SPHINX Functional Requirements and Guidelines: PART IX

Continued from PART VIII

 

SPHINX shall allow third-parties to discover and retrieve the available SPHINX functionalities.

The SPHINX Platform shall enable third-parties to discover and access the different SPHINX data protection and information cyber security services that are available to them. A discovery system should provide the list of services as well as a description of the common features, versions and added value they provide.

IT Domain: Security/Privacy

Cyber Security Management Cycle: Not applicable.

SPHINX shall allow third-parties to request a cyber certification of their IT components.

The SPHINX Platform shall enable third-parties to submit information concerning their IT components (e.g., medical devices, software components, services) in order to receive their cyber certification by SPHINX. The information submitted shall be the minimum necessary to enable the SPHINX system to perform the cyber certification process.

IT Domain: Security/Privacy

Cyber Security Management Cycle: Identify.

SPHINX shall allow third-parties to receive a certification report of their IT components.

The SPHINX Platform shall perform the certification process of a third-party’s IT component upon receiving a cyber certification request from the third-party. The certification report shall declare either the full compliance of the IT component with SPHINX cyber security standards, or the list of detected issues/vulnerabilities that deem the third-party IT component unsafe, together with the proposed alterations that must be implemented in the third-party IT component for it to become fully compliant with SPHINX cyber security standards.

IT Domain: Security/Privacy

Cyber Security Management Cycle: Identify.

SPHINX shall provide customised cyber security reports.

The SPHINX Platform shall provide customised cyber security reports containing:

  • comprehensive visual analytics (e.g., charts, tabular information, statistics);
  • statistical information on registered cyber security events and incidents in the IT ecosystem, including successful and unsuccessful hacking attempts and type of attack: spam, email trap, malware, phishing, database injection, anomalous user and network behaviours;
  • time and duration of successful cyber-attacks on the IT ecosystem, along with a list of the affected assets;
  • identification and location of the organisation affected by the cyber-attack.

Overall, this capability supports the users’ cyber security awareness and decision-making with respect to the prevention of cyber threats and the mitigation of cyber-attacks. In addition, it also assists the organisations with fulfilling their incident notification obligations concerning cybersecurity incidents, particularly data breach events.

IT Domain: Applications; Security/Privacy.

Cyber Security Management Cycle: Identify; Detect; Protect.

 

More information about the Functional Requirements and Guidelines of SPHINX can be found in Deliverable 2.8 that is publicly available here.