Abstract

New regulation on cybersecurity for critical infrastructure mandates the implementation of a minimum set of security measures to achieve a satisfactory security posture for the respective business domain. The organization responsible for operating a given critical infrastructure may have some flexibility in selecting the recommended or mandatory national or international standards used for compliance. No matter which set of standards and guidelines is selected, security incident response will be one of the key security requirements to be met, e.g. according to ISO/IEC 27002:2013, §16, ISO/IEC 27035, ISO/IEC 27041 or NIST SP 53Rev4. This paper focuses on the business needs and practical approaches to shared responsibility for the enforcement of selected security controls. The topics and case studies addressed in this paper include the shared responsibility of contractors with service providers (e.g. application providers and cloud service providers) and the shared responsibility related to maintenance services (site-local maintenance, remote maintenance, and preventive maintenance). As of today, there is no agreed-upon semi-formal representation for expressing these shared responsibilities.
