Roles and responsibilities
Clearly defined organizational roles and responsibilities, each with assigned accountability, are vital for effective management, especially for critical infrastructure. Everyone involved should understand the organizational hierarchy, the lines of authority and the reporting structure; without them, the collaboration that a computer security programme (CSP) depends on is neither efficient nor effective.
Risk, vulnerability and compliance management
Computer security risk management involves identifying the vulnerabilities of sensitive digital assets and computer-based systems and evaluating the potential consequences of their compromise, so that computer security controls can be implemented using a graded approach to defend against cyberattacks. The level of security measures applied should be commensurate with the level of risk associated with the information and/or computer-based systems being protected. By considering the consequences that a threat could cause by exploiting a vulnerability, an organization can determine the level of security measures needed to reduce the risk to an acceptable level.
Security design and management
Computer security design is a critical aspect of protecting against cyberthreats. Fundamental design principles include a graded approach and defence in depth: systems are grouped into security zones according to the consequences of their compromise, and multiple independent layers of security controls are implemented so that the failure of one layer does not by itself allow an attack to succeed. Security requirements must also be incorporated throughout the system development life cycle, and third-party organizations that supply, develop or maintain systems must be governed by clear policies and agreements so that security measures remain consistent and effective across the supply chain.
Digital assets management
Effective computer security relies on a systematic process to identify a comprehensive list of all facility functions, assets and systems, including the sensitive digital assets that are essential to protect nuclear operations or to maintain the safe and secure use of nuclear and other radioactive material. Such a list should also record the data flows and interdependencies that are significant to the organization, because these determine which access controls, backups and other security measures are needed to protect the assets from sabotage or theft.
Security procedures
Operational nuclear security policies and procedures provide direction, and assign accountability, for preventing the theft, sabotage or unauthorized use of nuclear material and facilities. These policies ensure that access to sensitive information and assets is tightly controlled, and that individuals granted access are screened and trained appropriately.
Personnel management
Trustworthiness, awareness and training are critical aspects of personnel management in the nuclear industry. Trustworthiness evaluations should be conducted to ensure that personnel are reliable, competent and free from any conflicts of interest that could compromise safety or security. Maintaining a qualified and trustworthy workforce is essential to nuclear safety and security.
*More details are included in IAEA Nuclear Security Series No. 17-T (Rev. 1), Computer Security Techniques for Nuclear Facilities.