The Framework of SK-275
SK-275 adopts NIST and CIS as its primary references and introduces 15 priority cybersecurity controls, grouped into five key areas:

| Category | Control Objectives |
|---|---|
| Identify | Establish and maintain an inventory of all company assets. Establish and maintain an inventory of all accounts. Establish and maintain an inventory of all service accounts. |
| Protect | Restrict administrator access rights to designated administrator accounts. Implement and maintain anti-malware software. Manage access controls for remotely connected assets. |
| Detect | Collect audit logs. Centralize audit logs. Review audit logs. Configure automatic anti-malware scans on removable media. |
| Respond | Disable inactive accounts. Assign personnel to manage the company's incident handling process. Establish and maintain an incident response process. |
| Recover | Perform automated backups. Test backup recovery. |
Alternative Measures: Risk Assessment
In cases where BUMN cannot fully implement the 15 controls, they must conduct a comprehensive risk assessment for any unimplemented minimum controls. This assessment should cover:
- Risk Appetite: The level of risk the company is prepared to accept to achieve its goals.
- Risk Treatment: Strategies to address identified risks effectively.
- Risk Mitigation: Actions designed to reduce risks or their impact.
Reporting Obligations
BUMN are required to report their progress in implementing the established controls annually through the BUMN Annual Report to the Ministry of State-Owned Enterprises. This ensures ongoing accountability and alignment with the ministry's cybersecurity objectives.