|
|
| MEDIUM | · ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3 |
|
|
|
| 2.1.3 | PR.AC-3: Are SMEs establishing and documenting usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed to their systems in accordance with their access control policy? | HIGH | · COBIT 5 APO13.01, DSS01.04, DSS05.03 · ISA 62443-2-1:2009 4.3.3.6.6 · ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1 | SME Administrator/ Logging all activities. | Sub Metric | Met2.1.3 |
| 2.1.4 | PR.AC-4: Is access to systems by users |managed in terms of permissions, implementing the use of least privilege? |
| · CCS CSC 12, 15 · ISA 62443-2-1:2009 4.3.3.7.3 · SA I62443-3-3:2013 SR 2.1 · NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16 | SME Administrator to avoid giving access to unauthorised users. | Sub Metric | Met2.1.4 |
|
|
| HIGH |
|
|
|
|
| 2.1.5 | PR.AC-5: Is the SMEsLAN and WAN well protected, including network segregation if applicable? | MEDIUM | · ISA 62443-2-1:2009 4.3.3.4 · ISA 62443-3-3:2013 SR 3.1, SR 3.8 · ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1 | SME Administrator t ensure network is secure | Sub Metric | Met2.1.5 |
| 2.1.6 | PR.AC-7: Does the cloud provider use appropriate technology like single-factor, multi-factor to ensure that SME users, devices, and other assets are authenticated? | MEDIUM | · COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03 · ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4 | Cloud Provider | Sub Metric | Met2.1.6 |
| 2.2 | Awareness and Training (2.2): The SME’s users and staff are provided regular security awareness trainings and are sufficiently trained to perform their work whilst ensuring that security is paramount and tasks are performed as outlined in the policies, procedures, and agreements. |
|
|
| Metric | Met2.2 |
| 2.2.1 | PR.AT-1: All users are informed and trained on the security aspects pertaining to their cloud usage? | HIGH | · ISO/IEC 27001:2013 A.7.2.2 · NIST SP 800-53 Rev. 4 AT-2, PM-13 · COBIT 5 APO07.03, BAI05.07 · ISA 62443-2-1:2009 4.3.2.4.2 | SME Users/Admin/ Owners be trained well | Sub Metric | Met2.2.1 |
| 2.2.2 | PR.AT-2: Do the SME’s Privileged users like admins and super users understand their privileges & responsibilities pertaining to the cloud? | HIGH | · CCS CSC 9 · COBIT 5 APO07.02, DSS06.03 · ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3 · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 · NIST SP 800-53 Rev. 4 AT-3, PM-13 | SME Users/Admin/ Owners be trained well | Sub Metric | Met2.2.2 |
| 2.2.4 | PR.AT-4: Do the SME’s owners and senior personnel understand their privileges & responsibilities pertaining to the cloud? | HIGH | · COBIT 5 APO07.03 · ISA 62443-2-1:2009 4.3.2.4.2 · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, · NIST SP 800-53 Rev. 4 AT-3, PM-13 | SME Users/ Admin/ Owners be trained well | Sub Metric | Met2.2.4 |
| 2.2.5 | PR.AT-5: Do information security personnel understand their privileges & responsibilities pertaining to the cloud? | MEDIUM | · CCS CSC 9 · COBIT 5 APO07.03 · ISA 62443-2-1:2009 4.3.2.4.2 · ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, · NIST SP 800-53 Rev. 4 AT-3, PM-13 | SME Users/Admin | Sub Metric | Met2.2.5 |