COUNTRY:
NAME:
ORGANIZATION:
JOB POSITION:
SECTOR:
DATE:
STAKEHOLDER GROUP:
INTERVIEWER:

CYSPA Questionnaire

To support:
- Impact analysis of cyber disruptions across target industry sectors
- Prioritisation of strategic activities for the CYSPA Alliance

Section 1: All stakeholders

Section 1: General Information
[To be completed by interviewer where possible]

Question                                                          Response
Number of employees
Annual turnover
Operates across multiple countries? If yes, which?
Member of any trade organisation or initiatives? If yes, which?
Relationships with government departments? If yes, which?

Page 1 of 17

Section 2a: Users

Section 2a.1: Assets
This section is designed to identify the types of network and information assets your organisation has, and how these contribute to both a national and international picture.

What systems, networks and information assets do you operate which you consider to be critical to your organisation?
For example: Finance systems, CRM systems, HR systems, corporate email, operational control systems, network management systems, payment systems, customer information databases.

What systems, networks and information stores do you operate that you consider to be critical at national or international level (e.g. are part of critical national infrastructure, or provide systemic capability at EU level)?
For example: Systems which could be considered to be part of critical national infrastructure.

What systems, networks and information assets external to your organisation is your organisation critically dependent upon?
For example: National power networks, transport networks, international payments mechanisms such as SWIFT.

Section 2a.2: Threats
This section explores the cyber threat that your organisation faces.

In your opinion, which threat actors present the greatest risk to your organisation?
Please select 2-3 from the list:
- Criminal groups or professional fraudsters
- Employees/insiders to the organisation
- Hobbyist hackers
- Competitors
- Those involved in industrial espionage
- Activists
- State sponsored spies
- Suppliers or partners
- Other:

In your opinion, what are the most serious threats that are perceived in your organization?
Please select 2-3 from the list:
- Natural disasters
- Environmental or industrial disasters
- Communications services failure
- Organizational deficiencies
- Software vulnerabilities
- Masquerading of identity
- Malware
- APT (Advanced Persistent Threats)
- Software manipulation
- Destructive attack
- Intrusion in the facilities
- Staff shortage
- Extortion
- Social engineering
- Other:

How does potential cyber disruption compare with other operational threats across your organisation?

Section 2a.3: Impacts
This section explores the potential impact of a cyber disruption on your organisation.

In the event of a cyber disruption, what impact would be of most concern to your organisation?
Please select 2-3 from the list:
- Loss of customer data
- Reputation damage through exposure of internal decisions
- Interruption of internal service during a trading period
- Interruption of service to customer
- Direct monetary loss, for example embezzlement
- Theft of intellectual property
- Theft of competitive bid information or pricing data
- Compromise of customer capabilities
- Loss or compromise of personal data
- Other:

We use a five point scale for assessing the impact of a cyber disruption:

Level  Rating              Description
5      Very high impact    Worst case. Full prescriptive controls & executive oversight required.
4      High impact         Severe
3      Medium impact       Major
2      Low impact          Moderate
1      Very low impact     Minor. Few controls needed.
0      Negligible impact   No meaningful impact, no controls needed.

The table below contains a number of scenarios to explore the impact of a cyber disruption on your organisation.
Using the above five-point scale, for each scenario please rate the extent to which the different types of impact would affect your organisation:

Impact types to rate for each scenario:
- Impact on the mission. For example: level of damage to operational effectiveness or efficiency.
- Financial/economic loss. For example: % revenue lost; cost of response & fines.
- Reputational damage. For example: amount of negative press coverage; customer satisfaction; public opinion.
- Information availability. For example: criticality of information availability; extent to which information is recoverable/regenerable.

A cyber disruption leads to…
- An outage of your online services for a prolonged period
  Example ratings for this scenario:
    Impact on the mission: E.g. 2: Low impact on operational effectiveness
    Financial/economic loss: E.g. 1: Very low impact – loss of earnings is <1% revenue, cost of response is <1% of revenue
    Reputational damage: E.g. 3: Medium impact – some negative national press coverage & adverse publicity
    Information availability: E.g. 1: Very low impact – information is recoverable and outage period is tolerable
- Irretrievable loss of a significant amount of customer data
- Publication of a copy of your latest corporate strategy document
- An outage of part of your operational services
- Your corporate email service being unavailable for several days
- Your Intellectual Property getting into the hands of a competitor

Regarding the assets identified in section 2a.1, what are the critical impacts that could be caused by a cyber disruption on these assets?
For example, financial/economic loss, reputation damage, reduced availability of information.

Section 2a.4: Controls
This section is designed to identify your organisation’s current mechanisms and controls to protect and mitigate against cyber disruptions.

What measures are currently in place to protect the critical assets you identified in 2a.2 from cyber disruptions?

What contingency plans do you have in place in the event of a cyber disruption on these assets?

Who has overall accountability in your organisation for ensuring resilience against cyber disruption?
Which elements of your organisation have a role in achieving resilience?

Generally, what information security measures do you employ across your organisation?

Do you feel staff within your organisation understand relevant policies about how different data types are required to be protected?
For example, policies around protection of personal data, financial services data etc.

Section 2b: Providers

Section 2b.1: Threats
This section is designed to explore the kinds of cyber threats that are faced by the market sectors your organisation operates in.

Which industry sectors does your organisation primarily provide services or products to?

In your opinion, what are the most serious threats that are perceived at the market sector(s) your organisation operates in?
Please select 2-3 from the list:
- Natural disasters
- Environmental or industrial disasters
- Communications services failure
- Organizational deficiencies
- Software vulnerabilities
- Masquerading of identity
- Malware
- APT (Advanced Persistent Threats)
- Software manipulation
- Destructive attack
- Intrusion in the facilities
- Staff shortage
- Extortion
- Social engineering
- Other:

In your opinion, what threat actors present the greatest risk to the market sector(s) your organisation operates in?
Please select 2-3 from the list:
- Criminal groups or professional fraudsters
- Employees/insiders to the organisation
- Hobbyist hackers
- Competitors
- Those involved in industrial espionage
- Activists
- State sponsored spies
- Suppliers or partners
- Other:

Section 2b.2: Impacts
This section is designed to explore the level of impact a potential cyber disruption could have on the market sectors your organisation operates in.

In your opinion, what are the biggest cyber security risks and areas of most concern in these industry sectors?

Section 2c: Public Authorities

Section 2c.1: Assets
This section is designed to identify the critical infrastructure and assets at a national level.
Which systems, networks, information assets or organisations are you most concerned about in terms of cyber security risk from a national or international level?

Which other systems, networks, information assets or organisations do you consider to be critical at a national or international level?

Section 2c.2: Impacts
This section explores the potential impacts and key challenges that your country faces in relation to cyber security.

At a national level, what level of risk does cyber security currently pose?

What impacts are of most concern at national or international level?

Section 2c.3: Controls
This section is designed to identify the current mechanisms and controls that protect and mitigate against cyber disruptions at a national level.

What initiatives or bodies are currently in place at a national level to improve cyber security?
For example CERTs, information sharing schemes, threat intelligence schemes, awareness schemes.

Are there any further planned national initiatives or bodies designed to improve cyber security? If so, are you able to provide objectives and approximate timescales for these?

In your opinion, do you think the level of cyber security across key organisations in your country is sufficient? Please provide an explanation for your response.

Section 3: All stakeholders

Section 3: Benefits
This section will explore which kinds of strategic direction and action you would be interested in CYSPA taking.

CYSPA Benefits map: The benefits map shows the different benefits that CYSPA’s stakeholder groups can achieve through involvement with the CYSPA project and Alliance.

Which of these benefits are of most interest to your organisation?

Are there any other benefits or outcomes that you would like to achieve through involvement with CYSPA?

If you operate across multiple countries within the EU, what are the biggest challenges this poses from a cyber security perspective?
For example, differing legislative requirements for management of personal data across nations, different levels of law enforcement in relation to cyber crime, differing levels of cyber security maturity across countries.

The European Commission is currently involved in and/or sponsoring a number of initiatives related to cyber security. What kinds of activities do you think are missing at European level?
For example, Europe-wide standards, maturity models, common legislation on cyber security issues, etc.

CYSPA is currently assessing a number of different strategic directions that it could take to actively contribute to improved cyber security across industry. Of the below strategic themes, which would be of most interest to you?
[Please assign each theme a priority of High, Medium or Low]

Theme                                              Your prioritisation (H, M, L)
Understanding the cyber security landscape
Direct action with users
Evolving the policy and legislative landscape
Defining common standards and measures
Improving information and intelligence sharing
Streamlining the incident process
Supporting new technology

Section 4: All stakeholders

Section 4: Stakeholder and environmental context
This section will explore the political, business and market environment that your organisation operates in.

What is your opinion of the level of cyber security maturity within your market sector across Europe?
For example:
- How mature do you consider your industry to be in relation to others?
- How aware do you think organisations in your sector are about cyber security concepts and issues?

What market trends in your industry are relevant to cyber security?

Do you think cyber security is a differentiator currently for organisations in your sector?

What is your opinion of the European Commission’s proposal for a Directive on Network and Information Security? Are there any objectives or actions in the proposal that you particularly support or oppose?
For example, the proposed threat information sharing between the Financial Services Industry and Government.

Is there any other information that you would like to provide, or topics that you would like to discuss in relation to cyber security and CYSPA?

Annex 1 - Glossary

accountability
  assignment of actions and decisions to an entity [ISO-27000:2012]
  process of tracing information system activities to a responsible source. [CNSS 4009:2010]

asset
  anything that has value to the organization. NOTE. There are many types of assets, including: a) information; b) software, such as a computer program; c) physical, such as computer; d) services; e) people, and their qualifications, skills, and experience; and f) intangibles, such as reputation and image. [ISO-27000:2012]

availability
  property of being accessible and usable upon demand by an authorized entity [ISO-27000:2012]
  ensuring timely and reliable access to and use of information. [NIST SP 800-53:2009]

contingency plan
  Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters. [NIST SP 800-34:2010]

control
  means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature
  NOTE 1 Controls for information security include any process, policy, procedure, guideline, practice or organizational structure, which can be administrative, technical, management, or legal in nature which modify information security risk.
  NOTE 2 Controls may not always exert the intended or assumed modifying effect.
  NOTE 3 Control is also used as a synonym for safeguard or countermeasure.
  [ISO-27000:2012]

critical infrastructure
  Critical infrastructures are those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in European Union (EU) countries. Critical infrastructure includes: energy installations and networks; communications and information technology; finance (banking, securities and investment); health care; food; water (dams, storage, treatment and networks); transport (airports, ports, intermodal facilities, railway and mass transit networks and traffic control systems); production, storage and transport of dangerous goods (e.g. chemical, biological, radiological and nuclear materials); government (e.g. critical services, facilities, information networks, assets and key national sites and monuments). http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_terrorism/l33259_en.htm
  Critical infrastructures are organizations or institutions with major importance for the public good, whose failure or damage would lead to sustainable supply bottlenecks, considerable disturbance of public security or other dramatic consequences. [DE CSS:2011]
  A term used by governments to describe assets that are essential for the functioning of a society and economy (e.g. electricity generation, gas production, telecommunications, water supply etc.). [NZ CSS:2011]

disruption
  an unplanned event that causes an information system to be inoperable for a length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction) [NIST SP 800-34:2010]

impact
  a measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
  [ITIL:2011]
  the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. [NIST SP 800-60:2008]

incident
  an unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a configuration item that has not yet affected service is also an incident – for example, failure of one disk from a mirror set. [ITIL:2011]

mitigation
  limitation of any negative consequence of a particular event. [ISO/IEC Guide 73]
  implementing appropriate risk-reduction controls based on risk management priorities and analysis of alternatives. [NIST SP 800-53 Rev 4]

resilience
  the ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning. [NIST SP 800-34:2010]
  adaptive capacity of an organization in a complex and changing environment [ISO Guide 73:2009]

risk
  a measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence. [US ESC:2012]
  possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. [CNSS 4009:2010]

risk - level of risk
  magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood [ISO Guide 73:2009]

threat
  potential cause of an unwanted incident, which may result in harm to a system or organization [ISO-27000:2012]
  any circumstance or event with the potential to adversely impact an information system through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
  [CNSS 4009:2010]