Security Guidelines Working Group Update

Slides:

Advertisements

Similar presentations

NERC Critical Infrastructure Protection Advisory Group (CIP AG) Electric Industry Initiatives Reducing Vulnerability To Terrorism.

Advertisements

NESCC Meeting March 28, Topics Accomplishments Since Last Meeting Program Management for NESCC Support to the NESCC Sponsor Committee Review and.

Update: Physical Guideline UPDATE: Physical Security Guideline UPDATED Physical Response Security Guideline Public Release.

K E M A, I N C. NERC Cyber Security Standards and August 14 th Blackout Implications OSI PI User Group April 20, 2004 Joe Weiss

CIPC Executive Comittee Update CIPC Conference Call September 16, 2004 Stuart Brindley CIPC Chair CIPC Confidentiality - Public.

Lisa Wood, CISA, CBRM, CBRA Compliance Auditor, Cyber Security

Nuclear Power Plant/Electric Grid Regulatory Coordination and Cooperation - ERO Perspective David R. Nevius and Michael J. Assante 2009 NRC Regulatory.

CRITICAL INFRASTRUCTURE PROTECTION COMMITTEE. 2 Group carried over from ECAR, MAAC, & MAIN workgroups that were assembled to address 1200 Urgent Action.

INFORMATION ASSURANCE USING C OBI T MEYCOR C OBI T CSA & MEYCOR C OBI T AG TOOLS.

Security Guidelines Working Group Update CIPC Meeting Phoenix, AZ Mar 16, 2006 Seiki Harada SGWG Chair CIPC Confidentiality: Public Release.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

1 Crisis Response Task Force (CRTF) Proposal Tom Bowe (Chairman) CSO, PJM Interconnection Scott Heffentrager (Temp. Chairman) Physical Security.

Role for Electric Sector in Critical Infrastructure Protection R&D Presented to NERC CIPC Washington D.C. June 9, 2005 Bill Muston Public Release.

ANZI/AIHA Z Occupational Health and Safety Management Systems.

CIPC Executive Committee Update CIPC Meeting Mesa AZ March 16, 2006 Barry Lawson CIPC Vice-Chair CIPC Confidentiality: Public Release.

Paragraph 81 Project. 2RELIABILITY | ACCOUNTABILITY Background FERC March 15, 2012 Order regarding the Find, Fix, Track and Report (FFT) process  Paragraph.

Standards and Guidelines Working Group Status Updates 2005 Jun 09 Washington DC Critical Infrastructure Protection Committee Public Release.

CIPC Executive Committee Update-1 CIPC Meeting Long Beach CA March 17, 2005 Pat Laird Vice Chair Public Release.

Security Guidelines Working Group Update CIPC Meeting Denver CO September 29, 2005 Seiki Harada SGWG Chair Public Release.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

1 Presented by David Thompson, TIA December 14, 2005 NFPA 1600 and Emergency Communications.

APPRAISAL OF THE HEADTEACHER GOVERNORS’ BRIEFING.

Department of Higher Education and Training

Law Firm Data Security: What In-house Counsel Need to Know

Iowa Communications Alliance

Data Minimization Framework

INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

COMPREHENSIVE PLAN 2017 AMENDMENT PROCESS and DOCKET

Security SIG in MTS 05th November 2013 DEG/MTS RISK-BASED SECURITY TESTING Fraunhofer FOKUS.

Ken Matthews Chair, Partnership Working Group 31 July 2013

COMPREHENSIVE PLAN 2017 AMENDMENT PROCESS and DOCKET

Status report on the activities of TF-CS/OTA

WMO IT Security Incident Process

NERC Cyber Security Standards Pre-Ballot Review

OFFICE OF THE CITY CLERK SEPTEMBER 22, 2014 CITY COUNCIL MEETING RESCIND RESOLUTION NO AND ADOPT A RESOLUTION ESTABLISHING THE RULES GOVERNING.

CIPC Outreach WG Update March 2006

CIPC Executive Committee Update

Larry Bugh ECAR Standard Drafting Team Chair January 2005

CIPC Relationships & Roles

ISO/IEC 27001:2005 A brief introduction Kaushik Majumder

Larry Bugh ECAR Standard Drafting Team Chair January 2005

Role for Electric Sector in Critical Infrastructure Protection R&D

NERC Critical Infrastructure Protection Advisory Group (CIP AG)

CIPC Executive Committee Update-1

Security Guidelines Working Group Update

CIPC Executive Committee Update

Progress Report on proposed GUID on Information System Security Audit

NERC Critical Infrastructure Protection Committee (CIPC) Executive Committee Public Release 29 September 2005.

Cyber security Policy development and implementation

Critical Infrastructure Protection Committee

Group Meeting Ming Hong Tsai Date :

NERC Reliability Standards Development Plan

CIPC Executive Committee Update

UPDATE: Physical Security Guideline

ADS Study Group Mid-week Report

IBM GTS Storage Security and Compliance overview.

Joint Wireless Groups Architecture AdHoc

Joint Wireless Groups Architecture AdHoc

Crisis Response Task Force (CRTF) Proposal

<month year> doc.: IEEE <030158r0> January 2004

Grace Anderson Chair, Budget Work Group May 16, 2018

CIPC Executive Committee Report-2

NERC Reliability Standards Development Plan

DSC Contract Management Committee Meeting

Grace Anderson Chair, Budget Work Group May 16, 2018

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec

Report of the Technical Subcommittee

MAC Input on Section 4.9 Review

WG Technical Editor’s Report

Standards Review Subcommittee Update

Presentation transcript:

Security Guidelines Working Group Update CIPC Confidentiality: Public Release Security Guidelines Working Group Update CIPC Meeting Phoenix, AZ Mar 16, 2006 Seiki Harada SGWG Chair

Discussion Items SGWG Roster Change to the Guideline Preamble 2006 Prioritization of the Guideline Updates Regular Review Cycle for All Security Guidelines Content Review of Guidelines by SGWG Guideline Directions

SGWG Roster: As of March 10, 2006, the SGWG comprises: Scott McCoy (Physical) Scott Webber (Physical) Bruce Metruck (Physical) Mike Paszynsky (Physical) Larry Bugh (Cyber) Joe Doetzl (Cyber) David Baumken (Cyber) Roger Lampila (Operations) Tom Kropp (Research Institutions) Ken Hall (Research Institutions)

Changes to the Preamble A suggestion was made by a NERC legal staff to adopt the following: “This document addresses potential risks that can apply to some electricity sector organizations and provides practices that can help mitigate the risks. Each organization decides for itself the risks it can accept and the practices it deems appropriate to manage its risks. “

Prioritization of Guideline Updates: Of the 18 Security Guidelines, 14 were assessed as needing updates. The remainder, 4, are recent ones and deemed acceptable. It is not reasonable to expect various working groups to re-draft all 14 of them and put through CIPC approvals in one year (9 months now!). SGWG recommends 7 updates this year and 7 next year (refer to the SGWG Reference Document No.1)

Criteria for Prioritization: Synchronization with, or in support of, the permanent cyber security guidelines Importance/relevance of the subject matter today How 'off' or 'dated' the content is Subsumed by any new guidelines ( e.g., elimination candidates)?

Prioritization of Guideline Updates: Recommended Updates for 2006: SG001 Vulnerability and Risk Assessment SG002 Emergency Plans SG003 Continuity of Business Processes SG005 Physical Security SG006 Cyber Security – Risk Management SG007 Cyber Security – Access Controls SG018 Threat Alert System and Cyber Response

Prioritization of Guideline Updates: Recommended Updates for 2007: SG004 Communications SG008 Cyber Security – IT Firewalls SG009 Cyber Security – Intrusion Detection SG010 Employment Background Screening SG011 Protecting Potentially Sensitive Information SG012 Securing Remote Access to Electronic CPS SG014 Threat and Incident Reporting

Guideline Updates – Further Recommendations: The CIPC Executive Committee assign an ‘owning’ working group for each security guideline. The ‘owning’ working group will accommodate identified updates in their 2006/2007 work schedule. NERC CIPC support staff will follow up with respective working group re the timing of completion and CIPC reviews

Regular Guideline Reviews: Today, there is no fixed schedule for reviewing existing guidelines. The Cyber Security Standard (CIP 003) asks for an annual review of policies. SGWG Recommendation: Complete the identified updates for 2006 and 2007 After that, schedule reviews of the guidelines every two years or when there is a watershed event in the subject area. These bi-annual reviews may not necessarily result in updates.

Content Review of Security Guidelines: Background: Comments were made that SGWG should stay away from reviewing guideline contents. The SGWG Terms of Reference states, in part: “review existing CIPC guidelines, and other electric and non-electric industry reference material, for currency and relevance”.

Content Review of Security Guidelines: What the SGWG guideline reviews entail today: Consistency and compatibility with security standards and other security guidelines Consistency of parts within a specific guideline Currency and relevance to the current threats/industry practices (e.g., against IEEE, ISO, NIST, ANSI, CSA, etc)

Content Review of Security Guidelines: Recommendation: SGWG will review ‘content’ only in the sense of the above consistency checks – not in value judgement. SGWG will provide timely comments to the ‘Owning’ working group. The ‘owning’ working group will consider the comments provided. They are not obliged to accommodate all comments.

Guideline Directions: Most new guidelines come from Working Groups or Task forces/Teams. SGWG may from time identify the area where a new security guideline is appropriate. The CIPC will have the final say in the generation of a new (or the elimination of an existing) security guidelines.

Thank you! Thank you for working with me for the past two years. It has been a challenge and pleasure at the same time. Please support Scott McCoy in the coming years!