Purpose and Scope
This SOP defines the procedures for using the Cyber Security Evaluation Tool (CSET®) to evaluate and document the security practices and posture of Industrial Control Systems (ICS) and Information Technology (IT) networks using recognized industry and government standards.
Revision: 00
Responsibility
The responsibility for initiating an addition to the database will fall to the Security Analyst after discussion with the Director of IT and other affected leadership or management. Depending upon the evaluation, IT Operations, ICS Operators, or other resources with the needed knowledge will help complete the assessments. The Security Analyst will be responsible for scheduling annual reviews. The extended team will be responsible for reporting any changes to the environment to the Security Analyst to trigger an update.
Resources
US-CERT Downloading CSET
See Attached User Guide (also available in help section of tool)
Health and Safety
There are no health and safety requirements associated with this policy/procedure.
Link to Tool
https://cset.hernandoclerk.org/home/login
Procedure
- Access the tool at the link above
- Register for an Account
  - Look in the lower right for a link to "Register New Account".
  - Enter Required Information and wait for confirmation email.
- Use Credentials to Login
- High Level Overview of Assessment Process
- Identify Team
- Determine Security Assurance Level (SAL)
  - This determines the Level of Protection required for the system.
  - The higher the SAL, the more questions and requirements in the assessment.
  - More information on SAL can be found by viewing the Tutorial below.
- Identify Required Standards
  - The Security Standards section allows the selection of one or more standards to use in the assessment.
  - Standards are grouped logically to simplify the selection process.
- Diagram
  - Diagrams can be started using prepopulated templates or drawn from scratch.
  - Details such as IP Address, Hostname, Criticality, and Description can be added to the diagram components.
  - Components of the Diagram can be used to create an inventory sheet.
  - Components of the Diagram can generate component-specific questions in the assessment.
- Answer Assessment Questions
  - Requires Input from the entire Team
  - Questions are based on Standards and Diagram Components.
  - Questions can be answered with Yes, No, NA, or ALT
    - NA if it doesn't apply.
    - ALT if there is an alternate means of compliance.
  - Detail Panel is explained in tutorial
    - Contains Additional Information on the Requirement
    - Allows documents to be uploaded.
    - Links to Related Resources
- Results
  - Results can be viewed in various formats as explained in the tutorial.
- Reports
  - Multiple Reports Available
  - Various Levels of Detail
  - Customized Executive Summaries
- Resource Library
  - Contains various standards, templates, and policies for reference.
- Detailed Tutorial (Recommended For Training)