NERC Security Requirements – What Vendors Should Provide James W. Sample, CISSP, CISM Manager of Information Security California ISO.
NERC 1200 Cyber Security Standard
- 1201 – Cyber Security Policy
- 1202 – Critical Cyber Assets
- 1203 – Electronic Security Perimeter
- 1204 – Electronic Access Controls
- 1205 – Physical Security Perimeter
- 1206 – Physical Access Controls
- 1207 – Personnel
- 1208 – Monitoring Physical Access
- 1209 – Monitoring Electronic Access
- 1210 – Information Protection
- 1211 – Training
- 1212 – Systems Management
- 1213 – Test Procedures
- 1214 – Electronic Incident Response Actions
- 1215 – Physical Incident Response Actions
- 1216 – Recovery Plans

1203 – Electronic Security Perimeter
Provide detailed documentation that includes:
- Detailed data flow diagrams
- Source/destination systems
- Required services/ports (protocols)
- Interconnectivity requirements
- Access points

1204 – Electronic Access Controls
Deliver systems:
- With detailed documentation around access controls
- That require authentication and authorization using unique user IDs
- Where access management is simple
- Where access control exists at all layers (e.g. operating system, database, application)

1207 – Personnel
Provide detailed documentation that includes:
- A list of all personnel supporting the product and the access each requires, including sub-contractors
- Promptly notify the customer of any changes in support personnel
- Conduct proper background checks on all personnel and provide evidence of the check to the customer

1209 – Monitoring Electronic Access
Deliver systems:
- With detailed documentation around access monitoring, including error codes
- That provide auditable logging of events
- That synchronize with a central time source
- That log to a remote central repository
- With tools to analyze audit logs where appropriate
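As an added illustration of what "tools to analyze audit logs" can mean for the customer (this is example code written for this page, not CAISO's or any vendor's tooling), the script below checks a constructed sample of the kind of log a system would ship to a central repository. The log format, the host and user names, and the list of generic accounts are all assumptions made for the example. It flags three things the 1209 slide cares about: events that use a shared account instead of a unique user ID, a burst of failed logins from one source, and a timestamp that jumps backwards relative to the previously received line, which is what an unsynchronized host clock looks like once everything lands in one repository.

```python
"""Audit-log checks of the kind 1209 asks vendors to ship.

Constructed example for this page, not CAISO's or any vendor's tool.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical vendor log format assumed for this example (one event per line):
#   <UTC timestamp> <host> <subsystem> user=<id> src=<ip> event=<name> result=<OK|FAIL> [code=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<subsys>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>OK|FAIL)(?: code=(?P<code>\d+))?$"
)

# Generic accounts that cannot be tied to one person; their use defeats "unique user IDs".
SHARED_ACCOUNTS = {"admin", "root", "operator", "guest"}

# Constructed sample, in the order the central repository received the lines.
# Hosts ems01/ems02 and the user names are made up for the example.
SAMPLE_LOG = """\
2004-03-01T10:00:00Z ems01 app user=jsample src=10.1.1.5 event=login result=OK
2004-03-01T10:00:07Z ems01 app user=admin src=10.1.1.9 event=login result=OK
2004-03-01T10:01:00Z ems01 app user=mallory src=10.1.1.77 event=login result=FAIL code=401
2004-03-01T10:01:02Z ems01 app user=mallory src=10.1.1.77 event=login result=FAIL code=401
2004-03-01T10:01:03Z ems01 app user=mallory src=10.1.1.77 event=login result=FAIL code=401
2004-03-01T10:01:05Z ems01 app user=mallory src=10.1.1.77 event=login result=FAIL code=401
2004-03-01T10:01:06Z ems01 app user=mallory src=10.1.1.77 event=login result=FAIL code=401
2004-03-01T10:02:00Z ems01 db user=jsample src=10.1.1.5 event=config_change result=OK
2004-03-01T10:02:30Z ems01 app unexpected free-text line that matches no documented format
2004-03-01T09:31:00Z ems02 app user=jsample src=10.1.1.5 event=login result=OK
"""


def parse_log(text):
    """Return (events, bad_lines). A line outside the documented format is itself a finding."""
    events, bad_lines = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad_lines.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events, bad_lines


def find_shared_account_use(events):
    """Return (timestamp, user, source) for every event performed under a generic account."""
    return [(e["ts"], e["user"], e["src"]) for e in events if e["user"] in SHARED_ACCOUNTS]


def find_failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, src): count} where a source produced >= threshold failed logins inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    bursts = {}
    for key, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts


def find_clock_skew(events, tolerance=timedelta(seconds=5)):
    """Flag a line whose timestamp precedes the previously received line by more than tolerance.

    Assumes the central repository writes lines in arrival order, so a large backward jump
    means the sending host is not synchronized to the central time source.
    """
    findings, last = [], None
    for e in events:
        if last is not None and last["ts"] - e["ts"] > tolerance:
            findings.append((e["host"], e["ts"], last["host"], last["ts"]))
        last = e
    return findings


def analyze(text):
    """Run every check over one log text and return a summary dict."""
    events, bad_lines = parse_log(text)
    return {
        "events": len(events),
        "unparsed_lines": len(bad_lines),
        "shared_account_use": find_shared_account_use(events),
        "failed_login_bursts": find_failed_login_bursts(events),
        "clock_skew": find_clock_skew(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The unparsed line is reported rather than silently dropped: if the vendor documents the log format and error codes, a line that does not match it is either a documentation gap or tampering, and either way the customer wants to know.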

1210 – Information Protection
Deliver systems:
- With detailed documentation that identifies critical configuration settings, processes, libraries, etc. that should be monitored

1211 – Training
- Provide security training specific to your product
- Document security features, including configuration and administration procedures, for your product
- Provide detailed documentation for rebuilding the system securely

1212 – Systems Management
Deliver systems:
- Where access management is simple (e.g. passwords can be changed easily and periodically)
- With all unnecessary ports and services disabled
- That use secure rather than insecure protocols
- Promptly test all released operating-system and third-party patches so the customer can manage patches properly and on time
- With remote administration securely configured (e.g. modems, VPN, etc.)

1213 – Test Procedures
Deliver systems:
- With a set of test procedures that the customer can use to verify system security
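The 1210 and 1213 slides fit together: once the vendor has documented which configuration files, libraries and settings are security-critical, the customer needs a repeatable procedure to verify them. The script below is an added example of such a procedure (written for this page; it is not CAISO's or any vendor's deliverable). It records a SHA-256 baseline of a list of critical files, re-verifies the live tree against that baseline, and checks a key=value settings file against the 1212 expectations (insecure services off, remote administration over VPN, periodic password change, a time source and a remote log target configured). The file names, the settings keys and the policy values are all assumptions made for the example; the demo builds a throwaway tree in a temp directory so it runs offline.

```python
"""Customer-runnable verification procedure for critical files and settings.

Constructed example for this page, not CAISO's or any vendor's code.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, critical_paths):
    """Record the digest of each critical file under root; a file absent at baseline time is None."""
    baseline = {}
    for rel in critical_paths:
        p = os.path.join(root, rel)
        baseline[rel] = sha256_file(p) if os.path.isfile(p) else None
    return baseline


def verify_baseline(root, baseline):
    """Compare the live tree with the baseline and return modified / missing / unexpected paths."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            if digest is not None:
                findings["missing"].append(rel)
            continue
        if digest is None:
            findings["unexpected"].append(rel)      # appeared after the baseline was taken
        elif sha256_file(p) != digest:
            findings["modified"].append(rel)
    return findings


# Hypothetical settings keys and the policy the customer verifies them against (assumed).
# A plain string means "must equal"; a callable is a predicate over the string value.
REQUIRED_SETTINGS = {
    "telnet_enabled": "no",
    "ftp_enabled": "no",
    "remote_admin": "vpn",
    "password_max_age_days": lambda v: v.isdigit() and int(v) <= 90,
    "ntp_server": lambda v: v != "",
    "remote_syslog": lambda v: v != "",
}


def parse_settings(text):
    """Parse a key=value file; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_settings(settings):
    """Return [(key, actual_value)] for every setting that fails REQUIRED_SETTINGS."""
    failures = []
    for key, rule in REQUIRED_SETTINGS.items():
        actual = settings.get(key, "")
        ok = rule(actual) if callable(rule) else actual == rule
        if not ok:
            failures.append((key, actual))
    return failures


# Constructed settings file that satisfies the policy.
GOOD_CONF = """\
# constructed sample settings for the example system
telnet_enabled=no
ftp_enabled=no
remote_admin=vpn
password_max_age_days=60
ntp_server=10.0.0.1
remote_syslog=10.0.0.2:514
"""


def run_demo():
    """Build a throwaway tree, take the baseline, tamper with it, then run both checks."""
    root = tempfile.mkdtemp(prefix="ems-verify-")
    critical = ["etc/ems.conf", "lib/libscada.so", "bin/ems_daemon"]
    contents = {
        "etc/ems.conf": GOOD_CONF.encode(),
        "lib/libscada.so": b"\x7fELF constructed library image",
        "bin/ems_daemon": b"\x7fELF constructed daemon image",
    }
    for rel, data in contents.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    baseline = build_baseline(root, critical)

    # Simulated drift: someone turns telnet back on and the daemon binary goes missing.
    conf_path = os.path.join(root, "etc/ems.conf")
    with open(conf_path, "w") as f:
        f.write(GOOD_CONF.replace("telnet_enabled=no", "telnet_enabled=yes"))
    os.remove(os.path.join(root, "bin/ems_daemon"))

    findings = verify_baseline(root, baseline)
    with open(conf_path) as f:
        failures = check_settings(parse_settings(f.read()))
    return findings, failures


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline would be taken from the vendor's documented-good image and stored off the monitored system, and the procedure run after every patch or rebuild; the point of the 1213 deliverable is that the customer, not the vendor, can execute it and read the result.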

1216 – Recovery Plans
Deliver systems:
- With documents designed specifically for disaster recovery

General Recommendations
- Design with system security in mind up front
- Vendors should sponsor annual security user group meetings
- Keep it Simple, Stupid (KISS)