IAEA Training Course on Conducting Computer Security Assessments. Presented by: Donald D. Dudenhoeffer (International Atomic Energy Agency).
Presentation transcript:

Course Objectives

Key objectives of this course: provide training and exercises on how to apply NST037, Conducting Computer Security Assessments at Nuclear Facilities, with a focus on:
- Assessment Overview
- Assessment Methodology
- Assessment Planning
- Functional and Security Domains
- Final Report and Post-Assessment Activities

The hypothetical Shapash Nuclear Facility will be used as an example to illustrate concepts for use in the exercises.

Nuclear Security

Nuclear security focuses on the prevention of, detection of, and response to criminal or intentional unauthorized acts involving or directed at nuclear material, other radioactive material, associated facilities, or associated activities. Nuclear security is the ultimate focus of our training.

Nuclear and Computer Security

Threat actors today have embraced computers as both a means and a target of attacks. The security paradigm has changed from one of “Guns, Guards, and Gates” to that of “Guns, Guards, Gates, and Geeks”. Information and computer security are now key elements of nuclear security.

Why do an Assessment?

Assessments help to measure the degree of confidence one has that the managerial, technical and operational security measures work as intended to protect the system and the information it processes. An assessment cannot guarantee that you are secure; it can only show that the items observed have met a certain level of compliance.

Focus of an Assessment

- Verify compliance with regulations, policies or procedures.
- Identify problem areas (e.g., safety hazards, inefficiencies, recurring errors).
- Investigate an unusual occurrence or incident.
- Analyze a known or suspected problem area and make recommendations for improvements.
- Identify areas of excellence.

Types of Assessment

- Compliance-based assessments
- Self-assessments
- Assessments of third parties

Programme Maturity

Assessments may help you to understand the maturity of the computer security programme.

[Table: Programme Maturity Level / Example Maturity Level Characteristics (Ref: Cybersecurity Capability Maturity Model (C2M2), US DOE, Feb 2014)]

Resources for Assessments

The IAEA Nuclear Security Series and assessment guides provide the assessors with the key points and areas for review. Member States and organizations may have additional reference documents for use in developing assessment guides.

The Assessment Process

[Diagram of the assessment process]
Inputs: IAEA guidance, standards, regulatory guides, best practices, lessons learned, subject experts.
Assessment Planning: scope and objective, team focus, assessment framework development, logistics.
Output of planning: Assessment Evaluation Framework / Checklist.
Assessment: document reviews, interviews, direct observations.
Output of assessment: Assessment Final Report.

Scoping the Assessment

What do we want to assess? A simple question, but the exact bounds are often hard to define because of the interconnectivity of systems.

Security domains constitute high-level focus areas for computer security review. Functional domains help provide the assessment team with a comprehensive target for review of the security practices.

Information Collection

Where to get information?
- Documents and records
- Interview questions
- Direct observations

Assessment Analysis Process

[Diagram of the analysis flow]
Requirements/Guidelines and Observations feed the first analysis step: How does the observation compare to established guidelines? What does the information tell us?
This yields Findings and Good Practices, which feed the second analysis step: What is the significance of the observation/finding, the impact? What are the recommended actions forward?
This yields Recommendations and Suggestions.

The Final Report

Basic elements of evaluation and reporting:
- Final report composition: observation, finding, recommendations/suggestions
- Finding significance / potential impact determination
- Scoring methods
- Out-briefing
- Interpretation of results and trends
- Follow-on activities
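The analysis flow above (requirement vs. observation, then finding significance, then per-domain scoring for the report) can be made concrete as a small evaluation framework. This is an added example, not material from the course or from NST037; the checklist items, domain names, status weights and the recommendation/suggestion rule are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ChecklistItem:
    ref: str       # requirement reference in the assessment framework (constructed)
    domain: str    # security domain the item is reviewed under
    requirement: str

@dataclass
class Observation:
    item_ref: str
    status: str    # "met", "exceeds", "partial" or "not_met"
    evidence: str  # document review, interview or direct observation
    impact: str    # assessor's potential-impact judgement: "low", "medium", "high"

# Compliance credit per status; constructed weights for this example
SCORE = {"met": 1.0, "exceeds": 1.0, "partial": 0.5, "not_met": 0.0}

def analyse(items, observations):
    """Compare each observation with its requirement: gaps become findings with a
    significance, 'exceeds' a good practice; each domain gets a % compliance score."""
    by_ref = {item.ref: item for item in items}
    findings, good_practices, per_domain = [], [], {}
    for obs in observations:
        item = by_ref[obs.item_ref]   # KeyError: observation outside the agreed scope
        per_domain.setdefault(item.domain, []).append(SCORE[obs.status])
        if obs.status == "exceeds":
            good_practices.append((item.ref, obs.evidence))
        elif obs.status in ("partial", "not_met"):
            # Assumed rule: an unmet requirement or a high-impact gap warrants a
            # recommendation; a lower-impact partial gap is raised as a suggestion.
            sig = "recommendation" if obs.status == "not_met" or obs.impact == "high" else "suggestion"
            findings.append((item.ref, item.domain, obs.status, sig))
    scores = {d: round(100 * sum(v) / len(v)) for d, v in per_domain.items()}
    return findings, good_practices, scores

def sample_run():
    """Constructed checklist and observations for the hypothetical Shapash facility."""
    items = [
        ChecklistItem("AC-1", "Access control", "Privileged accounts are individually assigned"),
        ChecklistItem("AC-2", "Access control", "Default vendor passwords are changed"),
        ChecklistItem("NS-1", "Network security", "Plant network zones are firewalled"),
        ChecklistItem("NS-2", "Network security", "Firewall rule changes are reviewed and logged"),
    ]
    observations = [
        Observation("AC-1", "met", "Interview with IT lead; account list reviewed", "low"),
        Observation("AC-2", "not_met", "Direct observation of an HMI login", "high"),
        Observation("NS-1", "partial", "Network diagram review: one zone unsegmented", "low"),
        Observation("NS-2", "exceeds", "Change records show independent second review", "low"),
    ]
    return analyse(items, observations)
```

Running `sample_run()` yields two findings (one recommendation, one suggestion), one good practice, and domain scores of 50% for access control and 75% for network security.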

Definitions from NSS No. 17

Computers and computer systems refer to the computation, communication, instrumentation and control devices that make up functional elements of the nuclear facility. Computer security is used to cover the security of all computers and all interconnected systems and networks formed by the sum of the elements. The terms IT security and cyber security are considered synonyms of computer security within IAEA NSS guidance.

For Additional Information

For additional information, please contact: Donald Dudenhoeffer, Nuclear Security Information Officer, International Atomic Energy Agency. Tel: +43 (1)