Title Page
-
Purpose: To verify compliance with the SMS cyber safety requirements. Before any updated cyber risk assessment , list of changes & additions to onboard systems; audit of remote access requests & patching (updating) logs (which may be from the 3rd party support provider) should be obtained.
The SMS parts below deal with our approach but in essence, we try to stay close to the BIMCO cyber workbook.
CH 02 – Company policy (requires identification and processes to manage identified critical systems)
Ch 05 – Captains standing orders (Cover basic Cyber hygiene for crew, device use access to networks/e-mail)
Ch 7.02 – Responsibilities of person designated as cyber safety officer defined
Ch 7.03 – SOP’s – You need these for cyber hygiene e.g. repetitive tasks like ECDIS updates
Ch 7.04 – Describes cyber safety requirement
Ch 7.06 – Risk assessment & permit to work for remote access to systems.
Ch – 10 Cyber critical systems & identification thereof (use the flowchart)
The IMO primary requirement is to assess the risks, identify what systems could be used to endanger the yacht and protect those.
The weakest link will usually be the human element, hence basic training for all crew, cyber safety officer & captain to have a higher level of training.
Any changes to the systems onboard need to be considered and the risk assessment, network diagram & data flows updated as required at least annually. Scans & updates, including licences are more likely done monthly with updates as and when patches are released.
There does need to be some form of back up & recovery plan for any critical systems identified and shore based support would be best for this. Obs and NC's should be raised in C&N Connect. -
Yacht
-
Auditor
-
Conducted on
-
Captain
-
Cyber safety officer
Cyber risk assessment
-
IT system & equipment items (asset register) updated & any new equipment since last audit identified?
-
If possible obtain a copy of any updated register.
-
Is a data flow map & network diagram available for the yacht?
-
Please obtain a copy.
-
Are the risk assessment hazards, outcomes & mitigation measures maintained up to date?
-
Please obtain a copy.
Maintenance
-
Has the risk assessment identified any cyber systems to be critical?
-
Has a 3rd party assessment been used to identify these systems, have protective measures implemented been verified by a 3rd party?
-
Do planned maintenance instructions identify access permissions required and back up prior to installing new software?
-
For identified critical IT & OT systems are the maintenance requirements following the SMS Ch 10 table 3.3?
-
Are Passwords complex of sufficient length and protected; is multi factor authentication required in addition?
-
This covers the password policy for users & admin, number of passwords kept & how they are generated. length, complexity, expiration, multi factor authentication - Screenshot of settings.
The cyber safety officer (SMS Ch 7.02).
-
Is the person designated as cyber safety officer familiar with their job description & duties?
Safety, Environmental & Crew Protection Policy
-
Does the cyber safety officer understand the company policy as it applies to cyber safety?
-
Do captains standing orders contain cyber security measures, permitted use of IT systems/networks & acceptable use?
-
Do the captain & owner take into account cyber safety & support needs?
Cyber Safety Officer & Crew Training
-
Has the captain & cyber safety officer completed a training course listed in the SMS or equivalent training?
-
Have all crew completed a training course listed in the SMS or equivalent training?
-
Is any additional training given to the crew?
-
Request copy of training schedule & evidence of training completion.
Reporting
-
Have any cyber events/issues been reported to C&N
-
For example Malware found during routine virus scans, breach of e-mail security, un-authorised network access, unauthorised devices connected to machines or servers, unsecured wifi networks, passwords compromised.
Third party IT support company involved?
-
Is there a shore based company supporting the yacht's IT?
-
Company name
-
Is there a support contract detailing support provided & 24hr contact for emergencies?
-
Obtain a copy to verify the security & incident response coverage.
-
Does the company maintain software and network equipment?
-
Are software licences and updates/patches applied
-
Checking logs of updates done/licences renewed etc. will help to verify this.
-
Is expired software updated or is the cyber safety officer notified?
Standard operating procedures (SMS CH 7.03)
-
For IT/OT systems have standard operating procedures been put in place? (identified via the risk assessment)
Permit to work
-
Where remote access is required to be granted has the permit to work process been followed?
-
Are permits to work filed on completion?
Final summary
-
Remarks
-
Is a follow up audit by an IT specialist or the yachts 3rd party IT support company required?
-
If information in the above such as contracts, update/patching logs , risk assessments, network diagrams etc. can't be located this should be requested. More example questions.
Is there a change management procedure (Request/authorisation/testing/deployment/roll back/validation)
High privilege accounts - process to control accounts
Procedure for onboarding/offboarding crew - take example as evidence.
Access reviews - are these performed regularly? Any log available?
