MASS UK Industry Conduct Principles and Code of Practice 2022 (V6)
automatically. Others are testing and verifying the security configurations of implemented systems and investigating incidents that can compromise system or network security.
https://www.open-scap.org/features/standards/

20. ANSI
The ANSI (American National Standards Institute) framework contains standards, information and technical reports that set out procedures for implementing and maintaining Industrial Automation and Control Systems (IACS); the structure described here is that of the ANSI/ISA-62443 series (published internationally as IEC 62443). The framework applies to all organisations that implement or manage IACS. It consists of four categories as defined by ANSI. The first contains foundational material such as security models, terminology and concepts. The second addresses creating and maintaining IACS cyber security programs (policies and procedures). The third and fourth set out requirements for secure system integration and security requirements for product (component) development, respectively.
https://www.ansi.org/

21. NIST SP 800-12
NIST SP 800-12 provides an introduction to computer and information security within an organisation and focuses on the security controls an organisation can implement to strengthen its cyber security defences. Although most of the controls and security requirements were designed for US federal agencies, they are directly applicable to private organisations seeking to improve their cyber security programs. NIST SP 800-12 helps companies maintain policies and programs for securing sensitive IT infrastructure and data.
https://csrc.nist.gov/CSRC/media/Publications/sp/800-12/rev-1/draft/documents/sp800_12_r1_draft.pdf

22. NIST SP 800-14
NIST SP 800-14 provides detailed descriptions of commonly used security principles and practices. It helps organisations understand what a cyber security policy needs to cover, so that the resulting programs and policies address essential data and systems holistically. The publication also outlines specific measures that companies can use to strengthen security policies already in place. In total, NIST SP 800-14 describes eight security principles and 14 cyber security practices.
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890092

23. NIST SP 800-26
Whereas NIST SP 800-14 discusses the security principles used to secure information and IT assets, NIST SP 800-26 provides a self-assessment guide for managing IT security. Implementing security policies alone does not deliver adequate cyber security, because policies need frequent assessment and evaluation; the publication therefore describes how to conduct risk assessments and practices for managing the risks identified. Note that NIST has since withdrawn SP 800-26 (it was superseded by SP 800-53A), so the link below points to the archived 2001 edition. Used together, the different NIST publications give businesses a basis for maintaining an adequate cyber security program.
https://csrc.nist.gov/publications/detail/sp/800-26/archive/2001-11-01

5.14 CYBER GLOSSARY
“Access control” is the selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.

“Back door” is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software.

“Bring your own device (BYOD)” allows employees to bring personally owned devices (laptops, tablets and smart phones) to the ship and to use those devices to access privileged information and applications for business use.

“Cyberattack” is any type of offensive manoeuvre that targets IT and OT systems, computer networks and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data.

“Cyber incident” is an occurrence which actually or potentially results in adverse consequences to an onboard system, network or computer, or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences.

“Cyber risk management” means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, taking into consideration the costs and benefits of actions taken by stakeholders.

“Cyber system” is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems.

“Defence in breadth” is a planned, systematic set of activities that seek to identify, manage and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network or sub-component life cycle. On board ships, this approach will generally focus on network design, system integration, operations and maintenance.

“Defence in depth” is an approach which uses layers of independent technical and procedural measures to protect IT and OT on board, so that the failure or bypass of any single measure does not by itself compromise the system.

“Executable software” is software containing instructions that a computer runs directly to perform specified tasks.

“Firewall” is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information.

“Firmware” is software embedded in electronic devices that provides control, monitoring and data manipulation of engineered products and systems. Firmware is normally self-contained and not accessible to user manipulation.

“Flaw” is unintended functionality in software.

“Intrusion Detection System (IDS)” is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

“Intrusion Prevention System (IPS)”, also known as Intrusion Detection and Prevention System (IDPS), is a network security appliance that monitors network and/or system activities for malicious activity and, unlike an IDS, can also block or drop the traffic it identifies.

“Local Area Network (LAN)” is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media.