agencies are beginning to fully understand the importance of comprehensively identifying
and prioritizing their business functions, maintaining the ICT systems that support these
functions, and establishing recovery arrangements to maintain continuity of service.

They need to significantly improve and develop well-resourced and established processes
that fully account for and can efficiently recover the critical business functions of agencies
following a disruption.

Page 56 of 86


We recommend to the Departments of Economic Development, Jobs, Transport and
Resources, Environment, Land, Water and Planning, Health and Human Services, Justice
and Regulation and Victoria Police to:

1. appoint a team of suitably qualified and experienced professionals to form a collaborative
disaster recovery working group to:

 provide advice and technical support
 share lessons learnt based on disaster recovery tests and exercises
 coordinate disaster recovery requirements for resources shared between agencies
 identify, develop, implement, and manage initiatives that may impact multiple
 coordinate funding requests to ensure critical investments and requirements are

2. perform a gap analysis on their disaster recovery requirements and resource capabilities to
determine the extent of the capability investment that will be required.

3. develop disaster recovery plans for the systems that support critical business functions and
test these plans according to the disaster recovery test program.

4. provide advice and training to staff on:

 newly developed frameworks, policies, standards and procedures to increase
awareness and adoption as needed
 specific disaster recovery systems

5. establish system obsolescence management processes to:

 identify and manage systems at risk of becoming obsolete, those that will soon have
insufficient support or those that will be difficult to manage when they become
 enable strategic planning, life-cycle optimization, and the development of long-term
business cases for system life-cycle support
 provide executive with information to allow risk-based investment decisions to be

Finally, it was not identified that there is an agency that oversees coordination and activation
of the national disaster recovery plan.

Page 57 of 86

3.15 Disaster Recovery by Functions

3.15.1 United States of America

We identified that USA conducts its Disaster Recovery Plans audits across specific sectors,
and it has developed individual guidelines for each sector.
The Department of Homeland Security’s (DHS) Federal Emergency Management Agency
(FEMA) is responsible for implementing the National Disaster Recovery Framework
(NDRF) and working in partnership with states as they play a lead role in the recovery
process. As shown in the figure below, FEMA coordinates federal recovery stakeholders
using six Recovery Support Functions—structures through which federal coordinating
agencies provide assistance to state and local communities, before and after a disaster.
FEMA’s regional offices facilitate pre-disaster recovery planning at the state and local level,
promote state adoption of NDRF principles into state pre-disaster recovery plans, and
coordinate collaboration between federal, state, local, and tribal governments. Under the
NDRF, states have primary responsibility for managing recovery in their communities,
including developing pre-disaster recovery plans based on the principles and structures in the
The National Disaster Recovery Framework (NDRF) enables effective recovery support to
disaster-impacted states, tribes, territorial and local jurisdictions. It provides a flexible
structure that enables disaster recovery managers to operate in a unified and collaborative
manner. The NDRF focuses on how best to restore, redevelop, and revitalize the health,
social, economic, natural, and environmental fabric of the community and build a more
resilient nation.
The NDRF is a first step toward achieving a shared understanding and a common, integrated
perspective in order to achieve unity of effort and to build a more resilient nation.

Page 58 of 86


The objectives of this study were to review the Federal Emergency Management Agency’s
(FEMA) implementation of the National Disaster Recovery Framework (NDRF). This
review assesses the roles and responsibilities of FEMA and state emergency management
offices in implementing the NDRF and the extent to which FEMA has worked with selected
states to implement the NDRF.
Scope and Methodology

To address the first objective, we reviewed relevant federal statutes and program and policy
directives and analyzed components of the NDRF to identify the pre- and post-disaster NDRF
implementation responsibilities of federal and state emergency management offices. We also
interviewed FEMA officials from the Office of Federal Disaster Coordination, National
Disaster Recovery Planning Division within the Department of Homeland Security, and the
other five federal coordinating agencies under the NDRF’s Recovery Support Functions.
Those agencies include the Departments of Commerce, Health and Human Services, Housing
and Urban Development, and the Interior and the Army Corps of Engineers.
To address the second objective, we administered a semi-structured interview to state
emergency management officials in five states regarding their experiences in adopting the
NDRF as part of their recovery operations. To select these states, we obtained information
from FEMA’s Office of Response and Recovery on disaster declarations in those states in
which a Recovery Support Function (RSF) was activated from 2012 through 2014. We sorted
the information based on the number of states that were affected by disasters with three or
more RSF activations. We selected 5 states based on geographic diversity, a range of disaster
types, and at least three RSF activations, which occurred in 2012 and 2013. Those states

Page 59 of 86

included Alaska, Arizona, Colorado, New York, and Oklahoma. We also analyzed states
disaster recovery plans and other related state recovery planning documents and compared
them with the core elements contained in the NDRF, such as the RSF structure, roles and
responsibilities, and core principles identified in the NDRF, and whether the plans had been
updated since the NDRF’s 2011 issuance.

Frameworks and Guides

 Presidential Policy Directive / PPD-8: National Preparedness
 National Disaster Recovery Framework (Second Edition June 2016).
 FEMA Needs to Assess Its Effectiveness in Implementing the National Disaster
Recovery Framework.


Successful implementation of the NDRF is critical to avoiding government coordination
issues that created challenges during previous disaster recovery efforts. It provides a
framework for coordination and recovery planning at all levels of government before and
after a disaster and defines how those entities will work together following a disaster to best
meet the recovery needs of individuals and communities. States play a pivotal role in disaster
recovery, with primary responsibility for the recovery of their communities, along with local
and tribal governments. States also act as a conduit between the federal government and local
and tribal governments for key federal recovery assistance programs and are well-positioned
to encourage local and tribal governments to adopt the NDRF.


To enable a more effective approach in working with states to adopt the NDRF, we
recommend that the Secretary of Homeland Security direct the Administrator of FEMA to
take the following four actions:
 Conduct a systematic analysis of the information generated from FEMA’s readiness
assessments to determine the extent of regional office efforts to help states implement
the NDRF, including conducting education and outreach.

Page 60 of 86

 Develop best practices and lessons learned about conducting NDRF education and
outreach to states based on the analysis of readiness assessments and create a
mechanism to disseminate and share those best practices and lessons learned to
FEMA regional offices.

 Clarify with regional offices and FDRCs (Federal Disaster Recovery Coordinator)
the role of the regional implementation plans in FDRC performance plans and how
they will be used to assess NDRF regional implementation efforts. ·

 Align the annual FDRC performance expectations with clearly defined organizational
goals and priorities, consistent with key management practices.

3.16 Factors to Consider for Disaster Recovery by Functions audits.

In order to conduct a disaster recovery audit by functions, the US government analyses the
 Risk should be identified and managed in a coordinated way within the critical
infrastructure community to enable effective resource allocation.

 Critical infrastructure partnerships can greatly improve understanding of evolving
risk to both cyber and physical systems and assets and can offer data and perspectives
from various stakeholders.

 Understanding and addressing risks from cross-sector dependencies and
interdependencies is essential to enhancing overall critical infrastructure security and

 Gaining knowledge of and reducing infrastructure risk requires information sharing
across all levels of the critical infrastructure community.

 A partnership approach, involving public and private stakeholders, recognizes the
unique perspectives and comparative advantages of the diverse critical infrastructure
community. For example, Emergency Support Function 14 of the National Response
Framework supports the coordination of cross-sector operations, including
stabilization of key supply chains and Community Lifelines, among infrastructure
owners and operators, businesses, and their government partners.

 Regional, state, and local partnerships are crucial to developing shared perspectives
on gaps and improvement actions.

Page 61 of 86

 Critical infrastructure transcends national boundaries, requiring bilateral, regional,
and international collaboration; capacity building; mutual assistance; and other
cooperative agreements. For example, the “Canada-U.S. Action Plan for Critical
Infrastructure” sets the foundation for cross-border critical infrastructure security and
resilience efforts between the two countries.

 Security and resilience should be considered during the design of infrastructure

3.17 Coordination for the activation of the Disaster Recovery Plan by

Finally, as a result of the review of GAO reports, we identified that The Federal Emergency
Management Agency (FEMA) is the agency of the United States Department of Homeland
Security (DHS), created on April 1, 1979. which purpose is to coordinate the response to a
disaster (natural, electronic, economic, etc.) that has occurred in the United States and that
overwhelms the resources of local and state authorities, for that FEMA coordinate the
activities in cases of a national crisis that involve utility interruption or failure
(telecommunications, electrical power, water, gas, steam, HVAC, pollution control system,
sewerage system, other critical infrastructure) and Cyber security (data corruption/theft, loss
of electronic data interchange or ecommerce, loss of domain name server, spyware/malware,
vulnerability exploitation/botnets/hacking, denial of service).

3.18 National Agencies / government entities Cybersecurity Assessment

This section identifies the role of government entities in charge of cyber incident response
(CSIRT), specifying CSIRT evaluation schemes, identifying the elements of review to
understand the nature, scope, and operation of a cyber security incident handling service, as
well as explaining the SIM3 model for the evaluation of the maturity level of a CSIRT which
reviews the competence achieved, either in the execution of specific functions or in a set of
functions or services.

3.19 Entities Responsible of the National Cybersecurity.

There are government cybersecurity agencies specialized in the investigations of the different
computer crimes or frauds committed in cyberspace, their fundamental task is to combat
computer crimes and frauds that are carried out through the Internet, all this through legal

Page 62 of 86

processes established in the laws of each country; The computerized or cybernetic police
forces receive complaints through social networks or telephone calls, which are essential to
begin investigations in relation to crimes.

These police organizations dedicated to the computer world pursue and prevent bank fraud,
identity theft, cyberbullying or cyberbullying, child pornography, identity theft through
different social networks and hacks that result in loss or kidnapping of information. Their
functions are diverse: they are in charge of combating virtual terrorism, carrying out cyber
patrolling to avoid computer crimes or fraud against computer systems, banking institutions,
it is in charge of carrying out the pertinent investigations through any case of the different
types of existing computer crimes, finding dedicated bands to cyberbullying, and child
prostitution through the Internet as a means of contact, analyzes and identifies the different
types of computer crimes and scams carried out through the Internet.

The cybernetic police operate throughout cyberspace carrying out antihacker cyber patrols,
with the help of specialized equipment (computers) and personnel for its execution. Units
specializing in cybercrime seek to protect all citizens who use the network, monitoring
through the so-called CSIRT/CERT, protecting citizens social network accounts, responding
to calls for complaints or scams, or any other computer crime. i These teams (CSIRT/CERT)
are of vital importance since they are the ones in charge of coordinating the different
organizations that oversee identifying and responding to cyber incidents.

This section describes the role of cyber incident response teams (CSIRT) in charge of
responding to computer security incidents, in cybersecurity matters, to achieve advances in
cyberspace security; different types of cyber incident response teams (CSIRT) are reviewed,
which are those who manage the most critical and significant events that threaten the
confidentiality, integrity or availability of critical information networks and play a crucial
role in improving cyber resilience.

Guides are presented to evaluate a computer security incident response team (CSIRT), whose
objective is for an audit institution to identify the elements of review to understand the nature,
the scope and operation of an IT security incident management service, both to newly trained
teams and to a high degree of maturity.

It is important to underline that each country has a different political structure, culture,
geography, legal framework, and resources, and thus, the guidelines are not intended to be
imposed, but rather must be adapted to the local conditions of each country.

Page 63 of 86

3.20 CERT/CSIRT functions

 CERT – Computer Emergency Response Teams. It is a trademark registered by
Carnegie Mellon University in the USA and for a response team to be called in this
way, it must meet certain requirements and evaluations by this university.
 CSIRT – Computer Security Incident Response Teams, is a concept that may be more
commonly used by incident response teams. Associations such as FIRST, TF-CSIRT
or CSIRT validate, based on their skills and references, who should be considered as

The services provided by CSIRTs can be divided into three areas:
 Preventive/Proactive: in charge of alert monitoring, security audits, vulnerability
scanning, malicious artifact scanning, technology monitoring, artifact analysis, and
forensic analysis.
 Reactive: they manage an incident, from analysis, to response actions, support, and
coordination, which implies post-mortem analysis, on-site assistance, response to
vulnerabilities, response to malicious artifacts, etc.
 Added value, help manage the organization’s security by conducting risk assessments,
participating in business continuity plans, disaster recovery, as well as participating
in awareness programs.

All CSIRTs work differently depending on the entities they provide protection to. However,
in general terms, most of these groups have an attack team, which is responsible for studying
the behavior of cybercriminals and the main attack vectors, and a defense team, whose
objective is to analyze the traffic of the networks to be alert under the presence of a computer
eventuality. Additionally, these teams have great challenges such as sharing information,
adding synergies with other CSIRTs to be able to share information in forums (such as
APCERT or FIRST) and being able to offer an effective and rapid response to any threat that
puts the most critical information or the interruption of services and/or business.

Computer Emergency Response Team (CERT) and Computer Security Incident Response
Team (CSIRT)

Distinctions are made between CERT and CSIRT: A CERT is conceived as a study center
and a place where methods and procedures are established to improve incident response
teams; a CSIRT as those responsible for responding to incidents. ii and it should be clarified
that there are only two CERTs defined as such in the world: one is the CERT/CC (CERT
Coordination Center), which is part of the Software Engineering Institute of Carnegie Mellon
University, in Pennsylvania, United States, and the other is US-CERT, the response team of

Page 64 of 86

the US Department of Homeland Security. In all other countries around the world,
cybersecurity teams are called Computer Security Incident Response Teams (CSIRTs),
which upon obtaining certification offered by Carnegie Mellon University can include in its
name is the acronym CERT. iii

These teams can be public or private, the main types of CSIRT are listed below iv:
– National CSIRTs: In addition to serving a defined community, a country’s CSIRT
typically assumes the role of national incident response coordinator and is the contact
for national and international incidents.
– Government CSIRTs: Government CSIRTs serve State institutions to ensure that the
government’s IT infrastructure and the services offered to citizens have adequate
levels of security.
– Military Sector CSIRT: These CSIRTs provide services to the military institutions of
a country. Their activities are generally limited to the defense or offensive cyber
capabilities of a nation.
– Critical Infrastructure CSIRT: In some cases, there are CSIRTs determined
specifically for the protection of information assets and critical infrastructure of the
nation, regardless of whether it is operated by the public or private sector, or its sector.
– Provider CSIRT: These are CSIRTs that provide services related to specific products
of a manufacturer, developer, or service provider.
– Small and Medium Enterprise (PYME) Sector CSIRTs: Their size and nature often
do not allow PYMEs to implement individual incident response teams.
The TF-CSIRT site is the main European CERT’s forum in which the most outstanding
CERT’s in the world collaborate, innovate and share information, you can see lists of
accredited teams (194), certified (31) and lists (185) of the European Union at the date of this
document (January 2022), both from the public and private sectors.

3.21 Guide for cybersecurity CSIRT

Assessment guide for cybersecurity CSIRT

The first analysis that must be carried out consists of knowing if cybersecurity agencies and
their operating entities (CSIRT/CERT) have been established at the national level, by
answering the following questions:
Operating entities:
1. Is there a competent national authority for information security and cybersecurity

Page 65 of 86

2. Is there an incident reporting platform to collect cybersecurity incident data?
3. Are national cybersecurity exercises carried out?
4. Is there a National Incident Management Structure (NIMS) to respond to
cybersecurity incidents?
5. Is there a National Computer Emergency Response Team (CERT)? o Computer
Security Incident Response Team (CSIRT)?
6. In what year was the Computer Emergency Response Team (CERT) established?
In a study made by the European Union (EU) v, it is shown a board with the complete
description of the estate of the actual cybersecurity frames and its capacities for each member.
The report considers five main areas of cybersecurity politics of each state of EU:
– Legal foundations of cybersecurity
– Operating Entities.
– Public-private partnerships
– Education.

Incident response capabilities must be established in the Operating Entities, managing the
most critical and significant events that threaten the confidentiality, integrity, or availability
of significant information networks nationally and systems. Computer Emergency Response
Teams (CERT) and Computer Security Incident Response Teams (CSIRT) can play a crucial
role in improving cyber resiliency
Once verified the existence of those cybersecurity entities can be taken into consideration the
following two evaluations:
 A pillar-based evaluation in which the bases, mission, vision, and objectives are
reviewed, up to its operation, analyzing it as ad hoc with its purpose to achieve the
benefits expected by the organization; also reviews compliance with legal and
institutional frameworks and that their practices adhere to existing and approved
 On the other hand, there is the assessment of the maturity level of a CSIRT, which
focuses on comparing the current level of the organization with respect to how its
functions are governed, documented, performed, and measured and allows
understanding the improvement actions to be addressed.
Pillar-based assessment for cybersecurity agencies

The objective of the pillar-based evaluation guide for a CSIRT is to analyze its creation and
implementation, including the different criteria that were considered to define its
constitution, mission, vision, scope, budget, types of services, organizational model,
availability, legal and institutional frameworks, applicable regulations and their
organizational structure; it also contains an analysis of human resources requirements, both
in terms of skills and conduct, and of continuing training, which are considered necessary.
On the other hand, the review considers the physical infrastructure, which includes physical

Page 66 of 86

installations, hardware, software, network, and technical tools that allow its operation; and
finally, the policies, procedures, standards are analyzed vi.
The Pillars refer to 5 paragraphs where criteria are integrated that must be evaluated, these
ranging from its constitution to its operation vii :
 Bases: The root (business plan, constitution, legal restrictions, etc.).
 Organization: Attributions (mandate and related organizational structures).
 Human: Human resources (team personnel, structure, experience, code of conduct
and training options).
 Tools: Physical and logical infrastructure for the work (everything required to carry
out the tasks of the agency).
 Processes: Policies, procedures, processes, standards (for agency operation, incidents,
media, etc.).

Table 1: Evaluation by mainstay
¿What is
Description Required Information Elements to be evaluated Reference guides and good practices


foundations of

To carry out the
evaluation of the BASES
pillar, we must consider
the mission, objectives,
vision, values, priorities,
stakeholders, legal
alignment, its target
community, its
institutional and legal
framework and finally the
range and nature of
services it offers.

This review should
identify why the CSIRT
exists, what it does, to
whom it performs
services, what values
motivate it, the route that
the organization will take
in the long term, which is
the constitution of the
CSIRT (as an independent
(private) as a unit within a
public or private
organization, and finally
the legal framework
governing it at country
level imposing
restrictions to protect the
CSIRT and its operations.

1. Identification document of
the interested parties.
2. Stakeholder management
3. Constitution document of
the national CSIRT.
a. Mission and vision.
b. Institutional
c. Legal framework.
4. Minutes of planning and
implementation meetings.
5. Lists of participants in the
different activities.
6. Emails exchanged with
7. Definition of target
8. List of services with their
Agency definition

1. Scopes of action of the
2. Concerned parties
3. Mission, Objective, and
4. Alignment with the legal

Constitution of the agency

5. Institutional framework.
6. Legal framework. Review
of applicable laws and
regulations, at least the
a. Cybersecurity
b. Security of the
c. Personal data
d. Critical
e. Telecommunications
service providers
(data retention, user
f. International

7. Business plan (budget,
implementation plan).


8. Target community
(government, private
sector, or both).
9. Services (reactive services,
proactive services, and
value-added services).
Organization of American States (OAS)
Good practices to establish a national
National Cryptologic Center (CCN)
CCN-STIC-810 CERT/CSIRT creation

Thailand Computer Emergency Response
Team a member of ETDA
Establishing a CSIRT

Carnegie Mellon University (CMU)
Handbook for Computer Security Incident
Response Teams (CSIRTs)

European Union Agency for Cybersecurity
How to create a CSIRT step by step

Page 67 of 86


Computer security incident management


To carry out the
evaluation of the
the organizational model
(mandate) must be
considered, which
indicates the position and
attributions of the CSIRT
within the target
organization or
community, as well as its
relationship with other
internal and external
organizational structures.

1. CSIRT organizational

2. Participation reports in
cybersecurity forums.

Organizational model

1. Structure definition.
2. Information exchange.
a. Registration to forums and
information communities
on cybersecurity.

Carnegie Mellon University (CMU)
Organizational Models for Computer
Incident Response Teams (CSIRT)

Organization of American States (OAS)
Good practices to establish a national


Basic IT security incident management


CSIRT human

The evaluation of the
HUMAN pillar refers to
who carries out the
services required by the
target community, for this
it is necessary to evaluate
the organizational
structure of the CSIRT,
including functions and
responsibilities of each
member. Likewise, the
evaluation must consider
the knowledge,
experience, and necessary
skills of said resources
and the training options
that are required to
potentiate their functions
in the CSIRT, and finally,
the review must include
the conduct guidelines
1. Organizational structure.
2. Hired human resources.
3. Applicable code of conduct.
4. Cybersecurity training

Organization and HR

1. Organizational structures
(number of areas and
2. Roles and responsibilities.

Selection of human resources:
Training requirements:

3. Certifications and technical
training (in basic areas:
general cyber security,
incident response, cyber
security and malware and
forensic analysis, etc.).
4. Personal skills (resistance to
stress, analytical skills,
flexibility, creativity, etc.).

Conduct guidelines

5. Code of conduct

Book: Organizational Structure
By Mario Javier Brume Gonzalez

Organization of American States (OAS)
Good practices to establish a national
Official College of Psychologists
Technical guide and good
practices in recruitment and selection
of personnel (R&S).

Trusted Introducer CSIRT
Code of Practice

Page 68 of 86

established for the


Basic IT security incident management


and Facilities

The evaluation of the
TOOLS pillar includes
everything that is required
to carry out the tasks of
the agency, from the basic
general services that
correspond to the
equipment of the physical
space and services, the
physical access methods,
and the IT equipment, to
the tools or specialized
software packages for the

1. Location of physical
facilities, rental contracts, etc.
2. Technological infrastructure
and the respective support
3. Network diagrams.
4. Hardware relation.
5. Software Relationship.
6. Storage platform.
7. Backup schedule
8. Classification of information.

Facilities and IT infrastructure

1. Physical facilities
2. Basic network design
3. IT infrastructure and tools,
at least the following:
a. Institutional web server
b. Institutional mail server.
c. Intranet server.
d. File server.
e. Server backups.
f. DNS server.
g. Event monitoring,
collection, and correlation
h. Recording and monitoring
of incidents.

IT infrastructure design and
network architecture

4. Confidential information
5. Information storage.

Book: The Control Center Design Book
By: Armando Gonzalez Lefler
%20center&f=false, páginas 52-59.

Organization of American States (OAS)
Good practices to establish a national
International Organization for
Standardization (ISO) and International
Electrotechnical Commission (IEC)
ISO 27001
ISO 22301

Cybersecurity Agency of Catalonia Toolkit
to provide the first steps to new incident
management equipment. Tools such as:
open-source threat intelligence platforms,
incident management information,
operational intelligence, incident response
platforms, forensic network analysis, records
management, etc.


The evaluation of the
PROCESSES pillar must
include the analysis of the
organization’s policies
and procedures because
they are essential to
govern its operation and
the activities of the
response center, and these
should ensure the
1. Operations manual with
policies and procedures.
2. Formalized security policies
and procedures.
3. Documentation of
implemented standards.
4. Technical memories of
implementation of
5. Formalized operating
6. Formalized security
Politics and procedures

1. Definition of policies and
2. Formalization and
application of operational
policies and procedures of at
least the following policies:

a) Information classification.
b) Data protection.
c) Withholding information.
d) Iinformation destruction.
e) Disclosure of information.

Organization Forum of Incident Response
and Security Teams (FIRST)


Nacional Institute of Standards and
Technology (NIST) of USA.
SP 800-61
SP 800-83

Page 69 of 86

Source: Created by ASF.

The processes
governing the
availability and integrity
of the information and
resources, as well as the
quality of its services.

7. Description of specific
8. Definition of information
exchange formats.
9. General cybersecurity
10. Statistical reports.

f) Access to information.
g) Appropriate use of agency
h) Definition of security
incidents and event policy.
i) Incident management.
j) Cooperation.
k) Use of internet.
l) Incident reporting.
m) Agency communication.
n) Training and coaching.
o) Security of personal
p) Network security.
q) Use of email.
r) Use of mobile devices.
s) Telecommunications
equipment security.
t) Backups.
u) Segregation of duties.
v) Change control and

3. Standards and good
practices implemented for
the operation of the CSIRT:

a. Incident management
b. Incident prevention and
management procedures.
c. Incident detection
d. Specific incident process.
e. Procedures for integrating
forensic techniques in
incident response.
f. Incident response
g. Guidelines for the
collection and archiving of
h. Intrusion detection
message exchange formats.
i. Procedures for disclosure
of information.
SP 800-86

RFC 2350
RFC 3227
RFC 3067
RFC 4765

International Organization for
Standardization (ISO) and International
Electrotechnical Commission (IEC)
ISO 27035
ISO/IEC 29147
ISO 27001
ISO 27032

Standards and tools for exchange and
processing of actionable information

Page 70 of 86

Assessing the maturity level of a CSIRT

The objective of the maturity level evaluation is to analyze how well a CISRT team governs,
documents, performs, and measures its functionviii, this analysis compares the level where
the CISRT is currently, which allows organizations to visualize the information and consider
it as a baseline to detect existing gaps, carry out in-depth reviews, issue opinions and take
actions focused on continuous improvements.

SIM3 Model

Maturity is a level of competency achieved either in the execution of specific functions or in
a set of functions or services. The maturity of an organization will be determined by the
scope, the quality of established policies and documentation and the ability to execute an
established process, the level of advancement in knowledge, skills and competence measured
against a defined reference model ix.

The Security Incident Management Maturity Model (SIM3) issued by the Open CSIRT
Foundation and used since 2009x, is based on three basic elements for its evaluation:

1) Maturity parameters, 44 parameters: 10 in organization, 7 in human, 10 in tools and 17 in
2) Quadrants of maturity: Organization, Human, Tools and Processes.
3) Maturity Levels:

0 = unavailable / undefined / unaware
1 = implicit (known/considered but not written, “between the ears”)
2 = explicit, internal (written but not formalized in any way)
3 = explicit, formalized with the authorization of the head of the CSIRT (sealed or
4 = explicit, audited by the authority of the levels of government above the head of
the CSIRT (subject to control/audit/enforcement process)

Maturity models such as SIM3 can be used by new CSIRTs as well as well-established
CSIRTs around the world. Using this maturity model, they can ensure that they have a clearly
defined framework for achieving their goals. Considering that SIM3 is designed
incorporating extensive experience from incident response professionals, organizations
should consider it as a baseline and focus on continuous improvements.

Page 71 of 86

This model is used as a support in the certification frame of Trusted Introducer (which
belongs to the European Union, Austria, Brazil, China, Czech Republic, France, Germany,
Hong Kong, India, Israel, Italy, Japan, Luxemburg, Netherlands, Spain, United Kingdom,
United States, etc.,) and its being adopted by several organizations members of FIRST (to
which belongs 99 countries such as United States, Canada, Mexico, Colombia, Brazil, Peru,
Argentina The Russian Federation, China, Switzerland, Norway, Germany, Spain, Saudi
Arabia, South Africa, and Australia, etc.,) and the Nippon CSIRT Association -NCA in Japan
with (440 members) xi.

There is a self-assessment survey offered by ENISA (European Union Cybersecurity
Agency), based on the SIM3 maturity model, that can be done online which evaluates the 44
parameters divided into four categories: organization, processes, tools, and human resources
of an incident response team. These will determine a basic, intermediate, or advanced level
of maturity xii .

Image 1. Parameters to cover according to maturity levels

Through the
following link the
assessment can be done:

Table 2: Parameters of the SIM3 model
Parameter Number of questions ID What is checked?

10 O-1, O-2, O-3, O-4, O-
5, O-7, O-8, O-9, O-10
y O-11.
Mandate, distribution, authority, responsibility, service description,
service level description, incident classification, participation in existing
CSIRT frameworks, organizational framework, and security policy.

7 H-1, H-2, H-3, H-4, H-
5, H-6 y H-7.
Code of Conduct/Practice/Ethics, Personal Resilience, Skill/Skill Set
Description, Internal Training/Training, Technical Training (External),
Communication Training (External), and External Networks.


10 T-1, T-2, T-3, T-4, T-5,
T-6, T-7
T-8, T-9 y T-10
IT resource list, source list, consolidated email system, incident tracking
system, rugged phone, resilient email, resilient internet access, incident
prevention toolkit, Incident detection toolkit and incident resolution

Page 72 of 86



P-1, P-2, P-3, P-4, P-5,
P-6, P-7
P-8, P-9, P-10
P-11, P-12, P-13, P-14,
P-16 y P-17.
Scaling to governance level, scaling to press function, scaling to legal
function, incident prevention process, incident detection process,
incident resolution process, specific incident processes, audit/feedback
process, emergency accessibility process, internet presence best
practices, question about the secure information management process,
information sources process, disclosure process, reporting process,
statistics process, collection process and peer-to-peer process.
Source: Created by ASF.

a) Cybersecurity agencies

Policía cibernética: qué es, requisitos y mucho más

a) SIC- Spanish magazine specializing in information security and the security of technological information and communication
systems used in organisations. SIC number 142- November 2020- CSIRTs: At the foot of the Canyon:
a) General Secretariat of the Organization of American States (OAS), 20006 United States of America- April 2016- Good practices
to establish a national CSIRT
v a) BSA The Software Alliance- Document EU Cyber Security Panel. A path to a secure European cyberspace
a) SIC- Spanish magazine specializing in information security and the security of technological information and communication
systems used in organisations. SIC number 142- November 2020- CSIRTs: At the foot of the Canyon:
b) CCN- Guide to creating a CERT/CSIRT- CCN-STIC-810
c) Cybersecurity Agency of Catalonia – Tools and software packages
d) General Secretariat of the Organization of American States (OAS), 20006 United States of America- April 2016- Good practices
to establish a national CSIRT
a) ThaiCERT (Thailand Computer Emergency Response Team a member of ETDA)- Translation into Spanish CSIRT CEDIA-
Document Establishing a CSIRT
viii a) Open CSIRT Foundation (OCF) 2016-2019- Document SIM3 : Security Incident Management Maturity Model; SIM3 mkXVIIIC1-
Stikvoort, 30 March 2015 (c version 1 May 2019) –
a) Definition of maturity by TF-CSIRT
a) SIM 3 Model

Page 73 of 86

a) ThaiCERT (Thailand Computer Emergency Response Team a member of ETDA)- Translation into Spanish CSIRT CEDIA-
Document Establishing a CSIRT
b) FIRST- Map of forum members
c) Members of NCA- Japan
a) ENISA- Self-assessment SIM3 model

4 . Considerations of cybersecurity and data protection by

Critical infrastructure sectors contain vital systems, which if incapacitated, could debilitate
or destabilize a nation’s security, economic security, public health or safety. Critical
infrastructure includes banking and financial institutions, telecommunications networks, and
energy production and transmission facilities. In the United States, most of these facilities
are owned and operated by the private sector, not the government.

However, cyber threats to these critical infrastructure sectors continue to increase and
represent a significant security challenge. Specifically, malicious actors have intruded and
extracted information from, and disrupted the networks of, government agencies and major
critical infrastructure companies throughout the world. Recent incidents illustrate the
pressing need to strengthen critical infrastructure cybersecurity. For example, a ransomware
attack targeted the Colonial Pipeline in the United States, and attacks have targeted health
care and essential services in the United States and United Kingdom during the Coronavirus
Disease 2019 (COVID-19) pandemic. xii

Figure 1 describes examples of critical infrastructure sectors that may be in place. Although
these sectors were defined for the United States, other nations’ critical infrastructure sectors
may be similar or vary depending on the assets nations consider essential for the functions
of their society and economy.

Page 74 of 86

Figure 1: Examples of critical infrastructure sectors:

Source: GAO-22-105103

4.1 Key cybersecurity guidance and criteria for critical
infrastructure sectors
Many countries have specific laws or guidance to cover such critical infrastructure sectors.
In many cases, the guidance and criteria used to audit critical infrastructure sectors is broad
and may cover many (or all) critical infrastructure sectors. Cybersecurity guidance and
legislation related to the critical infrastructure sectors may include relevant laws in each
country (refer to chapter 3), each country’s internal auditing standards, and international
guidance documents relevant to the audit.

For example, to better protect against cyber threats, the National Institute of Standards and
Technology (NIST) facilitated the development of a voluntary framework of cybersecurity

Page 75 of 86

standards and procedures for sectors to use. Specifically, in February 2014, NIST published
the Framework for Improving Critical Infrastructure Cybersecurity , which has been translated
into seven languages and has been adopted by many governments around the world. xii
Much of the guidance specific to critical infrastructure is delineated in chapter 3 of this guide.

4.2 Challenges, risks, and threats for critical infrastructure
According to the U.S. Department of Homeland Security, the threats that face critical
infrastructure sectors can vary from natural disasters, man-made accidents, or malicious
actions. Examples of these threats can include:

 Geophysical, climatological, meteorological events, and other natural
disasters : drought, earthquakes, extreme heat, extreme precipitation, floods,
geomagnetic storms, hurricanes, tropical cyclones, volcanic eruptions, wildfires

 Technological and industrial accidents, malfunctions, and other unscheduled
disruptions : aging infrastructure, chemical spills, equipment malfunction,
hazardous substance releases, industrial fires, large scale power outages, structural

 Criminal and terrorist incidents, foreign interference operations, and other
malicious actions :
• cybersecurity incidents such as denial of service attacks, malware,
phishing active shooter incidents,
• supply chain attacks, vandalism, theft
• foreign influence to spread misinformation or undermine democratic
processes, untrusted foreign investment that give foreign powers undue
influence over a nation’s critical infrastructure, property damage

4.2.1 Cybersecurity threats to critical infrastructure sectors

As noted above, cybersecurity and other technology-based incidents are key threats to
critical infrastructure sectors. Ineffective protection of cyber assets from threats can increase
the likelihood of security incidents and cyberattacks that disrupt critical operations; lead to
inappropriate access to and disclosure, modification, or destruction of sensitive information;
and threaten national security, economic well-being, and public health and safety. Cyber
threats to critical infrastructure can be classified as unintentional or intentional:

 Unintentional or no adversarial threat sources may include failures in equipment or
software due to aging, resource depletion, and errors made by end users. They
also include the effects of natural disasters and failures of critical technological
infrastructure on which the organization depends but that are outside of the control
of the organization.

Page 76 of 86

 Intentional or adversarial threats may include corrupt employees, criminal groups,
terrorists, and nations that seek to leverage the organization’s dependence on
cyber resources (e.g., information in electronic form, information and
communications technologies, and the communications and information-handling
capabilities provided by those technologies). These threat adversaries vary in
terms of their capabilities, their willingness to act, and their motives, which can
include seeking monetary gain or seeking an economic, political, or military
advantage. Because systems and networks used by critical infrastructure sectors
are often interconnected with other systems and the internet, they can be
vulnerable to disruptions in service due to cyberattacks. Critical infrastructures in
general are becoming more reliant on technology, which may leave them more
vulnerable to attack. The table below includes examples of common intentional
cyber exploits.

Table 1: Common Methods of Intentional Cyber Exploits

Exploit Description
Watering hole A method by which threat actors exploit the vulnerabilities of
carefully selected websites frequented by users of the targeted
system. Malware is then injected to the targeted system via the
compromised websites.
Phishing and spear phishing A digital form of social engineering that uses authentic-looking
emails, websites, or instant messages to get users to download
malware, open malicious attachments, or open links that direct them
to a website that requests information or executes malicious code.
Credentials based An exploit that takes advantage of a system’s insufficient user
authentication and/or any elements of cybersecurity supporting it, to
include not limiting the number of failed login attempts, the use of
hard-coded credentials, and the use of a broken or risky
cryptographic algorithm.
Trusted third parties An exploit that takes advantage of the security vulnerabilities of
trusted third parties to gain access to an otherwise secure system.
Classic buffer overflow An exploit that involves the intentional transmission of more data
than a program’s input buffer can hold, leading to the deletion of
critical data and subsequent execution of malicious code.
Cryptographic weakness An exploit that takes advantage of a network employing insufficient
encryption when either storing or transmitting data, enabling
adversaries to read and/or modify the data stream.
Structured Query Language (SQL) injection An exploit that involves the alteration of a database search in a web-
based application, which can be used to obtain unauthorized access
to sensitive information in a database, resulting in data loss or
corruption, denial of service, or complete host takeover.
Operating system command injection An exploit that takes advantage of a system’s inability to properly
neutralize special elements used in operating system commands,
allowing the adversaries to execute unexpected commands on the
system by either modifying already evoked commands or evoking
their own.
Cross-site scripting An exploit that uses third-party web resources to run lines of
programming code (referred to as scripts) within the victim’s web
browser or scriptable application. This occurs when a user, using a
browser, visits a malicious website or clicks a malicious link. The
most dangerous consequences can occur when this method is used
to exploit additional vulnerabilities that may permit an adversary to

Page 77 of 86

steal cookies (data exchanged between a web server and a
browser), log key strokes, capture screen shots, discover and
collect network information, or remotely access and control the
victim’s machine.
Cross-site request forgery An exploit that takes advantage of an application that cannot, or
does not, sufficiently verify whether a well-formed, valid, consistent
request was intentionally provided by the user who submitted the
request, tricking the victim into executing a falsified request that
results in the system or data being compromised.
Path traversal An exploit that seeks to gain access to files outside of a restricted
directory by modifying the directory pathname in an application that
does not properly neutralize special elements (e.g. ‘…’, ‘/’, ‘…/’, etc.)
within the pathname.
Integer overflow An exploit where malicious code is inserted that leads to
unexpected integer overflow, or wraparound, which can be used by
adversaries to control looping or make security decisions in order to
cause program crashes, memory corruption, or the execution of
arbitrary code via buffer overflow.
Uncontrolled format string Adversaries manipulate externally-controlled format strings in print-
style functions to gain access to information and/or execute
unauthorized code or commands.
Open redirect An exploit where the victim is tricked into selecting a URL (website
location) that has been modified to direct them to an external,
malicious site which may contain malware that can compromises
the victim’s machine.
Heap-based buffer overflow Similar to classic buffer overflow, but the buffer that is overwritten is
allocated in the heap portion of memory, generally meaning that the
buffer was allocated using a memory allocation routine, such as
“malloc ()”.
Unrestricted upload of files An exploit that takes advantage of insufficient upload restrictions,
enabling adversaries to upload malware (e.g., .php) in place of the
intended file type (e.g., .jpg).
Inclusion of functionality from untrusted sphere An exploit that uses trusted, third-party executable functionality
(e.g., web widget or library) as a means of executing malicious code
in software whose protection mechanisms are unable to determine
whether functionality is from a trusted source, modified in transit, or
being spoofed.
Certificate and certificate authority compromise Exploits facilitated via the issuance of fraudulent digital certificates
(e.g., transport layer security and Secure Socket Layer).
Adversaries use these certificates to establish secure connections
with the target organization or individual by mimicking a trusted third
Hybrid of others An exploit combines elements of two or more of the aforementioned
Source: GAO, C ritical Infrastructure Protection: Measures Needed to Assess Agencies’
Promotion of the Cybersecurity Framework , GAO-16-152 (Washington, D.C.: Dec. 17,

Examples of recent cybersecurity attacks on critical infrastructure sectors

The consequences of cyberattacks and incidents have already been felt by several critical
infrastructure sectors:

Energy sector

Page 78 of 86

In the 2015 cyberattacks on the Ukrainian power grid, attackers issued unauthorized
commands to open the breakers at substations that three regional electricity utilities
managed, causing a loss of power to about 225,000 customers. It appears the attackers
used phishing emails to entice users to download malware onto their computers.

Transportation sector

In May 2021, the U.S.-based Colonial Pipeline Company announced that it was the victim
of a ransomware attack that led to temporary disruption in the delivery of gasoline and other
petroleum products across much of the southeast U.S.

Prior to the disruption, the U.S. GAO issued several findings and recommendations aimed
at addressing significant weaknesses in pipeline security program management within the
energy sector. For example, the GAO found that the government agency in charge of
pipeline security efforts had no process for determining when to update guidelines for
pipeline operators and needed to update its method for assessing risks.

The audit team made 10 recommendations related to these findings, including establishing
better processes for updating guidelines and assessing risks. As of May 2022, two of the 10
recommendations remain open. Specifically, the U.S. GAO had recommended that the
government agency in charge of U.S. pipeline security incorporate additional risk data into
its analysis of the relative risk of critical pipeline system, and coordinate an external peer
review of this risk analysis. If these steps were completed, there would be a better
understanding of the relative risk among pipeline systems using the most comprehensive
and accurate threat, vulnerability, and consequence information.

Communications sector

In February 2022, Viasat, Inc. began experiencing outages with its European satellite
internet service near the start of the Russian invasion of Ukraine, according to press
reporting. According to Viasat, the disruption was triggered by an attacker running
destructive commands against Viasat network devices. In its forensic analysis of the
incident, Sentinel Labs noted that the malware used in this attack shares some similarities
with malware used in attacks attributed to the Russian government. As a result of the attack,
a German wind turbine manufacturer explained that remote operation of more than 5,000
turbines had been affected. In March 2022, CISA and the FBI warned critical infrastructure
and other organizations of possible threats to U.S. and international satellite communication

Water and wastewater sector

In February 2021, the United States Department of Homeland Security issued an alert
explaining that cyber threat actors obtained unauthorized access to a U.S. water treatment
facility’s industrial controls systems and attempted to increase the amount of a caustic

Page 79 of 86

chemical that is used as part of the water treatment process. xii According to the Department
of Homeland Security, threat actors likely accessed systems by exploiting cybersecurity
weakness, including poor password security and an outdated operating system.

The alert recommended several recommendations to assist organizations in the water
sector, including:

 cyber hygiene measures, including updating to the latest version of the operating
systems and using strong passwords;
 physical security measures, such as installing systems hat physically prevent
dangerous conditions from occurring in the event of a cyberattack; and
 recommendations on the use and implementation of the specific software the
hacker used to gain access to the systems.

Healthcare and public health sector

In October 2020, during the COVID-19 pandemic, cybercriminals targeted several
organizations in the healthcare and public health sector. The cybercriminals disseminated
the malicious software using phishing campaigns that contain either links to malicious
websites that host the malware or attachments with the malware. In response to these
attacks, the U.S. Department of Homeland Security made several recommendations to
organizations in the sector, including maintaining business continuity plans, performing
cyber hygiene practices such as patch management, and ensuring that staff are trained.

Threats to multiple sectors

 In June 2017, the “NotPetya” malware was discovered. After NotPetya infected a
machine on which that software was installed, it was capable of automatically spreading
through a network and infecting other machines. NotPetya spread worldwide, damaged
computers used in critical infrastructure, and is estimated to have caused about $10
billion in damages globally. For example, it had infected organizations in several sectors
in the U.S., including finance, transportation, energy, commercial facilities, and
healthcare. The “NotPetya” malware exploited existing vulnerabilities in computer
software or networks to encrypt files and allowed attackers to gain privileged rights and
encrypt essential files, thus making the infected Windows computers unusable.

 In December 2020, the U.S. Department of Homeland Security issued an emergency
directive and alert explaining that an advanced persistent threat actor had compromised
the supply chain of a network management software suite and inserted a “backdoor”—
a malicious program that can potentially give an intruder remote access to an infected
computer—into a genuine version of that software product. The malicious actor then
used this backdoor, among other techniques, to initiate a cyberattack campaign against

Page 80 of 86

U.S. government agencies, critical infrastructure entities, and private sector

4.3 Considerations for auditing critical infrastructure sectors
When auditing critical infrastructure sectors, it is important to understand the technology
and systems used in the sector that is being audited; the potential vulnerabilities inherent
in that technology; the key guidance related to protecting the relevant systems; and the
regulatory environment of that sector.

I. Identifying and understanding key vulnerabilities for the critical infrastructure

It is important that auditors have a sufficient understanding of the technologies used by
a critical infrastructure sector, or key stakeholders or companies within that sector, to
identify potential areas of vulnerability. It is also important that audit teams analyze the
threats and hazards described above to determine their potential impacts on the critical
infrastructure sector, and how likely they are to occur.

Each sector uses unique systems and technology to accomplish its goals, but the
potential vulnerabilities across the sectors may be similar. However, the consequences
and impacts of cybersecurity attacks may be different depending on the technologies
used by that sector. Examples of these are described in more detail below.

Energy sector. Figure 2 depicts key potential vulnerabilities for a provider in the
energy critical infrastructure sector. These vulnerabilities could include physical
attacks—including the use of firearms or explosives—largely due to their stationary
nature, the volatility of transported products, and the dispersed nature of pipeline
networks spanning urban and outlying areas. The sophisticated computer systems
that pipeline operations rely on are also vulnerable to various cyber threats,
including malicious actors infiltrating business or control systems. For example, an
attacker could infiltrate a pipeline’s operational systems via the internet or other
communication pathways to potentially disrupt its service and cause spills,
releases, explosions, or fires.

Figure 2: U.S. Natural Gas and Oil Pipeline Systems’ Basic Components and
Examples of Vulnerabilities

Page 81 of 86

Transportation sector. Modern airplanes are equipped with networks and systems
that share data with the pilots, passengers, maintenance crews, other aircraft, and
air-traffic controllers in ways that were not previously feasible (as depicted in fig. 3).
Multiple networks for transmitting data internally and externally may be in place on
any given airplane, and these networks provide many different types of connections
between avionics and other systems. These systems and networks are at risk of a
variety of potential cyberattacks if not properly protected. Vulnerabilities could occur
due to (1) not applying modifications (patches) to commercial software, (2) insecure
supply chains, (3) malicious software uploads, (4) outdated systems on legacy
airplanes, and (5) flight data spoofing.

Figure 3: Key Systems Connections to Commercial Airplanes

Page 82 of 86

Financial services sector. The composition of the financial services sector extends
beyond the categories of financial services to include a network of essential specialized
service organizations and service providers that support the sector in its efforts to
provide a trusted services environment. For example, the financial services sector has
become more dependent on outsourcing certain activities—such as systems and
applications, hardware and software, and technically skilled personnel—to third-party
providers that are now an indispensable part of the sector’s infrastructure. Further,
mobile payment applications allow consumers to use their smartphones or other mobile
devices to make purchases and transfer money instead of relying on the physical use of
cash, checks, or credit and debit cards. Due in part to the introduction of these new
technologies, the financial services sector has even stronger need for information
technology capabilities and support from supply chain partners and third-party service
providers. A successful widespread cyberattack could erode public confidence in
financial institutions, deny businesses and individuals access to their funds, result in the
loss of funds, or affect the integrity of financial information.

Regardless of which sector is being audited, the team must understand the systems and
technology used in that sector, and the potential threats and vulnerabilities. This may be
accomplished by in several ways, including reviewing any documentation developed by
organizations within the sector, completing physical reviews of companies or locations, and
interviewing organizations within the sector. To identify vulnerabilities, an auditor may review
prior reports on cyber-based threats facing the sector as well as the threats identified by
cybersecurity organizations. Auditors should also analyze documentation from key
organizations in the sector, particularly those developed by any regulatory bodies (discussed
below), and interview subject matter experts.

Page 83 of 86

II. Identifying the regulatory and oversight framework, and stakeholder roles and
responsibilities, for the critical infrastructure sector(s)

The effort to strengthen critical infrastructure security depends on the ability of public and
private sector critical infrastructure owners and operators to make risk-informed decisions
in a collaborative way and to constantly share information to ensure that risk is properly
managed. In certain countries such as the United States, the private sector owns the majority
of the nation’s critical infrastructure instead of the government. Thus, it is vital that the public
and private sectors work together to protect these assets and systems.

Each country may oversee critical infrastructure sectors differently. In some cases, there
may be a body in charge of regulating all activity for that sector. In other cases, there may
be a government body that collaborates with critical infrastructure owners and operators and
provides government support as needed but does not have a direct oversight role.
Additionally, a country may not have regulators or regulatory bodies overseeing or providing
support for a sector. Before beginning an audit, it is important that auditors understand the
roles and responsibilities for protecting the sector that they are evaluating.

For example, in the United States, efforts to protect various critical infrastructure sectors are
carried out through the joint efforts of multiple components of a public-private partnership
model, including government agencies. These federal government agencies, referred to as
“sector risk management agencies,” prioritize and coordinate security and resilience efforts
and carry out incident management responsibilities for their assigned critical infrastructure
sectors. For example:

 In the transportation sector , the U.S. Federal Aviation Administration is co-lead,
with the U.S. Department of Homeland Security, on infrastructure protection
activities specifically for the avionics subsector. The Federal Aviation
Administration is responsible for the safety and oversight of commercial aviation,
which includes the certification and oversight of all US commercial aviation
products and commercial entities, while the Department of Homeland Security is
responsible for coordinating federal government activities addressing aviation

 In the financial services sector , the U.S. Department of the Treasury is the
sector risk management agency charged with coordinating the partnership
between private sector firms and the federal government. However, Treasury
works with other stakeholders, such as federal regulators and industry groups, to
enhance the security of the financial services sector and assist members of the
sector to collaborate to mitigate risks.

III. Identifying potential challenges or audit findings

Page 84 of 86

In order to identify findings and areas for improvement, an audit team should use the
information they gathered about the potential vulnerabilities, as well as the information about
the regulatory or oversight framework, to determine how to design the audit and what
methodologies to use.

If there is an oversight body, an audit team may work to identify how effective the
cybersecurity oversight has been for that sector. If there is no oversight body, the audit team
may consider evaluating the cybersecurity policies and procedures for key companies or
organizations within the critical infrastructure sector

Key questions to ask during an audit
 If there is an oversight or regulatory body:
o Oversight :
 Have they established an oversight program that includes cybersecurity?
Have they completed a risk assessment related to the sector? Have they
defined program objectives based on that risk assessment? Do they have
control activities related to the identified risks?
 Do they oversee/evaluate the implementation of cybersecurity and data
protection controls? If so, how? Did they produce oversight reports or
other documents? If not, why not?
o Guidance : Have government or other regulatory bodies identified guidance
(such as the NIST cybersecurity framework), or developed guidance, that could
be used in the particular sector(s)?
 Have they taken steps to encourage the use of relevant guidance?
 Have they taken steps to determine whether organizations in the sector
follow the relevant guidance (e.g., by using surveys, reporting,
assessments, or other mechanisms)?
 If the oversight body has developed guidance, does that guidance reflect
the current threat environment? Does the guidance reflect requirements
in law or best practices from applicable standards (such as the NIST
Framework for Improving Critical Infrastructure Cybersecurity )?
o Enforcement : Do they have enforcement authority? If so, do they take
enforcement measures?
o Workforce : Do they have the appropriate staff/skills to oversee cybersecurity
and data protection policies and procedures? Do they provide appropriate
training to staff, and how often?
o Collaboration : Have these supporting agencies assisted in identifying
improvements that could be made? How do sector stakeholders share security-
related information?
 If there is no government oversight body, an auditor may determine whether the critical
infrastructure owner/operator has a cybersecurity risk management program and/or has
performed a cybersecurity risk assessment using the criteria identified above and in
chapter 3 of this document.

Page 85 of 86

For example, in October 2020, the U.S. GAO reported that, as part of its responsibilities in
the transportation sector , the U.S. Federal Aviation Administration (FAA) should prioritize
oversight of evolving cyber threats and increasing connectivity between airplanes and other
systems: xii
o Oversight : FAA had not conducted an assessment of the risks to avionics
systems to determine the relative priority of cybersecurity risks to avionics
systems versus other safety concerns in its oversight program. Without such an
assessment, the GAO reported that FAA may not be able to appropriately
strengthen its oversight program specific to avionics systems cybersecurity
o Guidance : FAA had established a process for the certification and oversight of
U.S. commercial airplanes, including their operations.
o Enforcement : FAA’s monitoring of the implementation of avionics cybersecurity
controls in airplanes that are deployed in active service with air carriers does not
include policies or procedures for periodic testing. The GAO reported that until
FAA develops policies and procedures for periodic testing as part of its
monitoring process, it may be unable to ensure that cybersecurity controls remain
effective in mitigating evolving threats in deployed airplanes.
o Workforce : FAA did not have a staff training program specific to avionics
cybersecurity and none of the agency’s certification staff are required to take
cybersecurity training tailored to their oversight role. The GAO reported that until
FAA establishes a staffing and training program appropriately tailored to avionics
cybersecurity, the agency may not have the expertise necessary to address the
increasing cybersecurity risks to these systems.
o Collaboration : The GAO also reported that FAA coordinated with other key
federal agencies and industry to address aviation cybersecurity issues. However,
FAA’s internal coordination activities did not fully reflect key collaboration
practices. For example, FAA had not established a tracking program for
monitoring progress on issues raised at meetings and its oversight was not
supported through dedicated agency resources in its budget. The GAO reported
that until FAA prioritizes coordination efforts based on that assessment, it may
not be allocating resources and coordinating on risks as effectively as it could.

4.4 Example reports on critical infrastructure sectors
Government-wide critical infrastructure reviews:

 GAO, Critical Infrastructure Protection: Agencies Need to Assess Adoption of
Cybersecurity Guidance , GAO-22-105103 (Washington, D.C.: Feb. 9, 2022).
 GAO, High-Risk Series: Federal Government Needs to Urgently Pursue Critical
Actions to Address Major Cybersecurity Challenges , GAO-21-288 (Washington,
D.C.: Mar. 24, 2021).

Page 86 of 86

 GAO, Critical Infrastructure Protection: Additional Actions Needed to Identify
Framework Adoption and Resulting Improvements , GAO-20-299 (Washington, D.C.:
Feb. 25, 2020).
 GAO, Critical Infrastructure Protection: Additional Actions Are Essential for
Assessing Cybersecurity Framework Adoption , GAO-18-211 (Washington, D.C.:
Feb. 15, 2018).
 GAO, C ritical Infrastructure Protection: Measures Needed to Assess Agencies’
Promotion of the Cybersecurity Framework , GAO-16-152 (Washington, D.C.: Dec.
17, 2015).
 GAO, Critical Infrastructure Protection: Sector-Specific Agencies Need to Better
Measure Cybersecurity Progress , GAO-16-79 (Washington, D.C.: Nov. 19, 2015).

Sector-specific reports:

 Energy/transportation: GAO, Critical Infrastructure Protection: Actions Needed to
Address Significant Weaknesses in TSA’s Pipeline Security Program Management ,
GAO-19-48 (Washington, D.C.: Dec. 18, 2018).

 Transportation: GAO, Aviation Cybersecurity: FAA Should Fully Implement Key
Practices to Strengthen Its Oversight of Avionics Risks , GAO-21-86 (Washington,
D.C.: Oct. 9, 2020).

 Financial services: GAO, Critical Infrastructure Protection: Treasury Needs to
Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts , GAO-20-
631 (Washington, D.C.: Sept. 17, 2020).

Nota: El texto extraído es sólo una aproximación del contenido del documento, puede contener caracteres especiales no legibles.

Compartir en redes