16.11.2022

MASS UK Industry Conduct Principles and Code of Practice 2022 (V6)

automatically. Others are testing and verifying the security configurations of implemented systems and investigating incidents that can compromise system or network security.

https://www.open-scap.org/features/standards/

20. ANSI

The ANSI (American National Standards Institute) framework contains standards, information, and technical reports which outline procedures for implementing and maintaining Industrial Automation and Control Systems (IACS). The framework applies to all organisations that implement or manage IACS systems. The framework consists of four categories as defined by ANSI. The first category contains foundational information such as security models, terminology, and concepts. The second category addresses the aspects involved in creating and maintaining IACS cyber security programs. The third and fourth categories outline requirements for secure system integration and security requirements for product development, respectively.

https://www.ansi.org/

21. NIST SP 800-12

This framework provides an overview of control and computer security within an organisation. NIST SP 800-12 also focuses on the different security controls an organisation can implement to achieve a strengthened cyber security defence. Although most of the control and security requirements were designed for federal and governmental agencies, they are highly applicable to private organisations seeking to enhance their cyber security programs. NIST SP 800-12 enables companies to maintain policies and programs for securing sensitive IT infrastructure and data.

https://csrc.nist.gov/CSRC/media/Publications/sp/800-12/rev-1/draft/documents/sp800_12_r1_draft.pdf

22. NIST SP 800-14

NIST SP 800-14 is a unique publication that provides detailed descriptions of commonly used security principles. The publication enables organisations to understand everything that needs to be included in cyber security policies. As a result, businesses can develop holistic cyber security programs and policies covering essential data and systems. The publication also outlines specific measures which companies should use to strengthen already implemented security policies. In total, the NIST SP 800-14 framework describes eight security principles with a total of 14 cyber security practices.

https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890092

23. NIST SP 800-26

Whereas the NIST SP 800-14 framework discusses the various security principles used to secure information and IT assets, NIST SP 800-26 provides guidelines for managing IT security. Implementing security policies alone cannot enable a company to realise optimum cyber security, since policies require frequent assessment and evaluation. For example, the publication contains descriptions for conducting risk assessments and practices for managing identified risks. It is a highly useful framework that ensures organisations maintain effective cyber security policies. A combination of different NIST publications can ensure businesses maintain adequate cyber security programs.

https://csrc.nist.gov/publications/detail/sp/800-26/archive/2001-11-01

5.14 CYBER GLOSSARY

“Access control” is the selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.

“Back door” is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software.

“Bring your own device (BYOD)” allows employees to bring personally owned devices (laptops, tablets, and smart phones) to the ship and to use those devices to access privileged information and applications for business use.

“Cyberattack” is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data.

“Cyber incident” is an occurrence which actually or potentially results in adverse consequences to an onboard system, network and computer or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences.

“Cyber risk management” means the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders.

“Cyber system” is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems.

“Defence in breadth” is a planned, systematic set of activities that seek to identify, manage, and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network, or sub-component life cycle. Onboard ships, this approach will generally focus on network design, system integration, operations and maintenance.

“Defence in depth” is an approach which uses layers of independent technical and procedural measures to protect IT and OT on board.

“Executable software” includes instructions for a computer to perform specified tasks according to encoded instructions.

“Firewall” is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information.

“Firmware” is software embedded in electronic devices that provides control, monitoring and data manipulation of engineered products and systems. These are normally self-contained and not accessible to user manipulation.

“Flaw” is unintended functionality in software.

“Intrusion Detection System (IDS)” is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

“Intrusion Prevention System (IPS)”, also known as an Intrusion Detection and Prevention System (IDPS), is a network security appliance that monitors network and/or system activities for malicious activity.

“Local Area Network (LAN)” is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media.

MASS UK Industry Conduct Principles and Code of Practice Version 6
