Roles & Change Management
UR E26 §3.2.1 & §4.1.1.3.2.2: The “Identify” phase must define key resources and their roles/responsibilities. Furthermore, a Management of Change (MoC) policy must be established to ensure the asset inventory and CSDD remain accurate throughout the ship’s operational life.
1. Cybersecurity Roles
Compliance requires that specific individuals are tasked with maintaining the “Identify” database. Use this matrix to assign duties within your Ship Cyber Security and Resilience Program (SCSRP).
| Role | Core Responsibility (Identify Phase) |
|---|---|
| Company Cyber Security Officer (CCSO) | Fleet-wide policy oversight; approval of MoC requests. |
| Shipboard Cyber Lead (Master/ETO) | Verifying physical inventory; logging local software changes. |
| Technical Superintendent | Ensuring OEMs/Vendors provide CSDD updates after repairs. |
2. Management of Change (MoC) Procedure
When a system is repaired, replaced, or updated, the following workflow must be followed to maintain Class compliance:
Change Request: Document why the change is needed (e.g., hardware failure, mandatory firmware update).
Risk Assessment: Evaluate if the change introduces new protocols or network connections.
Inventory Update: Log new MAC addresses, Serial numbers, and Software versions in the Asset Inventory.
CSDD Revision: Update the Cyber System Definition Document to reflect the current “As-Built” state.
Governance Established?
With roles and procedures defined, you are ready to compile the final “Master Evidence” for the Class Surveyor.