Proposed Cybersecurity SAI Questions - HWY BASE
| Section | Description | NIST Category |
|---|---|---|
| 13.000 | Enhance Internal and External Cybersecurity | |
| 13.000 | IDENTIFY | |
| 13.101 | Does your organization have a cybersecurity program? | Asset Management |
| 13.102 | Does your organization have written and approved cybersecurity policy, plan, process, and supporting procedures? | Asset Management |
| 13.103 | Do your cybersecurity plans incorporate any of the following approaches/guidance? | Asset Management |
| | * National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity | Asset Management |
| | * NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | Asset Management |
| | * NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations | Asset Management |
| | * ISO/IEC 27001 - Information Security Management | Asset Management |
| | * U.S. Department of Homeland Security, Transportation Systems Sector Cybersecurity Framework Implementation Guidance | Asset Management |
| | * Industry-specific methodologies (see TRB, APTA, ATA Fleet CyWatch, etc.) | Asset Management |
| | * Other (if checked, elaborate) | Asset Management |
| 13.104 | Does your organization review, assess, and update as necessary all cybersecurity policies, plans, processes, and supporting procedures at least every 12 months, or when there is a significant organizational or technological change? | Governance |
| 13.105 | Does your organization conduct cyber vulnerability assessments, as described in your risk assessment process, in the following environments? | Risk Assessment |
| | * OT environment? | Risk Assessment |
| | * IT environment? | Risk Assessment |
| 13.106 | Has a written cybersecurity incident response strategy been developed and integrated into the overall cybersecurity program? | Risk Management Strategy |
| 13.107 | Has your organization taken actions to ensure that its supply chain policies, procedures, and processes (including acquisition, receipt, warehousing, inventory control, and distribution) address cybersecurity risks when acquiring vehicles, equipment, goods, and services? | Supply Chain Management |
| 13.200 | PROTECT | |
| 13.201 | Does your organization have a designated and alternate cybersecurity representative and/or team responsible for the following? | Identity Management & Access Control |
| | * OT? | Identity Management & Access Control |
| | * IT? | Identity Management & Access Control |
| 13.202 | Does the organization ensure that recurring cybersecurity training reinforces the security roles, responsibilities, and duties of employees at all levels to protect against and recognize cyber threats for the following? | Awareness and Training |
| | * OT? | Awareness and Training |
| | * IT? | Awareness and Training |
| 13.203 | Has your organization established and documented policies and procedures for the following? | Data Security |
| | * Access Control | Data Security |
| | * Awareness and Training | Data Security |
| | * Audit and Accountability | Data Security |
| | * Configuration Management/Baseline security controls | Data Security |
| | * Cyber Asset Management and Maintenance/Change Management | Data Security |
| | * Cybersecurity Incident Response | Data Security |
| | * Identification and Authentication | Data Security |
| | * Information Protection | Data Security |
| | * Insider Threat | Data Security |
| | * Media Protection | Data Security |
| | * Patch Management | Data Security |
| | * Personnel Security | Data Security |
| | * Physical Protection (related to cyber systems, cyber assets, communications) | Data Security |
| | * Recovery (disaster, business continuity) plan(s) | Data Security |
| | * Risk Assessment | Data Security |
| | * Security Assessment | Data Security |
| 13.204 | Does the organization prioritize protection for accounts with elevated privileges, remote access, and/or accounts used on high-value assets by using a multi-factor authentication approach for the identified high-value assets? | Information Protection Processes & Procedures |
| 13.300 | DETECT | |
| 13.301 | Has your organization implemented processes to respond to anomalous activity through the following? | Anomalies and Events |
| | * Generating alerts and responding to them in a timely manner? | Anomalies and Events |
| | * Logging cybersecurity events and reviewing these logs? | Anomalies and Events |
| | * Are logs regularly analyzed and retained for a minimum of 12 months? | Anomalies and Events |
| 13.302 | Does your organization monitor for unauthorized access or the introduction of malicious code or communications? | Security Continuous Monitoring |
| 13.303 | Has your organization established technical or procedural controls for cyber intrusion monitoring and detection? | Security Continuous Monitoring |
| 13.400 | RESPOND | |
| 13.401 | Has your organization established policies and procedures for cybersecurity incident handling, analysis, and notifications (reporting/alerting), including assignment of specific roles/tasks to individuals and teams? | Response Planning |
| 13.402 | Does the organization have procedures in place for reporting incidents through the appropriate channels (i.e., local FBI and CISA cyber incident response office(s)) and also for contacting TSA's Transportation Security Operations Center (TSOC) about actual or suspected cyber-attacks that could impact transportation operations? | Communications |
| 13.500 | RECOVER | |
| 13.501 | Has your organization established a plan for the recovery and reconstitution of cyber assets within a time frame that aligns with the organization's safety and business continuity objectives? | Recovery Planning |
| 13.502 | Has the organization developed, separately or as part of another document, recovery plans in the event of a cybersecurity incident for the following? | Recovery Planning |
| | * IT (devices that support communication, business enterprise)? | Recovery Planning |
| | * IT/OT (devices that support the organization's operations)? | Recovery Planning |
| | * ICS (cyber systems for operations and management)? | Recovery Planning |
| 13.503 | Does your organization review its cyber recovery plan annually and update it as necessary? | Recovery Planning |
| 13.504 | Does the organization document lessons learned and incorporate them into cybersecurity planning and training? | Improvements |
| 13.505 | Does the organization have documented procedures in place to coordinate restoration efforts with internal and external stakeholders (coordination centers, Internet Service Providers, victims, vendors, etc.)? | Communications |