GCC960C103 3BHE033067R0103模块备件

DDC779BE02 3BHE006805R0002

需要与信息技术专家合作的物理安全评估员
在风险评估过程中评估各种系统。这包括效用
渗透点和控制；电信设备和房间；和物理访问
控制和电子安全系统、部件和控制。这些元件中的每一个可以
或者可以不具有基于网络的操作系统和/或互联网连接。鉴于这些
变量，工作组建议采用一种综合方法
网络安全专业人员参与制定适当风险的所有阶段
评估方法，进行风险和脆弱性评估，并建议
适当的对策和/或协议。这样，联邦设施将更加安全
并且在面对来自所有危险的威胁时具有弹性。
3.1评估方法
为了识别漏洞，物理安全评估人员需要评估相同的系统
包括在物理安全评估中，
通过网络或虚拟手段连接、操作或连接。具体而言，必须进行调查
关于每个组件的操作和与网络的连接
潜在漏洞，系统是远程操作还是本地操作，以及
安全控制已到位（例如，加密、防火墙、业务系统防病毒软件、，
等等）。
3.2威胁识别和缓解
机构间安全委员会（ISC）召集设计基础威胁（DBT）
小组委员会和反措施小组委员会处理和更新威胁和
相应的安全标准。这些机构应是以下方面的协调中心和起点：
制定额外的安全标准以减轻网络威胁。两个小组委员会都有：
用于更新其产品的流程，这些流程可以扩展到包括
与总统政策指令21和行政命令13636相关的考虑。
3.2.1威胁定义
为了有效确定可能的漏洞，设计基础威胁小组委员会
需要将网络威胁纳入不良事件列表。定义了网络威胁
作为：
可能对组织运营产生不利影响的任何情况或事件
（包括使命、职能、形象或声誉）、组织资产、个人、其他
通过信息系统通过未经授权的访问、破坏或访问，
披露、修改信息和/或拒绝服务。8
该威胁类别的识别应包括潜在目标吸引力特征，以及
可能的场景。成功识别这些特征后，安全评估人员将
反过来，识别这些威胁的漏洞，并根据识别的漏洞对设施进行分类
目标吸引力特征。该小组委员会可以利用联邦、州、地方、部落、，
地区和/或私营部门主题专家协助

DDC779BE02 3BHE006805R0002

DDC779BE02 3BHE006805R0002

Physical security assessors, in collaboration with information technology specialists, are required to evaluate a variety of systems during the risk assessment process. This includes utility penetration points and controls; telecommunications equipment and rooms; and physical access controls and electronic security systems, components, and controls. Each of these elements may or may not have a cyber-based operating system and/or internet connectivity. Given these variables, the Working Group recommends an integrated approach whereby physical security and cybersecurity professionals are involved in all phases of developing an appropriate risk assessment methodology, conducting risk and vulnerability assessments, and recommending appropriate countermeasures and/or protocols. In doing so, Federal facilities will be more secure and resilient in the face of threats from all hazards. 3.1 Assessment Methodology To identify vulnerabilities, physical security assessors need to evaluate the same systems already included in the physical security assessment, but also determine if the systems are dependent, operated, or connected through cyber or virtual means. Specifically, inquiries must be made regarding each component’s operation and connectivity to a network, the type and impact of potential vulnerabilities, whether the system is/can be operated remotely or locally, and what security controls are in place (e.g., encryption, firewalls, business system antivirus software, etc.). 3.2 Threat Identification and Mitigation The Interagency Security Committee (ISC) convenes the Design Basis Threat (DBT) Subcommittee and the Countermeasures Subcommittee to address and update threats and corresponding security criteria. These bodies should be the focal and starting points for developing additional security criteria to mitigate cyber threats. Both Subcommittees have processes in place for updating their products, and these can be expanded to include considerations relevant to Presidential Policy Directive 21 and Executive Order 13636. 3.2.1 Threat Definition In order to effectively determine possible vulnerabilities, the Design Basis Threat Subcommittee will need to incorporate cyber threat into the list of undesirable events. A Cyber Threat is defined as: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.8 Identification of this threat category should include potential target attractiveness features and possible scenarios. Upon successful identification of these characteristics, security assessors will in turn identify vulnerabilities to those threats and categorize facilities based upon the identified target attractiveness feature(s). The Subcommittee can utilize Federal, state, local, tribal, territorial, and/or private sector subject matter experts to assist in d