Industrial Internet Security Framework v 1.0 | Page 106
Security Framework
11: Security Configuration and Management
Security management is the management of the security controls on an endpoint, including the
addition and removal of security controls, the setting of security policy, and enabling the
extraction of security events and logs.
Operational management should be separated from security management so that security
control processes can evolve independently.
Secure operational management involves protecting the operational management process and
functions to ensure the integrity and confidentiality of changes made to operational elements of
the system including endpoints, communications, monitoring, and management systems.
Figure 11-2: Secure Operational Management
Both implement policy to configure the settings on the endpoints, and a misconfiguration of
either the operational settings or the security settings may result in a vulnerability. The sensitive
nature of the endpoints, the applications and the data requires especially diligent care in the
separation of concerns between these areas, though the line between them is often blurred.
Operational management must interact with operational monitoring. There should also be a
separation between operational events and security events. Security events from the endpoints
and communications are used by security monitoring to evaluate security and identify gaps that
must be remediated. The operational management and monitoring controls are specific to the
system’s operational process, as opposed to the security management and monitoring, which
can be the same across different operational processes. For example, the setting of credentials,
the definition of network data channel rules and the identification of the destinations for security
event data are all required across various operational processes, though the actual settings may
vary from endpoint to endpoint.
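As an added example (not code from the framework), the separation described above in Python: a security management policy shared by all endpoints, with per-endpoint destination overrides, routes a constructed event stream into separate operational and security streams, and keeps malformed lines as a gap to review rather than dropping them. The event line format, endpoint names and destination hostnames are assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample event lines in an assumed "<endpoint> <category> <event>"
# format (not from the framework document); the last line is malformed on purpose.
SAMPLE_EVENTS = """\
plc-01 op temp_setpoint=72
plc-01 sec auth_failure user=maint
plc-01 op valve_open=3
hmi-02 sec policy_changed key=credential_rotation
hmi-02 op screen=overview
rtu-07 sec firmware_hash_mismatch
rtu-07 garbage
"""

@dataclass
class SecurityPolicy:
    """Security management settings shared by every endpoint regardless of vendor:
    security event categories and destinations, with per-endpoint overrides."""
    security_categories: frozenset = frozenset({"sec"})
    default_destination: str = "siem.example.internal"   # assumed example host
    endpoint_destinations: dict = field(default_factory=dict)
    def destination_for(self, endpoint):
        return self.endpoint_destinations.get(endpoint, self.default_destination)

@dataclass
class RoutedEvents:
    operational: list = field(default_factory=list)   # to operational monitoring
    security: list = field(default_factory=list)      # to security monitoring
    unclassified: list = field(default_factory=list)  # malformed lines to review

def parse_event(line):
    """Return (endpoint, category, body), or None for a malformed line."""
    parts = line.split(maxsplit=2)
    return tuple(parts) if len(parts) == 3 else None

def route_events(text, policy):
    """Split one event stream so security events never mix with operational ones."""
    routed = RoutedEvents()
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            routed.unclassified.append(line)   # a monitoring gap, not silently dropped
            continue
        endpoint, category, body = parsed
        if category in policy.security_categories:
            routed.security.append({"endpoint": endpoint, "event": body,
                                    "destination": policy.destination_for(endpoint)})
        else:
            routed.operational.append({"endpoint": endpoint, "event": body})
    return routed
```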
A common security API across all the endpoints making up the operational process isolates the
security process from the operational process, independent of the make, model and
IIC:PUB:G4:V1.0:PB:20160926
- 106 -