MIL1 requirements
a. IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner
MIL2 requirements
b. The IT and OT asset inventory includes assets within the function that may be leveraged to achieve a threat objective
c. Inventoried IT and OT assets are prioritized based on defined criteria that include importance to the delivery of the function
d. Prioritization criteria include consideration of the degree to which an asset within the function may be leveraged to achieve a threat objective
e. The IT and OT inventory includes attributes that support cybersecurity activities (for example, location, asset priority, asset owner, operating system, and firmware versions)
MIL3 requirements
f. The IT and OT asset inventory is complete (the inventory includes all assets within the function)
g. The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes
h. Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life
Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.
Data system documentation must include at least:
Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.
Data store documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization shall list all relevant protected assets to determine ownership and to ensure that security measures cover all necessary items.
A large portion of the protected assets (including data sets, data systems, personnel / units, and partners) are treated through other tasks. In addition, the organization must list other important assets, which may be, depending on the nature of its operations, e.g. hardware (servers, network equipment, workstations, printers) or infrastructure (real estate, power generation, air conditioning). In addition the organization should make sure that relevant external devices are documented.
Printers and copiers are interpreted as information systems and must therefore meet the requirements for both technical, physical and administrative information security. The technical requirements can be met, for example, with a separate device solution.
The requirement can be met by taking the measures mentioned below:
The organization has a clear process, according to which it identifies the most critical functions in terms of its operations (e.g. services offered to customers), which are subject to the highest continuity requirements.
Items in the IT environment that are necessary for these activities (such as information systems, data reserves, operating processes, partners, units, hardware) are classified as critical.
Critical functions are considered with the highest priority, e.g. in continuity planning, and stricter safety requirements can be applied to them than to other objects in the environment.
.png)
