SPHINX Functional Requirements and Guidelines: PART III

Continued from PART II

SPHINX shall provide vulnerability assessment checklists to users.

The SPHINX Platform shall provide vulnerability assessment checklists for the users, allowing them to employ effective tools for evaluating the state of readiness and the potential exposures and vulnerabilities of the IT ecosystem. It shall provide reminders and alerts associated with levels of security. It should be possible to report the recommended actions for correcting or mitigating the vulnerabilities in question, and not only the vulnerability itself, its impact and scope.

IT Domain: IT Hardware Infrastructure, Networking, Applications

Cyber Security Management Cycle: Protect

SPHINX shall deliver a cyber risk assessment report.

The SPHINX Platform shall deliver a cyber risk assessment report that allows the healthcare organisation to understand, manage, control and mitigate cyber risks across the IT ecosystem. The cyber risk assessment shall identify and prioritise assets, identify threats and vulnerabilities, analyse controls and propose new controls, calculate the likelihood and impact of different security scenarios and prioritise cyber risks based on the cost of prevention versus the value of the assets. The cyber risk evaluation shall also include actionable recommendations to improve security (reduce risk, minimise breach impact and protect against future cyber-attacks), using best practices.

IT Domain: IT Hardware Infrastructure, Networking, Applications, Security/Privacy

Cyber Security Management Cycle: Identify

SPHINX shall provide an automated zero-touch device and service verification toolkit.

The SPHINX Platform shall provide an automated zero-touch verification toolkit that will perform vulnerability and cyber risk assessment of devices and services entering or connected to the network. The verification toolkit shall generate detailed reports of possible misuse or vulnerabilities identified. The verification process will require little or no operator intervention. The user will be notified if issues and risks are detected. Detailed reports shall be easily generated in a machine-readable format (JSON, CSV).

IT Domain: IT Hardware Infrastructure, Networking, Applications

Cyber Security Management Cycle: Detect

The SPHINX device and service verification toolkit shall be easily integrated into existing healthcare IT infrastructures.

The SPHINX Platform shall allow the easy integration of the automated zero-touch device and service verification toolkit within the existing healthcare IT infrastructure. This integration enables the implementation of a device and service verification toolkit that respects service continuity with no impact during device/service creation, modification and removal, automating the network’s configuration changes as pre-defined by the user. In other words, it should be possible to deploy the sandboxing and certification tools on the existing resources without them creating additional risks or threats when running validations of untrusted code or devices.

IT Domain: IT Hardware Infrastructure, Networking, Applications

Cyber Security Management Cycle: Detect

SPHINX shall enable the certification of devices (to be) connected to the organisation’s IT ecosystem.

The SPHINX Platform shall perform the certification of the medical and IoT-based devices in the network as safe, meaning that they do not present any vulnerability to the overall IT ecosystem. The SPHINX Platform shall first verify newly added devices and certify them as safe in order for them to be allowed to connect to the network. Whenever a device is assessed as not being safe, the SPHINX Platform shall propose the actions to be taken in order to eliminate all existing device vulnerabilities.

IT Domain: IT Hardware Infrastructure

Cyber Security Management Cycle: Identify, Protect

SPHINX shall provide an automated certification service.

The SPHINX Platform shall deliver an automated certification service to devices and services, assessing their cybersecurity and protection status and thereby facilitating the user’s cybersecurity monitoring responsibilities. The SPHINX automated certification service shall also be available to third-party devices and services, allowing them to ascertain their readiness to become connected to the organisation’s IT ecosystem (certification as safe).

IT Domain: IT Hardware Infrastructure, Applications

Cyber Security Management Cycle: Identify, Protect

More information about the Functional Requirements and Guidelines of SPHINX can be found in Deliverable 2.8, which is publicly available.