0% found this document useful (0 votes)

43 views4 pages

AESCSF v2 Quick Reference Guide 10

The Australian Energy Sector Cyber Security Framework (AESCSF v2) outlines a comprehensive approach to managing cyber security risks across various domains, including risk management, asset management, and incident response. It emphasizes the importance of establishing governance, maintaining situational awareness, and managing third-party dependencies to protect critical infrastructure. The framework includes maturity indicators and practices to assess and enhance the organization's cyber security posture.

Uploaded by

Daniel Johns

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

43 views4 pages

AESCSF v2 Quick Reference Guide 10

Uploaded by

Daniel Johns

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 4

Australian Energy Sector Cyber Security Framework – version 2 (AESCSF v2)

Quick Reference Guide – Domain Overview & Key Terms

Domain Domain Description

Establish, operate, and maintain an enterprise cyber security risk management program to identify, analyse, and mitigate cyber security risk to the organisation, including its business units, subsidiaries,
Risk Management RISK
related interconnected infrastructure, and stakeholders.
Establish and maintain an enterprise cyber security program that provides governance, strategic planning, and sponsorship for the organisation’s cyber security activities in a manner that aligns cyber
Cybersecurity Program Management PROGRAM
security objectives with the organisation’s strategic objectives and the risk to critical infrastructure.
Asset, Change, and Configuration Manage the organisation’s operations technology (OT) and information technology (IT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and
ASSET
Management organisational objectives.
Create and manage identities for entities that may be granted logical or physical access to the organisation’s assets. Control access to the organisation’s assets, commensurate with the risk to critical
Identify and Access Management ACCESS
infrastructure and organisation objectives.

Cybersecurity Architecture ARCHITECTURE Establish and maintain clear mapping of your IT and OT assets and a plan as to where and how controls should be implemented to protect your environment in the event of a cyber security attack.

Establish and maintain plans, procedures, and technologies to detect, identify, analyse, manage and respond to cyber security threats and vulnerabilities, commensurate with the organisation’s
Threat and Vulnerability Management THREAT
infrastructure (e.g., critical, IT, operational) and organisational objectives.
Establish and maintain activities and technologies to collect, analyse, alarm, present, and use operational and cyber security information, including status and summary information from the other model
Situational Awareness SITUATION
domains, to form a common operating picture (COP).
Event and Incident Response, Establish and maintain plans, procedures, and technologies to detect, analyse, and respond to cyber security events and to sustain operations throughout a cyber security event, commensurate with the
RESPONSE
Continuity of Operations risk to critical infrastructure and organisational objectives.
Supply Chain and External Establish and maintain controls to manage the cyber security risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and
THIRD-PARTIES
Dependencies Management organisational objectives.
Establish and maintain plans, procedures, technologies, and controls a culture of cyber security and to ensure that ongoing suitability and competence of personnel, commensurate with the risk to critical
Workforce Management WORKFORCE
infrastructure and organisational objectives.
Establish and maintain plans, procedures, and technologies to reduce privacy related risks, and manage personally identifiable information through its lifecycle - collection, storage, use and disclosure,
Australian Privacy Management PRIVACY
and disposal (including de-identification).

Term Definition

Ability and means to enter a facility, to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains,
Access
or to control system components and functions.
In the context of this model, ad hoc (i.e., an ad hoc practice) refers to performing a practice in a manner that depends largely on the initiative and experience of an individual or team (and team
leadership), without much in the way of organisational guidance in the form of a prescribed plan (verbal or written), policy, or training. The methods, tools, and techniques used, the priority given a
Ad hoc particular instance of the practice, and the quality of the outcome may vary significantly depending on who is performing the practice, when it is performed, and the context of the problem being
addressed. With experienced and talented personnel, high-quality outcomes may be achieved even though practices are ad hoc. However, because lessons learned are typically not captured at the
organisational level, approaches and outcomes are difficult to repeat or improve across the organisation.
Anomalous Inconsistent with or deviating from what is usual, normal, or expected.
Something of value to the organisation. Assets include many things, including technology, information, roles performed by personnel, and facilities. For the purposes of this model, assets to be
Asset
considered are IT and OT hardware and software assets, as well as information essential to operating the function.
The preservation of authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. For an information asset, confidentiality is
Confidentiality
the quality of being accessible only to authorised people, processes, and devices.
Australian Energy Sector Cyber Security Framework – version 2 (AESCSF v2)
Quick Reference Guide – Domain Overview & Key Terms (continued)
Term Definition

The management, operational, and technical methods, policies, and procedures-manual or automated-(i.e., safeguards or countermeasures) prescribed for an IT and ICS to protect the confidentiality, integrity, and availability of the
Controls
system and its information.
Credential An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
Updated at an organisation-defined frequency (e.g., as in the asset inventory is kept 'current') that is selected such that the risks to critical infrastructure and organisation objectives associated with being out-of-date by the maximum
Current
interval between updates are acceptable to the organisation and its stakeholders.
The development and maintenance of the object of the practice (such as a program). For example, 'Establish and maintain identities' means that not only must identities be provisioned, but they also must be documented, have
Establish and maintain
assigned ownership, and be maintained relative to corrective actions, changes in requirements, or improvements.

Event Any observable occurrence in a system or network. Depending on their potential impact, some events need to be escalated for response. To ensure consistency, criteria for response should align with the organisation's risk criteria.

The high-level electricity system activity or set of activities performed by the utility to which the model is being applied. Generally, the function will be generation, transmission, distribution, and/or markets. When using the AESCSF
Function
evaluation survey, the function is the organisational line-of-business (generation, transmission, distribution, or markets) that is being evaluated by completing the model.

An organisational process of providing strategic direction for the organisation while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses financial and human resources. Governance also typically
Governance includes the concepts of sponsorship (setting the managerial tone), compliance (ensuring that the organisation is meeting its compliance obligations), and alignment (ensuring that processes such as those for cybersecurity program
management align with strategic objectives).
Guidelines A set of recommended practices produced by a recognised authoritative source representing subject matter experts and community consensus, or internally by an organisation. See standard.

Identity The set of attribute values (i.e., characteristics) by which an entity is recognisable and that, within the scope of an identity manager's responsibility, is sufficient to distinguish that entity from any other entity.

An event (or series of events) that significantly affects (or has the potential to significantly affect) critical infrastructure and/or organisational assets and services and requires the organisation (and possibly other stakeholders) to
Incident
respond in some way to prevent or limit adverse impacts. See also computer security incident and event.

The extent to which a practice or activity is ingrained into the way an organisation operates. The more an activity becomes part of how an organisation operates, the more likely it is that the activity will continue to be performed over
Institutionalisation
time, with a consistently high level of quality. ('Incorporated into the ingrained way of doing business that an organisation follows routinely as part of its corporate culture.' - CERT RMM). See also maturity indicator level.

Logging typically refers to automated recordkeeping (by elements of an IT or OT system) of system, network, or user activity. Logging may also refer to keeping a manual record (e.g., a sign-in sheet) of physical access by personnel
Logging to a protected asset or restricted area, although automated logging of physical access activity is commonplace. Regular review and audit of logs (manually or by automated tools) is a critical monitoring activity that is essential for
situational awareness (e.g., through the detection of cyber security events or weaknesses).
Collecting, recording, and distributing information about the behaviour and activities of systems and persons to support the continuous process of identifying and analysing risks to organisational assets and critical infrastructure that
Monitoring
could adversely affect the operation and delivery of services.
Periodic review/activity A review or activity that occurs at specified, regular time intervals, where the organisation-defined frequency is commensurate with risks to organisational objectives and critical infrastructure.
Personnel Employees of the organisation. This includes full time, part time, and contracted employees.
A measure of the extent to which an organisation is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of
Risk
occurrence.

An external organisation or an internal or external person or group that has a vested interest in the organisation or function (that is being evaluated using this model) and its practices. Stakeholders involved in performing a given
Stakeholder
practice (or who oversee, benefit from, or are dependent upon the quality with which the practice is performed) could include those from within the function, from across the organisation, or from outside the organisation.

Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), resources, and other organisations through IT, OT, or communications infrastructure via
Threat
unauthorised access, destruction, disclosure, modification of information, and/or denial of service.
A cyber security vulnerability is a weakness or flaw in IT, OT, or communications systems or devices, system procedures, internal controls, or implementation that could be exploited by a threat source. A vulnerability class is a
Vulnerability
grouping of common vulnerabilities.
Australian Energy Sector Cyber Security Framework – version 2 (AESCSF v2)
Quick Reference Guide – Key Framework Components
Framework Structure MIL and SP Attributes

Framework

Domain
AESCSF contains 11 Domains
See previous page for descriptions.

Each domain contains one or more objectives.

Maturity Indicator Level (MIL)

MIL-1
! The measure of cyber
security maturity
associated with each
practice. Each MIL has
specific characteristics
Objective/s MIL-2 which impact
Objectives are numbered and unique to each domain, assessment for Practices
(See following page)
MIL-3
Practice
Practices

!
Objective contains multiple Practices Anti-Pattern
Practices are lettered and unique to each Security Profile (SP)
Objective
Each Practice and Anti- Security Profiles are the
Pattern has a SP-1 defined target states for
Anti-Patterns corresponding Maturity participants depending on
Indicator Level (MIL) their criticality.
9 of the 11 Domains contain Anti-Patterns. SP-2
and Security Profile (SP)
Applicable Anti-Patterns for each domain are Security Profiles do not
contained in their own Objective SP-3 impact the assessment
approach.

Practice Completion and Anti-Pattern Presence

Practice Anti-Pattern

!
Anti-Patterns are assigned a MIL, however
MIL-1 Practices for MIL-1 are assessed as either MIL-1, 2 & 3 the MIL, and it’s associated Management Characteristics,
Yes or No do not impact assessment of Anti-Patterns

Anti-Patterns are no
No Not Complete Present Not Complete longer attached to
Practice individual Practices,
Yes Complete Not Present Complete however they remain linked
to an AESCSF Domain and
Practices for MIL-2 & 3 are assessed against MIL.
MIL-2 & 3
four levels of implementation

Not Implemented
Not Complete
Partially Implemented

Largely Implemented
Complete
Fully Implemented
3
Australian Energy Sector Cyber Security Framework – version 2 (AESCSF v2)
Quick Reference Guide - Completion & Management Characteristics
MIL-1 Practice MIL-2 Practice

Not
Implementation Response
The Practice IS NOT performed

Implementation Response
No
Practices performed at

The Practice is NOT performed

The Practice IS performed

Practices performed at
MIL-1

Partially
MIL-2

Management Characteristics
The Practice IS performed 1 The Practice is documented

Yes
Note: For MIL-1 this can be ad-hoc, and may therefore vary in 2 Stakeholders of the Practice are identified and involved

Largely
frequency, accuracy, and completeness, based on the skills and
Any Fully Implemented practice
tools of the personnel completing the activities Adequate resources are provided to support the Practice
at MIL-3 requires all 3 (people, funding, and tools)
Management Characteristics

Fully
from both MIL-2 and MIL-3. Standards and/or guidelines have been identified to guide the
4
MIL-3 Practice implementation of the Practice

Not
The Practice IS NOT performed, OR the Practice is performed HOWEVER
MIL-2 Management Characteristics (1, 2 and/or 3) are MISSING .
Anti-Patterns

Implementation Response
The Practice IS performed, AND
AT LEAST MIL-2 Management Characteristics 1, 2 and 3 are present
Practices performed at

Implementation Response
Present
+ This activity IS exhibited within the function
(either pervasively or within a limited context)
Activities are guided by policies (or other organisational
MIL-3

Management Characteristics

5
Partially

Anti-Patterns at
MIL-1, 2 & 3
directives) and governance
Personnel performing the Practice have adequate skills
6 and knowledge
Policies include compliance requirements for specified

Not Present
7
Fully Largely

standards and/or guidelines

Responsibility and authority for performing the This activity IS NOT exhibited within the function
8 Practice is assigned to personnel
Activities are periodically reviewed to ensure they
9 conform to policy

Risk Assesment, Management, Ethic Etc
No ratings yet
Risk Assesment, Management, Ethic Etc
15 pages
SCF - Security & Privacy Principles - 2022.2
No ratings yet
SCF - Security & Privacy Principles - 2022.2
2 pages
CISSP Domain 1 Cheat Sheet
No ratings yet
CISSP Domain 1 Cheat Sheet
6 pages
Notes CC-Exam
No ratings yet
Notes CC-Exam
24 pages
Week 8 - Risk Management + Technology Audits
No ratings yet
Week 8 - Risk Management + Technology Audits
41 pages
Action Guide Information Security Management Systems
No ratings yet
Action Guide Information Security Management Systems
6 pages
Risk Domains 2025
No ratings yet
Risk Domains 2025
6 pages
Week 07 The People, Processes, and Technology of Cybersecurity (Part II)
No ratings yet
Week 07 The People, Processes, and Technology of Cybersecurity (Part II)
42 pages
Information Systemrttttgjfgxhfytfgyttyyt
No ratings yet
Information Systemrttttgjfgxhfytfgyttyyt
10 pages
Chapter Seven
No ratings yet
Chapter Seven
26 pages
CompTIA Sec+ Notes
No ratings yet
CompTIA Sec+ Notes
41 pages
PLIA 20160819 A
No ratings yet
PLIA 20160819 A
36 pages
Procedure On Risk Management
No ratings yet
Procedure On Risk Management
14 pages
Cybersecurity Training Guide
100% (1)
Cybersecurity Training Guide
72 pages
Information Security Plan Summary
100% (3)
Information Security Plan Summary
25 pages
GRC Terms
No ratings yet
GRC Terms
9 pages
Cybersecurity Unti I2
No ratings yet
Cybersecurity Unti I2
11 pages
Cyber Risk Management Guidelines Issued by The DFSA
No ratings yet
Cyber Risk Management Guidelines Issued by The DFSA
3 pages
Certified in Risk and Information Systems Control (CRISC) Glossary
100% (1)
Certified in Risk and Information Systems Control (CRISC) Glossary
17 pages
004 C2M2 Reference Cheat Sheet
No ratings yet
004 C2M2 Reference Cheat Sheet
1 page
CSF PF To Sp800 53r5 Mappings
No ratings yet
CSF PF To Sp800 53r5 Mappings
285 pages
NIST Framework Summary Book
No ratings yet
NIST Framework Summary Book
12 pages
Chapter 7
No ratings yet
Chapter 7
26 pages
Info Sec Revision
No ratings yet
Info Sec Revision
20 pages
CISSP Session 01 PDF
100% (1)
CISSP Session 01 PDF
93 pages
Secure Controls Framework SCF 2025-2-1
No ratings yet
Secure Controls Framework SCF 2025-2-1
196 pages
Cyber Compliance IE - 07 23 - Huwyler - 1688548230295
No ratings yet
Cyber Compliance IE - 07 23 - Huwyler - 1688548230295
29 pages
Cyber Security Incident Response Planning 1736093435
No ratings yet
Cyber Security Incident Response Planning 1736093435
51 pages
A Cybersecurity Evaluation Tool For SMEs B
No ratings yet
A Cybersecurity Evaluation Tool For SMEs B
2 pages
Cyber Security Incident Response Planning: Practitioner Guide
No ratings yet
Cyber Security Incident Response Planning: Practitioner Guide
51 pages
Module 1 Glossary Introduction To Information Security and Compliance
No ratings yet
Module 1 Glossary Introduction To Information Security and Compliance
2 pages
Cyber Essentials Starter Kit
No ratings yet
Cyber Essentials Starter Kit
17 pages
Mapping Nist CSF To Iso 27001-2022
No ratings yet
Mapping Nist CSF To Iso 27001-2022
37 pages
Cyber Security Policy For Banks
100% (4)
Cyber Security Policy For Banks
83 pages
CMA CISSP Domain 1 Review Notes
No ratings yet
CMA CISSP Domain 1 Review Notes
9 pages
Cybersecurity Framework v2.0 - Concept Crosswalk - Template
No ratings yet
Cybersecurity Framework v2.0 - Concept Crosswalk - Template
4 pages
Critical Infrastructure Cybersecurity
No ratings yet
Critical Infrastructure Cybersecurity
35 pages
Information Security Management
No ratings yet
Information Security Management
3 pages
NIST Cybersecurity & Privacy Framework Mapping
No ratings yet
NIST Cybersecurity & Privacy Framework Mapping
31 pages
Arc Media Holdings Limited Technical Detail Report 2023-08-01 Commentedmk Extra
No ratings yet
Arc Media Holdings Limited Technical Detail Report 2023-08-01 Commentedmk Extra
75 pages
eBook-Certified in Cybersecurity Cheat Sheet
No ratings yet
eBook-Certified in Cybersecurity Cheat Sheet
26 pages
NCSC Cyber Security Risk Management Executive
100% (1)
NCSC Cyber Security Risk Management Executive
8 pages
Notes
No ratings yet
Notes
5 pages
Ebook - CISSP - Domain - 01 - Security and Risk Management
No ratings yet
Ebook - CISSP - Domain - 01 - Security and Risk Management
202 pages
Your Cyber Security Roadmap
No ratings yet
Your Cyber Security Roadmap
26 pages
Doe c2m2v2 1 CSF Mapping
No ratings yet
Doe c2m2v2 1 CSF Mapping
184 pages
Risk Assessment Unit 4 (1.)
No ratings yet
Risk Assessment Unit 4 (1.)
31 pages
Function Category: Asset Management (AM) : The Personnel, Devices, Systems, and
No ratings yet
Function Category: Asset Management (AM) : The Personnel, Devices, Systems, and
21 pages
Cyber Threat Management Summary
No ratings yet
Cyber Threat Management Summary
19 pages
CISM Glossary v2 1 1
No ratings yet
CISM Glossary v2 1 1
7 pages
PWC Brochure Cyber Security
No ratings yet
PWC Brochure Cyber Security
6 pages
Nist - CSF 2.0
No ratings yet
Nist - CSF 2.0
8 pages
Lecture 1 - Introduction
No ratings yet
Lecture 1 - Introduction
30 pages
Informative Reference Submission Form Field Name
No ratings yet
Informative Reference Submission Form Field Name
44 pages
Cyber Security Framework V1.01
100% (1)
Cyber Security Framework V1.01
42 pages
Holistic IT Governance
100% (4)
Holistic IT Governance
13 pages
CRISCd-All Files
No ratings yet
CRISCd-All Files
49 pages
Hojiwala GIDC Details
0% (1)
Hojiwala GIDC Details
9 pages
Model ISO TC Strategic Business Plan Template
No ratings yet
Model ISO TC Strategic Business Plan Template
11 pages
XN 120
No ratings yet
XN 120
83 pages
East Syllabus 1
No ratings yet
East Syllabus 1
2 pages
Forwarding Instruction: Page 1 of 1
No ratings yet
Forwarding Instruction: Page 1 of 1
1 page
Karnataka State Pre-University Education Examination Board: Second Year Puc Examination
No ratings yet
Karnataka State Pre-University Education Examination Board: Second Year Puc Examination
8 pages
Minor Project Synopsis
No ratings yet
Minor Project Synopsis
6 pages
P0934-Line Pressure Sensor Circuit Low: Theory of Operation
No ratings yet
P0934-Line Pressure Sensor Circuit Low: Theory of Operation
5 pages
COPE-SERCO-RP-23-1493 - Sentinel Data Access Annual Report 2022 - 1.0
No ratings yet
COPE-SERCO-RP-23-1493 - Sentinel Data Access Annual Report 2022 - 1.0
121 pages
SC 200
No ratings yet
SC 200
4 pages
Platform Analytics Guide
No ratings yet
Platform Analytics Guide
469 pages
Jet Presentation Guidelines
No ratings yet
Jet Presentation Guidelines
5 pages
Termostato AKM 446 PDF
No ratings yet
Termostato AKM 446 PDF
4 pages
HWMobilePanels2GenUS en-US
No ratings yet
HWMobilePanels2GenUS en-US
280 pages
Bridgelux SMD 3535 Data Sheet For BXEX-xxC-11H-3A1 20210802
No ratings yet
Bridgelux SMD 3535 Data Sheet For BXEX-xxC-11H-3A1 20210802
19 pages
User Manual
No ratings yet
User Manual
33 pages
Guide To The Installation of PV Systems 2nd Edition
100% (1)
Guide To The Installation of PV Systems 2nd Edition
32 pages
Pneumatic Vices AIR Ing DAMO
No ratings yet
Pneumatic Vices AIR Ing DAMO
2 pages
PSR04448 - Liquid - SRS - Sprint 0
No ratings yet
PSR04448 - Liquid - SRS - Sprint 0
18 pages
Techtip: On-Screen Keyboard Options in Intouch 9.5/10.0: 425 Caredean Drive, Horsham, Pa 19044 215.675.5800
No ratings yet
Techtip: On-Screen Keyboard Options in Intouch 9.5/10.0: 425 Caredean Drive, Horsham, Pa 19044 215.675.5800
6 pages
ICE3A2065Z
No ratings yet
ICE3A2065Z
33 pages
Lancia Thesis Used Parts
100% (3)
Lancia Thesis Used Parts
8 pages
CET333 Product Development Assignment
No ratings yet
CET333 Product Development Assignment
8 pages
APIs
No ratings yet
APIs
4 pages
LXI980+LXC6110 E Installation Configuration Instructions
No ratings yet
LXI980+LXC6110 E Installation Configuration Instructions
10 pages
User Manual DSC Pc585 Pc1565
No ratings yet
User Manual DSC Pc585 Pc1565
1 page
Leica Viva TS16 DS
No ratings yet
Leica Viva TS16 DS
2 pages
Lighting Lighting: Gentlespace Gen3
No ratings yet
Lighting Lighting: Gentlespace Gen3
3 pages
What Is A Flowchart - Lucidchart
No ratings yet
What Is A Flowchart - Lucidchart
23 pages
History of NEC - About NEC - NEC Contracts
No ratings yet
History of NEC - About NEC - NEC Contracts
8 pages