
CMI Working Group Technical Guidance Note

Information Security for Carbon Markets Infrastructure: Tools and Recommendations


Acknowledgments

This technical guidance note is an output of the Carbon Markets Infrastructure Working Group (CMIWG) convened by the World Bank. The CMIWG members are Abaxx Exchange, AirCarbon Exchange, B3—Brazilian Stock Exchange, BeZero Carbon, Climate Action Data Trust (CAD Trust), Climate Impact X, CME Group, EcoRegistry, European Bank for Reconstruction and Development (EBRD), Global Carbon Council (GCC), Global Carbon Market Utility (GCMU), Gold Standard, Indian Energy Exchange (IEX), INFRAS, Integrity Council for the Voluntary Carbon Market (ICVCM), Intercontinental Exchange, International Standards Organization (ISO), International Swaps and Derivatives Association (ISDA), Johannesburg Stock Exchange (JSE), Nasdaq, Philip Lee LLP, Puro.earth, S&P Global Commodity Insights, SustainCERT, Sylvera, Verra, World Bank, and Xpansiv.

The International Organization of Securities Commissions (IOSCO) Secretariat and the Climate Data Steering Committee (CDSC) Secretariat participated as observers.

The note was prepared by a subgroup chaired by S&P Global Commodity Insights and Xpansiv. Contributing members included Juan David Duran Hernandez (EcoRegistry), Angela Dawson, Jonty Rushforth, Julie Gareton, Teri Hogan (S&P Global Commodity Insights), David Sturt (Verra), Thuy Tran (Verra), Curtis Letson (Xpansiv), Erika Crandall (Xpansiv), Henrik Hasselknippe (Xpansiv), Micah Goldston (Xpansiv), Gemma Torras Vives (World Bank), Chandra Shekhar Sinha (World Bank), and Ritu Ahuja (World Bank).

Editorial support was provided by Clarity Global Strategic Communications and Kathleen Geneviève Weary (Consultant, World Bank), and design support was provided by Simpelplus.

Support was also provided by the World Bank's mAI, an AI research assistant, for data organization and content structuring.

Foreword

Executive summary

Information security

Recommendations

Way forward

Annexes


© 2025 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW, Washington, DC 20433

Telephone: 202-473-1000 Internet:

The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of the World Bank, its Board of Executive Directors, or the governments they represent.

The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and permissions

The material in this work is subject to copyright. Because the World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes, as long as full attribution to this work is given.

Please cite the work as follows: The World Bank; Carbon Markets Infrastructure Working Group. 2025. "Technical Guidance Note on Information Security for Carbon Markets Infrastructure: Tools and Recommendations," Washington, DC.


Table of contents

Foreword 8
Executive summary 10
  Carbon Markets Infrastructure Working Group 10
Information security 14
  Data protection and privacy 20
  Threat prevention and detection 25
  Identity and access management 30
  Incident response and resilience 34
  Governance, compliance, and culture 38
Recommendations 42
Way forward 45
Annexes: Resources and tools for information security programs 46


List of tables and figures

Table 1 Composition of the CMIWG
Table 2 Key elements of information security
Table 3 Cross-cutting requirements for information security programs
Table 4 Data protection and privacy risk mitigation controls—Levels 1, 2, and 3
Table 5 Data protection and privacy tools—Levels 1, 2, and 3
Table 6 Data protection and privacy industry best practices—Levels 1, 2, and 3
Table 7 Threat prevention and detection risk mitigation controls—Levels 1, 2, and 3
Table 8 Threat prevention and detection tools—Levels 1, 2, and 3
Table 9 Threat prevention and detection industry best practices—Levels 1, 2, and 3
Table 10 Identity and access management risk mitigation controls—Levels 1, 2, and 3
Table 11 Identity and access management tools—Levels 1, 2, and 3
Table 12 Identity and access management industry best practices—Levels 1, 2, and 3
Table 13 Incident response and resilience risk mitigation controls—Levels 1, 2, and 3
Table 14 Incident response and resilience tools—Levels 1, 2, and 3
Table 15 Incident response and resilience industry best practices—Levels 1, 2, and 3
Table 16 Governance, compliance, and culture risk mitigation controls—Levels 1, 2, and 3
Table 17 Governance, compliance, and culture tools—Levels 1, 2, and 3
Table 18 Governance, compliance, and culture industry best practices—Levels 1, 2, and 3
Table 19 Examples of key implementation responsibilities by entity type

Figure 1 Key challenges and recommendations of the five CMIWG technical guidance notes
Figure 2 Three-step assessment framework for information security
Figure 3 Tool-based recommendations for enhancing information security in carbon markets


Abbreviations and acronyms

AC access control
API application programming interface
CIS Center for Internet Security
CMIWG Carbon Markets Infrastructure Working Group
CSF cybersecurity framework
DLP data loss prevention
DMRV digital monitoring, reporting, and verification
EDR endpoint detection and response
EU European Union
G20 SFWG Group of 20 Sustainable Finance Working Group (SFWG)
GDPR General Data Protection Regulation
GRC governance, risk, and compliance
IA identification and authentication
IAM identity and access management
ICVCM Integrity Council for the Voluntary Carbon Market
IDS intrusion detection system
IEC International Electrotechnical Commission
IOSCO International Organization of Securities Commissions
IPS intrusion prevention system
IR incident response
ISMS information security management systems
ISO International Organization for Standardization
IT information technology
MFA multi-factor authentication
MRV monitoring, reporting, and verification
NIST National Institute of Standards and Technology
PAM privileged access management
RBAC role-based access control
SANS SysAdmin, Audit, Network, and Security
SIEM security information and event management
SOC Standards Oversight Committee
SSO single sign-on
UNIDROIT International Institute for the Unification of Private Law
United States

Foreword

Carbon markets hold significant potential as a vehicle for channeling climate finance to developing countries, many of which face growing needs that far exceed available funding. When designed with high integrity, these markets not only unlock capital and drive verifiable emissions reductions but also help close investment gaps in critical sectors. Beyond their environmental impact, well-functioning carbon markets support job creation and deliver tangible financial benefits to local communities.

Significant progress is already underway. As highlighted in the World Bank's 2024 State and Trends Report, several key initiatives are advancing the integrity and functionality of carbon markets. The International Organization of Securities Commissions (IOSCO) is advocating for stronger oversight and market integrity; the International Institute for the Unification of Private Law (UNIDROIT) is working to harmonize the legal classification of carbon credits; and the Integrity Council for the Voluntary Carbon Market (ICVCM) is advancing transparency and scale through its Continuous Improvement Work Program. These global efforts lay essential groundwork, but further progress is needed to address persistent gaps—particularly in governance, institutional coordination, and technical integration.

As carbon markets grow in scale and strategic relevance, the need for trusted, connected and scalable infrastructure has become a global policy priority. Market infrastructure is the backbone of credibility, transparency, and efficiency. It supports the issuance, transfer, and retirement of carbon credits, and enables trust among market participants. Under South Africa's 2025 G20 Presidency, the Sustainable Finance Working Group (SFWG) highlights in its Note on Agenda Priorities that "by focusing on improving the foundational elements of market infrastructure – including data standardization and cross-border connections – the SFWG can help unlock the greater financing potential of these markets." This reflects growing recognition that robust, standardized approaches to data and infrastructure are essential for the credibility and effectiveness of carbon markets.

While carbon market infrastructure is just one part of a broader system that encompasses environmental, financial, and social integrity, it forms the backbone of effective market operations. Addressing infrastructure gaps early is critical to building a solid foundation for growth. The choices made now will shape our ability to scale, unlock climate finance, and achieve meaningful emissions reductions.

Advancing a global and decentralized market—such as for carbon credits—presents a unique opportunity to build robust, future-ready systems.

At COP28, the World Bank launched the Engagement Roadmap for Carbon Markets outlining how it will support countries in building high-integrity, high impact carbon markets. As part of efforts to operationalize this strategy, the World Bank launched the Carbon Markets Infrastructure Working Group (CMIWG), convening a diverse set of stakeholders to identify infrastructure-related bottlenecks and deliver actionable guidance. At COP29, the CMIWG released its flagship publication, A Roadmap for a Safe, Efficient, and Interoperable Carbon Markets Infrastructure, which outlined a vision for addressing foundational gaps and identified key priority areas for action.

Building on these findings and the collaborative efforts of the CMIWG, five targeted technical guidance notes were released in June 2025. These technical guidance notes aim to support countries and market actors in addressing key infrastructure challenges through practical recommendations on ecosystem governance, transaction integrity, information security, data interoperability, and digital MRV:

1. Ecosystem Governance for Carbon Markets Infrastructure: Assessment and Recommendations
2. Transaction Integrity for Carbon Markets Infrastructure: Tools and Recommendations
3. Information Security for Carbon Markets Infrastructure: Tools and Recommendations
4. Enhancing Data and Systems Interoperability for Carbon Markets: Current Landscape and Strategic Recommendations
5. Standardizing Digital MRV in Carbon Markets: System Evaluation Criteria and Hotspots Assessment

Together, these guidance notes are complementary in supporting the scale-up of safe, efficient, and interoperable carbon market infrastructure. Robust governance builds trust by clarifying institutional roles and responsibilities, integrity and security safeguards reduce risks, and interoperability enables scale by facilitating seamless data and system integration. The World Bank will integrate this guidance into ongoing capacity-building efforts to support countries in strengthening their carbon market infrastructure.

Executive summary

The Technical Guidance Note on Information Security for Carbon Markets Infrastructure: Tools and Recommendations is one of five guidance notes prepared by the Carbon Markets Infrastructure Working Group (CMIWG). The note provides a practical framework to strengthen information security programs across the carbon markets ecosystem. It addresses key vulnerabilities—including fragmented cybersecurity practices, inconsistent implementation of standards, and system-level risks—through five core categories: data protection and privacy; threat prevention and detection; identity and access management; incident response and resilience; and governance, compliance, and culture. Drawing on internationally recognized standards such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF), Center for Internet Security (CIS) controls, and ISO/IEC 27001, the guidance outlines maturity-based steps to support organizations at different stages of readiness, offering tailored recommendations and practical tools to reinforce digital safeguards and uphold information security across evolving carbon markets.

Carbon Markets Infrastructure Working Group

The CMIWG was established to identify key bottlenecks hindering the security, efficiency, and interoperability of carbon market infrastructure and to prioritize actions to address these challenges. As of June 2025, the CMIWG includes entities from across the carbon market ecosystem—ranging from standard setters on both the demand and supply sides, carbon crediting programs, registry operators, trading platforms, marketplaces, financial institutions, data and analytics providers, technology firms, Validation and Verification Bodies, legal and consulting firms, multilateral organizations, and regulatory authorities, among others. This broad and balanced membership brings together diverse perspectives that are essential for addressing infrastructure gaps, fostering interoperability, and supporting the integrity and scalability of global carbon markets (Table 1).


TABLE 1 Composition of the CMIWG

CMIWG Member Organizations:
Abaxx Exchange
AirCarbon Exchange
B3—Brazilian Stock Exchange
BeZero Carbon
Climate Action Data Trust (CAD Trust)
Climate Impact X
CME Group
EcoRegistry
European Bank for Reconstruction and Development (EBRD)
Global Carbon Council (GCC)
Global Carbon Market Utility (GCMU)
Gold Standard
Indian Energy Exchange (IEX)
INFRAS
Integrity Council for the Voluntary Carbon Market (ICVCM)
Intercontinental Exchange (ICE)
International Standards Organization (ISO)
International Swaps and Derivatives Association (ISDA)
Johannesburg Stock Exchange (JSE)
Nasdaq
Philip Lee LLP
Puro.earth
S&P Global Commodity Insights
SustainCERT
Sylvera
Verra
World Bank
Xpansiv

Observers:
International Organization of Securities Commissions (IOSCO) Secretariat
Climate Data Steering Committee (CDSC) Secretariat


The CMIWG convened a series of meetings and consultations beginning in June 2024, which informed the development of A Roadmap for Safe, Efficient, and Interoperable Carbon Market Infrastructure (2024), released at COP29. The roadmap identified key infrastructure bottlenecks and outlined three priority action areas to strengthen the carbon market ecosystem: (i) ecosystem governance, (ii) information security and transaction integrity, and (iii) data and systems interoperability. It proposed the development of targeted technical guidance notes for each priority area by June 2025, intended to provide deeper analysis of existing barriers as well as practical frameworks, tools, and recommendations to guide coordinated action and system-wide improvements (Figure 1).

The objective of these notes is to offer practical tools and actionable recommendations for a broad spectrum of market participants. This includes both those designing and operating key components of carbon market infrastructure, as well as those leveraging these systems to carry out carbon market activities. All stakeholders play a critical role in developing robust, secure, and scalable market systems. The insights presented here are also intended to inform capacity-building and technical assistance efforts tailored to the unique contexts and institutional capacities of each country. This targeted support is designed to promote a cohesive, inclusive, and resilient carbon market infrastructure.


FIGURE 1 Key challenges and recommendations of the five CMIWG technical guidance notes

1. Challenge: Unclear roles and overlapping responsibilities can lead to fragmented governance, undermining accountability chains. Recommendation: Stocktake of safeguards and recommendations to clarify roles, mandates and terminology across the ecosystem.

2. Challenge: Inadequate safeguards for identity verification and transaction processes can undermine trust. Recommendation: Risk mitigation framework and safeguards to strengthen credibility of transactions and prevent fraud.

3. Challenge: Weak safeguards in information security can increase risks of data breaches and system failures. Recommendation: Risk mitigation framework and safeguards for cybersecurity and data protection to secure digital infrastructure.

4. Challenge: Insufficient interoperability of data and systems can limit registry alignment, transparency and scalability. Recommendation: Stocktake of multi-stakeholder efforts and recommendations to standardize data and strengthen registry interoperability for transparent global emission reductions accounting.

5. Challenge: Inconsistent MRV frameworks can increase errors, costs, and reduce comparability. Recommendation: A system-level evaluation framework and a set of priority hotspots to support the scaled adoption of digital MRV systems.

Information security

Scope and approach

This technical guidance note provides a structured approach to strengthening information security across carbon markets. It is designed to support both new entrants and experienced participants in building secure, resilient, and trustworthy systems that protect data integrity, enhance transaction credibility, and reduce cyber risks. Practical recommendations are provided throughout, grounded in proven tools and techniques to help stakeholders—whether designing or implementing market infrastructure—implement effective safeguards. The entities responsible for implementing information security programs will vary by jurisdiction and specific market context. While some examples are presented in Table 19 in the Recommendations section, the note's objective is to consolidate foundational tools and approaches that can be adapted by a wide range of actors—regardless of their institutional mandate or market maturity—to strengthen information security across carbon market systems.

Information security in carbon markets is key to maintaining trust, resilience, and compliance across registries, trading platforms, and market participants. It requires a robust market infrastructure that safeguards data integrity, protects against cyber threats, and enforces adherence to security protocols and best practices (Table 2). Upholding information security also involves clearly assigning roles and responsibilities for managing and protecting information assets, thereby reinforcing accountability across the ecosystem. In addition, it demands rigorous monitoring, incident response, and resilience planning to guard against breaches, manipulation, and operational disruptions, all of which could undermine market confidence and transactional integrity.

TABLE 2 Key elements of information security

Data protection: Safeguarding information from unauthorized access, disclosure, alteration, or destruction.

Encryption: Protecting the confidentiality of data both in storage and during transmission.

Access control: Conducting authentication (verifying identity) and authorization (granting/restricting permissions based on roles or needs).

Data retention: Policies and procedures for secure storage, archiving, and/or deleting data in compliance with legal, regulatory, or business requirements.

Monitoring security systems: Continuous oversight and improvement regarding security related to activities/systems deployed to detect, prevent, and respond to security incidents to identify potential threats or breaches.

Maintaining audit trails: Recording and preserving logs of all significant actions or events within an information system which can be used for compliance, forensic investigations, and ensuring accountability.

Source: Adapted from Roadmap for Safe, Efficient, and Interoperable Carbon Markets Infrastructure (World Bank, 2024).

The note addresses key challenges, such as inconsistent implementation of safeguards, fragmented cybersecurity practices, and vulnerabilities across registries and trading platforms, many of which are closely tied to the integrity of carbon market transactions. As outlined in A Roadmap for Safe, Efficient, and Interoperable Carbon Market Infrastructure (2024), prepared by the CMIWG, a primary concern is the lack of consistent application of information security frameworks across jurisdictions and market actors. While global standards such as ISO/IEC 27001, the General Data Protection Regulation (GDPR), and guidelines from financial regulators (for example, IOSCO) offer strong foundations for safeguarding digital infrastructure, knowledge gaps and inconsistent application expose the carbon market ecosystem to significant risks. These include unauthorized access, data manipulation, and systemic breaches across registries, trading platforms, and verification systems. Uneven understanding of security protocols—especially among governments, registry operators, project developers, and intermediaries—further compounds these risks, undermining market trust and reliability. These risks are closely tied to transaction integrity vulnerabilities, as weak protection of data, systems, and identities can amplify the likelihood and impact of transaction failures (for further details refer to CMIWG Guidance Note on Transaction Integrity).

To address the challenges outlined above, this note provides an overview of cross-cutting requirements that establish the foundational governance and operational structures necessary for effective information security programs. These include core elements such as security policies, oversight mechanisms, and clearly defined accountability frameworks.

In addition, the note introduces a three-step assessment framework applied across five core information security domains: 1) Data Protection and Privacy, 2) Threat Prevention and Detection, 3) Identity and Access Management, 4) Incident Response and Resilience, and 5) Governance, Compliance, and Culture. For each domain, the framework applies the following sequence:

Risks: Identification of key vulnerabilities and threat vectors specific to the security area.

Mitigation Controls: Definition of safeguards, protocols, and procedures to address identified risks.

Execution: Practical recommendations for tools, operational practices, and global best practices to ensure effective implementation and enforcement.

The framework guides organizations through a progressive maturity model, offering a flexible pathway from foundational practices (Level 1) to advanced, fully integrated information security programs (Level 3). Organizations are supported in strengthening system-wide resilience, enhancing trust, and ensuring alignment with regulatory expectations. This structure is illustrated in Figure 2: Three-step assessment framework for information security.

FIGURE 2 Three-step assessment framework for information security

Cross-cutting requirements: Identifies foundational resources, regulations, and contextual needs for each category.

Risks: Maps potential vulnerabilities and exposures specific to each system or process.

Mitigation Controls: Outlines technical, procedural, and policy safeguards that can be applied to address identified risks.

Execution (Tools, Best practices): Focuses on the operationalization of controls through tools, practices, and compliance procedures.

Source: CMIWG

This guidance draws on internationally recognized and freely accessible frameworks, including the NIST Cybersecurity Framework (CSF) 2.0,[1] NIST 800-53 Security and Privacy Controls,[2] CIS Controls Version 8,[3] and guidance from the SANS Institute.[4] These frameworks were selected because they are updated regularly by trusted organizations and provide detailed guidance across all levels of organizational maturity. The recommendation is to always reference the latest versions to ensure alignment with current best practices.

For organizations aiming to build audit-ready and mature information security programs, the note also supports alignment with advanced security standards such as SOC 2 Type 2 and ISO/IEC 27001. A SOC 2 Type 2 audit evaluates a company's controls related to security, availability, processing integrity, confidentiality, and privacy over a defined period. An ISO 27001 audit assesses an organization's adherence to international standards for information security management systems (ISMS). These certifications are particularly important for financial trading entities, as they enhance client confidence, support regulatory compliance, and serve as competitive advantages.

The note concludes with tailored recommendations for carbon market participants at different stages of maturity. See Annex A for a summary of cross-cutting requirements and tools, Annex B for a mapping of risks, tools, and frameworks, and Annex C for key information security frameworks, protocols, and standards.


[1] National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, 2018. /cyberframework.

[2] National Institute of Standards and Technology (NIST), Security and Privacy Controls for Information Systems and Organizations, Special Publication 800-53 Revision 5, 2020. /publications/detail/sp/800-53/rev-5/final.

[3] Center for Internet Security
